Secure WebAPI with a JWT


Question

I'm trying to write a mobile application that will get data from a webapi rest based site.

The site should be secured via ACS (as there can be multiple identity providers).

My mobile app is currently querying the following url https://xx.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=javascriptnotify&realm=http://xx.azurewebsites.net/&version=1.0 to get a list of IPs.

I then allow the user to choose an IP, and then using a web browser control I show them a login.

Once the user has logged in I capture the response and extract the token, but now I'm not really sure what I should be doing. The token looks like this:-

{"appliesTo":"http://****.azurewebsites.net/",
"context":null,
"created":1362069383,
"expires":1362072983,
"securityToken":"... a lot of text:-)",
"tokenType":"urn:ietf:params:oauth:token-type:jwt"}

So, I'm guessing I should take the securityToken part and add it as part of the Authorization header to the GET request?

Question 1 is how should I attach the token - do I just attach the security token bit, or do I have to base 64 encode the lot and again attach it as an Authorization header?

Question 2 How do I configure the webapi to handle a JWT? After I have modified ACS to issue JWT tokens, and I installed the JWTSecurityTokenHandler I still get the following error (this is with passive authentication):

 JWT10310: Unable to validate signature. validationParameters.SigningTokenResolver type: 'System.IdentityModel.Tokens.IssuerTokenResolver', was unable to resolve key to a token.
 The SecurityKeyIdentifier is: 
 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = X509ThumbprintKeyIdentifierClause(Hash =  0x2FEE3EE96B019D4BA0C046124B77C652EEF768E5)
    )
 '. validationParameters.SigningToken was null.

Thanks

Ross

Accepted answer

Though you aren't using the Azure Authentication Library, this AAL code sample is helpful in showing how to use the new JWT Token Handler (https://nuget.org/packages/Microsoft.IdentityModel.Tokens.JWT) to authenticate requests to a Web API using an HTTP Message Handler in the request pipeline. The code explicitly handles JWTs issued by ACS. In particular, look at the TokenValidationHandler class in Global.asax.cs. The flow goes like this:


    从客户端应用程序
  1. 传入的请求是由消息处理程序进行检查。

  2. Authorization头被检查和使用JWTTokenHandler验证。

  3. 如果在JWT令牌是有效的,JWTTokenHandler实例化一个新ClaimsPrincipal对象。如果令牌无效,则返回一个HTTP 401未授权的响应。
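Steps 1 to 3 of that flow, written out as an added example (this is not the answer's AAL sample): a Web API DelegatingHandler that takes the securityToken from a Bearer header, validates signature, issuer, audience and expiry against the ACS tenant, realm and signing certificate, and either sets the ClaimsPrincipal or returns 401. It assumes the current System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens package names rather than the 2013 JWTSecurityTokenHandler, and the issuer, realm and certificate path are placeholders; the "SigningToken was null" error in the question is what the missing signing key would look like without the IssuerSigningKey line.

```csharp
// Added example, not the AAL sample: validate an ACS-issued JWT in the Web API pipeline.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

public class TokenValidationHandler : DelegatingHandler
{
    // Placeholders: your ACS namespace, the realm ("appliesTo") and the ACS signing certificate.
    const string AcsIssuer = "https://<your-namespace>.accesscontrol.windows.net/";
    const string Realm = "http://<your-site>.azurewebsites.net/";
    static readonly X509Certificate2 AcsSigningCert =
        new X509Certificate2(@"C:\path\to\acs-signing-cert.cer");

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Step 2: only "Authorization: Bearer <securityToken>" is accepted.
        var auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
            return request.CreateResponse(HttpStatusCode.Unauthorized);

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = AcsIssuer,                               // the ACS tenant
            ValidAudience = Realm,                                 // the realm the token applies to
            IssuerSigningKey = new X509SecurityKey(AcsSigningCert), // without this: "SigningToken was null"
            ValidateLifetime = true,                               // honours "expires"
        };

        try
        {
            // Step 3: signature, issuer, audience and lifetime are all checked here.
            SecurityToken validated;
            ClaimsPrincipal principal =
                new JwtSecurityTokenHandler().ValidateToken(auth.Parameter, parameters, out validated);
            Thread.CurrentPrincipal = principal;
            if (request.GetRequestContext() != null)
                request.GetRequestContext().Principal = principal;
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            return request.CreateResponse(HttpStatusCode.Unauthorized); // invalid or malformed token
        }
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Register it with `config.MessageHandlers.Add(new TokenValidationHandler());` in the Web API configuration so it runs before the controllers.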

Coming back to your first question, you just need the "securityToken" value (something like eyJ0eXAiOiJK...) to make an authorization header like Authorization: Bearer eyJ0eXAiOiJK.... When this is passed in a request to your Web API, the JWTTokenHandler will validate it via the Message Handler. Of course this assumes that your Web API has been configured properly to be aware of the ACS tenant and security domain you used to get the token from ACS in the first place.

EDIT: Take a look at the patterns & practices guidance on securing REST services and accessing them from a mobile app - very similar scenario that might help give you more context.

  • Accessing REST Services from a Windows Phone Device
  • Securing REST Services
