Is it safe to store an access_token in a user claim for authorization?


Problem description

So, I was having trouble with Bearer authentication while setting up IdentityServer4. Basically, I wasn't able to call my API resource and was getting a 401 error. When I added the Authorization header with the access_token, I was able to get the data from my web request.

using (var client = new HttpClient())
{
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", authToken);
    var content = await client.GetStringAsync("http://localhost:5000/localapi");
}

The way I got at the auth_token was to store it in a user claim from the SecurityTokenValidated callback provided by the identity server client setup.

Notifications = new OpenIdConnectAuthenticationNotifications
{
    SecurityTokenValidated = notification =>
    {
        var identity = notification.AuthenticationTicket.Identity;
        identity.AddClaim(claim: new Claim(type: "auth_token",
            value: notification.ProtocolMessage.AccessToken));
        return Task.CompletedTask;
    }
}

While this solves my authorization issue, I want to make sure I am not opening up an attack vector by storing my auth_token in the identity claims. Can anyone tell me if this presents a security issue?

The reason I am concerned is that I was able to use Postman to create a simple request, manually paste the same Bearer authorization token into the request, and then send it. The response gave me the "secured" API data back. That says to me that if anyone gets their hands on the auth_token they can access the API (or maybe Postman bypasses something?).

Recommended answer

Storing the access token in a claim is permissible when using OWIN. It is comparable to the .NET Core recommended approach of storing them within AuthenticationProperties using RemoteAuthenticationOptions with SaveTokens. Both approaches result in the token being contained within the client's session cookie.

As a side note, you may consider taking advantage of IdentityServer4 ReferenceTokens, if you are not already, to reduce cookie size.
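
The .NET Core SaveTokens approach and the reference-token setting mentioned in the answer, as an added example that is not part of the original post. The class name, authority URL, client id, secret placeholder, redirect URI and scope names are assumptions; the two halves would normally live in separate projects (client app and IdentityServer4 host).

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class TokenStorageExample // hypothetical name
{
    // Client app: SaveTokens stores the tokens in AuthenticationProperties,
    // which end up inside the protected session cookie.
    public static void ConfigureClientAuth(IServiceCollection services) =>
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = "oidc";
        })
        .AddCookie(o => { o.Cookie.HttpOnly = true; o.Cookie.SecurePolicy = CookieSecurePolicy.Always; })
        .AddOpenIdConnect("oidc", o =>
        {
            o.Authority = "https://localhost:5001"; // assumed IdentityServer4 URL
            o.ClientId = "mvc-client";              // assumed client id
            o.ClientSecret = "<client-secret>";     // placeholder
            o.ResponseType = "code";
            o.SaveTokens = true;
        });

    // Client app: read the saved token server-side and call the API from the question.
    public static async Task<string> CallApiAsync(HttpContext context, HttpClient client)
    {
        var accessToken = await context.GetTokenAsync("access_token");
        var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost:5000/localapi");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        var response = await client.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // IdentityServer4 host: issue reference tokens (a short handle instead of a JWT).
    public static Client ReferenceTokenClient() => new Client
    {
        ClientId = "mvc-client",
        AllowedGrantTypes = GrantTypes.Code,
        ClientSecrets = { new Secret("<client-secret>".Sha256()) },
        RedirectUris = { "https://localhost:5002/signin-oidc" }, // assumed client URL
        AllowedScopes = { "openid", "localapi" },                // assumed scope names
        AccessTokenType = AccessTokenType.Reference,
        AccessTokenLifetime = 600 // seconds; limits how long a copied token stays usable
    };
}
```

With reference tokens the API has to validate each token against IdentityServer4's introspection endpoint, so the token can be revoked server-side before it expires.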
