OWIN Bearer Token Authentication
Question

I have some questions related to Bearer Token. In Owin you can protect a ticket (Protect(ticket)) like this:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.Owin.Security;

// Identity whose claims get serialized into the ticket.
ClaimsIdentity identity = new ClaimsIdentity(Startup.OAuthServerOptions.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));

// Extra key/value data carried in AuthenticationProperties
// (named propertyData so it does not collide with the variable below).
Dictionary<string, string> propertyData = new Dictionary<string, string>();
propertyData.Add("UserId", user.Id);
propertyData.Add("UserName", user.UserName);
propertyData.Add("Role", "user");
AuthenticationProperties properties = new AuthenticationProperties(propertyData);
AuthenticationTicket ticket = new AuthenticationTicket(identity, properties);

DateTime currentUtc = DateTime.UtcNow;
DateTime expireUtc = currentUtc.Add(TimeSpan.FromHours(24));
ticket.Properties.IssuedUtc = currentUtc;
ticket.Properties.ExpiresUtc = expireUtc;

// AccessTokenFormat is an instance property, so it is reached through the
// options object created in Startup rather than through the class name.
string token = Startup.OAuthServerOptions.AccessTokenFormat.Protect(ticket);
```
Now the token will be something like this:
nqak-9R6U64Owsm_lqn_mJzKc_Djd8iVnIw0EX77v5x2rybhf4m_zg_UnrsoO5BxDZQl0HWrSvvd4efa4ChNSf5rAGhd13aOXZlvwOJOZ5v_9bhRCq8A7tqHyiM6DqVVOyYs3lh2SU-wU1m85HH2IcYDtdTY3ijaKZ_QnP1nsqO5LRnnEL4upbETPW9zqWIZzZBX7_Y2cXi2v0K7WnlRor3gFKIZlU9J-NfidRpWXqq5744NfWWHalYADGS7eUWyuxPJCj9ykHYzaXFksJEXBw
My questions:
How is this token generated/encrypted?
Are there any chances that somebody can try to mess up with the token and add some custom claims to it?
Example:
If you have the token string you can do this:

```csharp
// Unprotect goes through the same instance property as Protect.
AuthenticationTicket ticket = Startup.OAuthServerOptions.AccessTokenFormat.Unprotect(token);
```

Now you can add custom claims to it. For example, if there is a role claim with value "user", then you can modify that claim and add "admin", then re-encode the ticket and you get a token that has the admin role.

I actually did some tests, encoded a token on a server and then tried to modify it on another system, but I couldn't Unprotect it. Therefore I am thinking maybe the ticket is encrypted/decrypted using the machine key of the machine on which it was originally created. However, if I try to Unprotect it from the same machine, it works. I can decrypt it and modify it.

Can somebody explain this process please?
Solution

How is this token generated/encrypted?

The data protection provider can be set using the SetDataProtectionProvider extension method on the IAppBuilder object. When this is not done, the data protection provider of the host is used. In the case of IIS + ASP.NET, this is MachineKeyDataProtector in the assembly Microsoft.Owin.Host.SystemWeb. For self-hosting, this will be DPAPI. Basically, the token is encrypted and then MACed, and that is what Protect() is all about.

Are there any chances that somebody can try to mess up with the token and add some custom claims to it?
No. This is not possible. A token protected on one machine cannot be unprotected somewhere else. An exception to that will be the case of a web farm where you have multiple machines. One machine can protect, and if the subsequent request goes to some other machine, that machine should have the ability to unprotect. With DPAPI, this is not possible. With MachineKeyDataProtector, this is possible by having the same machineKey section on all the machines. But then, if you are concerned about some MITM being able to do this, then no, it is not possible.