How to unencrypt Web API 2 JWT tokens?


Question

I'm trying to work with the OAuth bearer tokens Web API 2 supplies but I don't know how to unencrypt them or get the data out.

What I'd really like to do is either find or write myself an equivalent tool to this Google Tool https://developers.google.com/wallet/digital/docs/jwtdecoder for the tokens I am getting from Web API. The Google tool allows you to paste in the string of text representing a JWT token and it splits it up and unencodes the JSON within.

In Visual Studio 2013 if you choose New ASP.NET project, and then choose the Web API template with individual user accounts you get a sample project that contains a token endpoint. If you start the project, you can then POST a request "grant_type=password&username=joe&password=joe" to /token on the built in webserver and you get a token back:

{
"access_token":"x3vHm40WUXBiMZi_3EmdmCWLLuv4fsgjsg4S5Ya8kppDY_-2ejn7qF5Y_nbQ0bYVIKl6MNzL2GtXv-MAuwjippAAv5VDaxoKdxEVxeFrQ_eXsKNaQK7IvmVs1rIZ9eeRfRGK2AQ59wWQcyTtYO0dPJx9K7PGrSKz4ADAZ9SEZqQ4IesVhYbRCwToyxoyU5L9qdU8jXdHumkIrULRQhf68rIaBrEA_Be-V0rzWJ644fRLvv3z69XoHs3Az7PineILyNwbDck9uU2jkaXnwxoCTa4qlK8bR-lEI9-VXPNdbCvfgb5H9wfYsJcw2CMzNxNhV8v9YVZEt90evylwtTCEpXq4T3zRCQvrpbCvZrXqJ8uvlFeqCsvvhlIkSfPhBY8nm2ocWtBGPZm58zLe5FMi1jept0B54U38ZxkZlrGQKar47jkmnc6gpLrkpDBp7cWz",
"token_type":"bearer",
"expires_in":1209599,
"userName":"joe",
".issued":"Fri, 01 Aug 2014 16:16:02 GMT",
".expires":"Fri, 15 Aug 2014 16:16:02 GMT"
}

What I want to find out is what format the access_token is in and what information is contained.

A clue I found was: you can choose what kind of tokens Web API uses by setting the OAuthAuthorizationServerOptions.AccessTokenFormat property in Startup.Auth.cs. The documentation for OAuthAuthorizationServerOptions says:

"The data format used to protect the information contained in the access token. If not provided by the application the default data protection provider depends on the host server. The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server."

So it's probably encoded using the MachineKey. That's fine, I can set the Machine Key OK, but if I know the machine key that the token was created with, how do I decrypt it?

Answer

You are correct about the generation of the token. This token is an encrypted or signed string that contains the de-serialized version of all the claims and ticket properties for the signed-in user. If in IIS mode (SystemWeb), the encryption and signing are done via the "decryptionKey" and "validationKey" values in the machineKey node. If running as a self-hosted OWIN application, the encryption uses DPAPI to protect it, which actually uses the 3DES algorithm.

To decrypt it, you need to invoke this code in your API controller action method (not necessary, but useful if you want to see what is inside this encrypted token):

// Requires the Microsoft.Owin.Security package; Startup.OAuthBearerOptions is the
// static OAuthBearerAuthenticationOptions the VS2013 template sets in Startup.Auth.cs.
// Unprotect only succeeds on the same AccessTokenFormat (same keys) that issued the token;
// on any other token it returns null instead of throwing.
string token = "Your token goes here";
Microsoft.Owin.Security.AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);

If you need to configure your AuthZ server to issue JWT signed tokens so you can decode them using some online tool such as the Google JWT decoder, then I recommend you read my blog post here about JSON Web Token in ASP.NET Web API 2 using Owin.
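The controller below is an added example; it is not code from the answer above or from the Katana project. It puts the two things discussed on this page into one diagnostic action: the JWT splitter the question asks for (three base64url segments, decoded without verifying the signature) and the AccessTokenFormat.Unprotect call from the answer for the template's default opaque token. It assumes the VS2013 "Individual User Accounts" Web API template, where Startup.Auth.cs exposes a static Startup.OAuthBearerOptions and attribute routing is enabled; the controller name and route are hypothetical.

```csharp
// Added example (not from the original answer). Assumes the VS2013 Web API
// template: Startup.OAuthBearerOptions is a static OAuthBearerAuthenticationOptions
// and config.MapHttpAttributeRoutes() is called. Controller name and route are
// made up for this example. This endpoint reveals token contents, so keep it out
// of production builds or restrict it to administrators.
using System;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Web.Http;
using Microsoft.Owin.Security;
using Newtonsoft.Json.Linq;

[RoutePrefix("api/tokendebug")]
public class TokenDebugController : ApiController
{
    // GET /api/tokendebug?token=<access_token>
    [HttpGet, Route("")]
    public IHttpActionResult Inspect(string token)
    {
        if (string.IsNullOrEmpty(token))
            return BadRequest("token is required");

        // Case 1: a real JWT is header.payload.signature, each base64url encoded.
        // This only decodes; it does NOT verify the signature, so claims read this
        // way are untrusted. Do not make authorization decisions on them.
        string[] parts = token.Split('.');
        if (parts.Length == 3)
        {
            return Ok(new
            {
                format = "JWT (signature not verified)",
                header = JObject.Parse(Base64UrlDecodeString(parts[0])),
                payload = JObject.Parse(Base64UrlDecodeString(parts[1])),
                signatureLength = Base64UrlDecode(parts[2]).Length
            });
        }

        // Case 2: the template's default access_token is an opaque AuthenticationTicket
        // protected with the machineKey (IIS) or DPAPI (self-host). Only the same
        // AccessTokenFormat with the same keys can unprotect it; Katana's
        // SecureDataFormat returns null on any failure rather than throwing.
        AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);
        if (ticket == null)
            return BadRequest("Not a JWT, and not unprotectable with this server's keys.");

        return Ok(new
        {
            format = "OWIN protected ticket",
            claims = ticket.Identity.Claims.Select(c => new { c.Type, c.Value }).ToList(),
            properties = ticket.Properties.Dictionary,
            issuedUtc = ticket.Properties.IssuedUtc,
            expiresUtc = ticket.Properties.ExpiresUtc
        });
    }

    private static string Base64UrlDecodeString(string segment)
    {
        return Encoding.UTF8.GetString(Base64UrlDecode(segment));
    }

    // base64url (RFC 4648 section 5): '-' and '_' instead of '+' and '/', no padding.
    private static byte[] Base64UrlDecode(string segment)
    {
        string b64 = segment.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }
}
```

Paste the access_token from the /token response into the query string and the action returns the ticket's claims and properties (including the .issued/.expires values shown in the JSON above). The two branches also answer the question's underlying point: the default token is not a JWT, so no outside tool can read it, and you do not normally need to decrypt it yourself, because the resource server's OAuthBearerAuthenticationOptions does exactly this Unprotect on every request using the same keys. If you want tokens that an external decoder can inspect, switch the server to issuing signed JWTs, as the answer suggests, and remember that decoding a JWT is not the same as validating it.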
