OWIN Bearer Token Authentication


Problem description


I have some questions related to Bearer Token. In Owin you can protect a ticket Protect(ticket) like this:

    // Build the identity that the bearer token will carry
    ClaimsIdentity identity = new ClaimsIdentity(Startup.OAuthServerOptions.AuthenticationType);
    identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));

    // Extra key/value data stored alongside the identity in the ticket
    Dictionary<string, string> data = new Dictionary<string, string>();
    data.Add("UserId", user.Id);
    data.Add("UserName", user.UserName);
    data.Add("Role", "user");

    AuthenticationProperties properties = new AuthenticationProperties(data);
    AuthenticationTicket ticket = new AuthenticationTicket(identity, properties);

    DateTime currentUtc = DateTime.UtcNow;
    DateTime expireUtc = currentUtc.Add(TimeSpan.FromHours(24));
    ticket.Properties.IssuedUtc = currentUtc;
    ticket.Properties.ExpiresUtc = expireUtc;

    // Serialize, protect (encrypt + MAC) and base64url-encode the ticket
    string token = Startup.OAuthServerOptions.AccessTokenFormat.Protect(ticket);

Now the token will be something like this:

nqak-9R6U64Owsm_lqn_mJzKc_Djd8iVnIw0EX77v5x2rybhf4m_zg_UnrsoO5BxDZQl0HWrSvvd4efa4ChNSf5rAGhd13aOXZlvwOJOZ5v_9bhRCq8A7tqHyiM6DqVVOyYs3lh2SU-wU1m85HH2IcYDtdTY3ijaKZ_QnP1nsqO5LRnnEL4upbETPW9zqWIZzZBX7_Y2cXi2v0K7WnlRor3gFKIZlU9J-NfidRpWXqq5744NfWWHalYADGS7eUWyuxPJCj9ykHYzaXFksJEXBw

My questions:

  • How is this token generated/encrypted?

  • Are there any chances that somebody can try to mess up with the token and add some custom claims to it?

Example:

If you have the token string you can do this:

    AuthenticationTicket ticket = Startup.OAuthServerOptions.AccessTokenFormat.Unprotect(token);

Now you can add custom claims to it. For example, if there is a role claim with value user, then you can modify that claim and add admin, then re-encode the ticket and you get a token that has the admin role.

I actually did some tests: encoded a token on a server and then tried to modify it on another system, but I couldn't Unprotect it. Therefore I am thinking maybe the ticket is encrypted/decrypted using the machine key of the machine on which it was originally created. However, if I try to Unprotect it from the same machine it works. I can decrypt it and modify it.

Can somebody explain this process please?

Solution

How is this token generated/encrypted?

The data protection provider can be set using the SetDataProtectionProvider extension method on the IAppBuilder object. When this is not done, the data protection provider of the host is used. In case of IIS + ASP.NET, this is MachineKeyDataProtector in the assembly Microsoft.Owin.Host.SystemWeb. For self-hosting, this will be DPAPI. Basically, the token is encrypted and then MACed and that is what Protect() is all about.

Are there any chances that somebody can try to mess up with the token and add some custom claims to it?

No. This is not possible. A token protected on one machine cannot be unprotected somewhere else. An exception to that will be the case of a web farm where you have multiple machines. One machine can protect, and if the subsequent request goes to some other machine, that machine should have the ability to unprotect. With DPAPI, this is not possible. With MachineKeyDataProtector, this is possible by having the same machineKey section on all the machines. But if you are concerned about some MITM being able to do this, then no, it is not possible.
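As an added illustration of the answer (not code from the question or from the OWIN project), this self-contained console program protects a ticket with OWIN's TicketDataFormat over the DPAPI provider that a self-hosted app falls back to, then shows that a bit-flipped token and a token handed to a protector with different purposes both come back as null from Unprotect. It assumes the Microsoft.Owin.Security NuGet package on Windows (DPAPI); the app name, purposes and claim values are made up for the demo.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.DataProtection;

// Mirrors the default OAuthAuthorizationServerOptions.AccessTokenFormat pipeline:
// serialize ticket -> IDataProtector.Protect (encrypt, then MAC) -> base64url text.
class TicketProtectionDemo
{
    static ISecureDataFormat<AuthenticationTicket> MakeFormat(string appName)
    {
        // Self-hosted OWIN uses DPAPI; under IIS the host supplies MachineKeyDataProtector.
        // appName and purposes (constructed values) are bound into the protected blob.
        IDataProtectionProvider provider = new DpapiDataProtectionProvider(appName);
        IDataProtector protector = provider.Create("OAuth", "Access_Token", "v1");
        return new TicketDataFormat(protector);
    }

    static void Main()
    {
        var identity = new ClaimsIdentity("Bearer");
        identity.AddClaim(new Claim(ClaimTypes.Name, "alice"));   // constructed sample user
        identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
        var props = new AuthenticationProperties { ExpiresUtc = DateTimeOffset.UtcNow.AddHours(24) };
        var ticket = new AuthenticationTicket(identity, props);

        var format = MakeFormat("DemoApp");
        string token = format.Protect(ticket);

        // 1. Same protector: round trip succeeds and the role claim is intact.
        AuthenticationTicket ok = format.Unprotect(token);
        Console.WriteLine(ok != null && ok.Identity.HasClaim(ClaimTypes.Role, "user"));

        // 2. Flip one bit of the ciphertext: the MAC check fails and Unprotect returns null,
        //    so an altered token is rejected rather than decoded with changed claims.
        byte[] raw = TextEncodings.Base64Url.Decode(token);
        raw[raw.Length / 2] ^= 0x01;
        string tampered = TextEncodings.Base64Url.Encode(raw);
        Console.WriteLine(format.Unprotect(tampered) == null);

        // 3. A protector bound to other purposes (or running on another machine, for DPAPI)
        //    cannot unprotect the token at all.
        var other = MakeFormat("OtherApp");
        Console.WriteLine(other.Unprotect(token) == null);
    }
}
```

All three lines print True; only a process holding the same key material and purposes can read or re-issue the ticket, which is what makes the "unprotect, edit, re-protect" step in the question a server-side capability rather than something a token holder can do.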
