如何用对称密钥配置Microsoft JWT? [英] How to configure Microsoft JWT with symmetric key?
问题描述
我正在尝试将ASP.NET应用程序配置为接受用对称密钥签名的JSON Web令牌(JWT). STS无法为此使用证书,因此我们正在使用其对称密钥支持.
I'm trying to configure my ASP.NET app to accept a JSON Web Token (JWT) that is signed with a symmetric key. The STS isn't capable of using certificates for this, so we're using their symmetric key support.
On my end, I'm using Microsoft's JWT Developer Preview. Unfortunately, I've not seen any examples of how to use that with a symmetric key. After some digging around with various tools, I found the NamedKeyIssuerTokenResolver and discovered that I can configure it to use a symmetric key. For example:
<securityTokenHandlers>
<add type="Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler,Microsoft.IdentityModel.Tokens.JWT" />
<securityTokenHandlerConfiguration>
<certificateValidation certificateValidationMode="PeerTrust" />
<issuerTokenResolver
type="Microsoft.IdentityModel.Tokens.JWT.NamedKeyIssuerTokenResolver,
Microsoft.IdentityModel.Tokens.JWT">
<securityKey
symmetricKey="+zqf97FD/xyzzyplugh42ploverFeeFieFoeFooxqjE="
name="https://localhost/TestRelyingParty" />
</issuerTokenResolver>
</securityTokenHandlerConfiguration>
</securityTokenHandlers>
我不确定我在name中应该使用什么.应该是听众Uri,还是发行人Uri?无论如何,我知道如果不包含name,则程序启动时会出现异常,因为securityKey元素需要该属性.
I'm not entirely sure what I'm supposed to use for the name there. Should it be the audience Uri, perhaps the issuer Uri? In any case, I know that if I don't include a name, I get an exception when my program starts because the securityKey element requires that attribute.
无论如何,这仍然不能解决问题.针对STS进行身份验证后,出现以下异常:
Whatever the case, this still doesn't resolve the issue. After I authenticate against the STS, I get the following exception:
[SecurityTokenValidationException: JWT10310: Unable to validate signature. validationParameters.SigningTokenResolver type: 'Microsoft.IdentityModel.Tokens.JWT.NamedKeyIssuerTokenResolver', was unable to resolve key to a token.
The SecurityKeyIdentifier is:
'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityModel.Tokens.JWT.NamedKeyIdentifierClause
)
'. validationParameters.SigningToken was null.]
Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateSignature(JWTSecurityToken jwt, TokenValidationParameters validationParameters) +2111
Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters) +138
Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateToken(SecurityToken token) +599
System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +135
System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +117
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +698
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +123924
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
我是否缺少其他配置步骤?我在name属性中输入了错误的内容吗?还是这是JWT开发人员预览版中的已知错误?
Am I missing some other configuration step? Am I putting the wrong thing in the name attribute? Or is this a known bug in the JWT Developer Preview?
推荐答案
更新2014/02/13:
正如@leastprivilege在下面指出的那样,使用JWT的RTM版本要容易得多.我强烈建议您忽略此问题,并使用他在http://leastprivilege.com/2013/07/16/identityserver-using-ws-federation-with-jwt-tokens-and-symmetric-signatures/.
请注意,下面的原始答案适用于Beta版本Microsoft.IdentityModel.Tokens.JWT.升级到发行版System.IdentityModel.Tokens.Jwt,只需要多做一些工作.见下文.
Note that the original answer below was for the Beta version, Microsoft.IdentityModel.Tokens.JWT. Upgrading to the release version, System.IdentityModel.Tokens.Jwt, required just a little more work. See below.
主要问题是方法JWTSecurityTokenHandler.ValidateToken(token)不能完全填充传递给JWTSecurityTokenHandler.ValidateToken(token, validationParameters)的TokenValidationParameters.特别是,它不会填充SigningToken成员或ValidIssuers(或ValidIssuer).
The primary problem turns out to be that the method JWTSecurityTokenHandler.ValidateToken(token) does not fully populate the TokenValidationParameters that it passes to JWTSecurityTokenHandler.ValidateToken(token, validationParameters). In particular, it doesn't populate the SigningToken member or the ValidIssuers (or ValidIssuer).
有趣的是,我在原始问题中显示的配置实际上是由令牌解析器加载的,并且可以在运行时使用,如下面的代码所示.
Interestingly, the configuration I showed in my original question actually is loaded by the token resolver, and is available at runtime, as you can see in the code below.
不过,我不知道如何在配置文件中指定有效的颁发者字符串.我强烈怀疑这里是否有放置该信息的地方,但是我还没有弄清楚它的归属.
I don't know how to specify the valid issuer string in the configuration file, though. I strongly suspect that there's a place to put that info, but I haven't yet figured out where it belongs.
解决我的问题的方法是创建一个自JWTSecurityTokenHandler派生的自定义安全令牌处理程序.覆盖ValidateToken(token, validationParameters)使我有机会设置所需的那些参数,然后调用基类的ValidateToken方法.
The solution to my problem is to create a custom security token handler that derives from JWTSecurityTokenHandler. Overriding ValidateToken(token, validationParameters) gives me the opportunity to set those parameters that I need, and then call the base class's ValidateToken method.
public class CustomJwtSecurityTokenHandler: JWTSecurityTokenHandler
{
// Override ValidateSignature so that it gets the SigningToken from the configuration if it doesn't exist in
// the validationParameters object.
private const string KeyName = "https://localhost/TestRelyingParty";
private const string ValidIssuerString = "https://mySTSname/trust";
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters)
{
// set up valid issuers
if ((validationParameters.ValidIssuer == null) &&
(validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any()))
{
validationParameters.ValidIssuers = new List<string> {ValidIssuerString};
}
// and signing token.
if (validationParameters.SigningToken == null)
{
var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver;
if (resolver.SecurityKeys != null)
{
List<SecurityKey> skeys;
if (resolver.SecurityKeys.TryGetValue(KeyName, out skeys))
{
var tok = new NamedKeySecurityToken(KeyName, skeys);
validationParameters.SigningToken = tok;
}
}
}
return base.ValidateToken(jwt, validationParameters);
}
}
在我的Web.config中,我只需要更改安全令牌处理程序:
In my Web.config, I just had to change the security token handler:
<securityTokenHandlers>
<!--<add type="Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler,Microsoft.IdentityModel.Tokens.JWT" />-->
<!-- replaces the default JWTSecurityTokenHandler -->
<add type="TestRelyingParty.CustomJwtSecurityTokenHandler,TestRelyingParty" />
没有什么比花三到四天研究用几十行代码解决的问题了. .
Nothing like spending three or four days researching a problem that is solved with a couple dozen lines of code . . .
2013年6月,Microsoft正式发布了其JWT.他们将命名空间更改为System.IdentityModel.Tokens.Jwt.升级到该版本后,上述解决方案停止工作.为了使其正常工作,我必须在CustomJwtSecurityTokenHandler中添加以下内容.这是现有代码的补充.
In June of 2013, Microsoft officially released their JWT. They changed the namespace to System.IdentityModel.Tokens.Jwt. After upgrading to that, the solution above stopped working. To get it working, I had to add the following to my CustomJwtSecurityTokenHandler. That's in addition to the existing code.
public override ClaimsPrincipal ValidateToken(JwtSecurityToken jwt)
{
var vparms = new TokenValidationParameters
{
AllowedAudiences = Configuration.AudienceRestriction.AllowedAudienceUris.Select(s => s.ToString())
};
return ValidateToken(jwt, vparms);
}
这篇关于如何用对称密钥配置Microsoft JWT?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
