来自OnTokenValidated事件侦听器的TokenValidatedContext的安全令牌丢失了最后一个字符串段 [英] Security token from TokenValidatedContext from the OnTokenValidated event listener is missing last string segment
问题描述
我正在将 Microsoft.AspNetCore.Authentication.JwtBearer 和 System.IdentityModel.Tokens.Jwt 用于我的.NET Core项目.
I'm using the Microsoft.AspNetCore.Authentication.JwtBearer and System.IdentityModel.Tokens.Jwt for my .NET Core project.
每当我生成一个新令牌时,都会将该令牌存储到数据库中.首先,这就是我生成新令牌的方式
Whenever I generate a new token I store that to the database. First of all this is how I generate a new token
public string GenerateToken(Dictionary<string, object> payload)
{
DateTime tokenExpiresAt = DateTime.Now.AddMilliseconds(1); // from config
byte[] symmetricKey = Convert.FromBase64String("secret"); // from config
SymmetricSecurityKey symmetricSecurityKey = new SymmetricSecurityKey(symmetricKey);
SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor
{
Claims = payload,
Expires = tokenExpiresAt,
SigningCredentials = new SigningCredentials(symmetricSecurityKey,
SecurityAlgorithms.HmacSha256Signature)
};
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
SecurityToken securityToken = tokenHandler.CreateToken(tokenDescriptor);
string token = tokenHandler.WriteToken(securityToken);
return token;
}
生成的样本令牌为
.
如果客户端尝试访问受保护的端点,则默认配置将处理基本验证(在启动文件的DI设置中配置)
If a client tries to access a protected endpoint the default configuration will handle the basic validation (configured in the DI setup in the Startup file)
services
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(jwtBearerOptions =>
{
byte[] symmetricKey = Convert.FromBase64String("secret"); // from config
SymmetricSecurityKey symmetricSecurityKey = new SymmetricSecurityKey(symmetricKey);
jwtBearerOptions.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ValidateIssuer = false,
ValidateAudience = false,
IssuerSigningKey = symmetricSecurityKey,
};
jwtBearerOptions.Events = new JwtBearerEvents()
{
OnTokenValidated = ProcessAfterTokenValidation
};
});
如您所见,我向 OnTokenValidated 事件监听器添加了一个方法.此方法应检查数据库中是否存在令牌.
As you can see I added a method to the OnTokenValidated event listener. This method should check, if the token exists in the database.
public async Task ProcessAfterTokenValidation(TokenValidatedContext tokenValidatedContext)
{
JwtSecurityTokenHandler jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
string token = jwtSecurityTokenHandler.WriteToken(tokenValidatedContext.SecurityToken);
// ... check if token exists in db ...
}
该方法的问题在于,生成的令牌与存储在数据库中的令牌不完全相同.缺少最后一段.令牌变量保存了这个
The problem with that method is that the generated token is not the exact token as it is stored in the database. There is missing a last segment. The token variable holds this
.
而缺少的最后一部分将是
and the missing last part would be
cWvSpKC_yYao2_ziW_ahjjHpUl2SgUZvCmsjXntxCOI
cWvSpKC_yYao2_ziW_ahjjHpUl2SgUZvCmsjXntxCOI
有人知道为什么令牌的最后一部分丢失了吗?
Does someone know why the last part of the token is missing?
感谢帮助!
推荐答案
The last part of the token is the signature. The purpose of the OnTokenValidated method is to provide a ClaimsIdentity. The signature is not a component of the claims of the token holder.
如果您在签发方具有密钥轮换政策,则给定的用户可以在密钥轮换之前和之后出示具有不同签名的相同权利要求.
If you had a key rotation policy on the issuing side a given user could present identical claims with a different signature before and after a key rotation.
用户的身份是由发行人加上任何标识用户的声明(例如,示例中令牌中的 username )组合而成的.
The identity of the user is derived from a combination of the issuer plus any claims that identify the user (e.g. username in the token from your example).
在您的情况下,由于您是发行者,因此令牌减去签名仅表示用户已针对令牌发行端点成功进行了身份验证的证明.令牌中的声明应导致数据库记录,而不是令牌本身.
In your case, since you are the issuer, the token minus the signature simply represents proof that the user has successfully authenticated against your token issuing endpoint. The claims within the token should lead to a database record rather than the token itself.
这篇关于来自OnTokenValidated事件侦听器的TokenValidatedContext的安全令牌丢失了最后一个字符串段的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
