How do you prevent replay attacks with Thinktecture IdentityModel token?


Question

I have two sites on separate domains. I'm implementing SSO using the Thinktecture IdentityModel.

A user logs into Site A. At some point they click a link to take them to Site B. Site A redirects the user to Site B's Login.aspx?token=<token> with a JWT token. Site B then validates the token by calling an API on Site A to authenticate the user. If authenticated, the user is automatically logged into Site B.

By default Thinktecture tokens last for 10 hours, with no way to kill a token (as far as I can tell). If the user logs out of the site, the token is still valid. I can look at the browser history, get the "Login.aspx?token=<token>" URL and be automatically logged back in. Is there a way to kill all of a user's tokens when they log out? Should the token not be passed as part of the query string? What is the best way to prevent a replay attack?

Answer

As @leastprivilege commented on your question, you can easily achieve SSO for both your sites just by defining both sites as RPs (relying parties) trusting the same IdP. That would of course simplify your authentication solution architecture.

Having said that, passive authentication using WS-Fed is still vulnerable to replay attacks. Although the token is posted to your site, hitting "back" in your browser a couple of times (even after sign-out) will re-post the token to your site and will sign the user back in.

Fortunately, WIF has a way to mitigate that attack. By configuring:

    <identityConfiguration>
      ...
      <tokenReplayDetection enabled="true" />
      ...
    </identityConfiguration>

WIF then caches the tokens used on the server and makes sure each one can only be used once. (If a replay attack is detected, an appropriate exception is thrown: SecurityTokenReplayDetectedException.)

This cache of course will not survive a process recycle and won't be enough in a web farm scenario. If you want to mitigate this attack for these scenarios as well, you would need some kind of distributed & persistent cache for it.

I implemented one as a contribution to Thinktecture.IdentityModel; you could look into it and use it.
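To make the "distributed and persistent cache" point concrete, here is an added example of a WIF replay cache that keeps the set of already-presented tokens in a SQL table, so the check survives a process recycle and is shared by every node in a web farm. This is my own illustration, not the answerer's Thinktecture.IdentityModel contribution and not WIF's built-in cache. It assumes the abstract base class System.IdentityModel.Tokens.TokenReplayCache with the four members overridden below (as I recall it from .NET 4.5), a connection string named TokenReplay in the application's config (name chosen for this example), and a table created for this example as shown in the comment.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.IdentityModel.Tokens;

// Added example, not code from the answer or from Thinktecture.IdentityModel:
// a TokenReplayCache backed by a SQL table, so replay detection survives a
// process recycle and is shared by all nodes of a web farm.
//
// Assumed table (constructed for this example):
//   CREATE TABLE TokenReplay (TokenKey   NVARCHAR(256) NOT NULL PRIMARY KEY,
//                             ExpiresUtc DATETIME2     NOT NULL);
public sealed class SqlTokenReplayCache : TokenReplayCache
{
    private readonly string _connectionString;

    // Parameterless constructor so the cache can be created from configuration;
    // "TokenReplay" is an assumed connection-string name.
    public SqlTokenReplayCache()
        : this(ConfigurationManager.ConnectionStrings["TokenReplay"].ConnectionString)
    {
    }

    public SqlTokenReplayCache(string connectionString)
    {
        if (string.IsNullOrEmpty(connectionString))
            throw new ArgumentNullException("connectionString");
        _connectionString = connectionString;
    }

    // Called by WIF once a token has passed validation. Only the key (derived from
    // the token id) and its expiry are stored; the token itself is never persisted.
    public override void AddOrUpdate(string key, SecurityToken securityToken, DateTime expirationTime)
    {
        const string sql =
            "MERGE TokenReplay WITH (HOLDLOCK) AS t " +
            "USING (SELECT @key AS TokenKey) AS s ON t.TokenKey = s.TokenKey " +
            "WHEN MATCHED THEN UPDATE SET ExpiresUtc = @exp " +
            "WHEN NOT MATCHED THEN INSERT (TokenKey, ExpiresUtc) VALUES (@key, @exp);";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@key", key);
            cmd.Parameters.AddWithValue("@exp", expirationTime.ToUniversalTime());
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Called by WIF before AddOrUpdate; true means the token was already presented
    // and the handler raises SecurityTokenReplayDetectedException. Expired rows do
    // not count, so a token that has outlived its lifetime cannot pin a row forever.
    public override bool Contains(string key)
    {
        const string sql =
            "SELECT COUNT(1) FROM TokenReplay " +
            "WHERE TokenKey = @key AND ExpiresUtc > SYSUTCDATETIME();";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@key", key);
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // No token is stored, so there is nothing to hand back; the replay check itself
    // only needs Contains and AddOrUpdate.
    public override SecurityToken Get(string key)
    {
        return null;
    }

    public override void Remove(string key)
    {
        const string sql = "DELETE FROM TokenReplay WHERE TokenKey = @key;";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@key", key);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Housekeeping for a scheduled job: drop rows whose expiry has passed.
    // Returns the number of rows removed.
    public static int PurgeExpired(string connectionString)
    {
        const string sql = "DELETE FROM TokenReplay WHERE ExpiresUtc <= SYSUTCDATETIME();";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

If I remember the .NET 4.5 schema correctly, the class is wired in next to the `<tokenReplayDetection enabled="true" />` element with `<caches><tokenReplayCache type="MyApp.SqlTokenReplayCache, MyApp" /></caches>` (assembly and namespace names are placeholders). Two things worth knowing when you run this on a farm: the expiry WIF hands to AddOrUpdate is bounded by the token's own lifetime, so the table only ever holds tokens that could still be replayed and the purge keeps it small; and the handler performs Contains and AddOrUpdate as two separate calls, so two nodes receiving the same token in the same instant could both accept it. If that window matters to you, make the insert itself the check (a plain INSERT on the primary key, treating a key violation as a replay) instead of relying on Contains.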

