Does the SecurityTokenValidated callback mean the token was validated automatically by the OWIN middleware?
Updated: 2023-09-27 18:05:43
I am using Azure AD and have set up my Startup.Auth.cs file as shown below. I am able to connect and authenticate successfully with Azure, Google, MS and LinkedIn, and I receive an id_token, but I want to be able to validate this token that I receive from Azure and I am not sure how. Does the SecurityTokenValidated event being raised mean that the token has already been validated against the TokenValidationParameters I defined, and that I do not need to validate the token myself? If so, what should I put inside TokenValidationParameters?
The id_token I receive does not contain an encrypted signature to validate against.

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    SlidingExpiration = true,
    LoginPath = new PathString("/"),
    CookieSecure = CookieSecureOption.Always,
});

var options = new OpenIdConnectAuthenticationOptions
{
    Authority = "https://login.windows.net/common",
    ClientId = clientId,
    RedirectUri = redirectUri,
    PostLogoutRedirectUri = postLogoutRedirectUri,
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthenticationFailed = AuthenticationFailed,
        RedirectToIdentityProvider = OnRedirectToIdentityProvider,
        SecurityTokenReceived = OnSecurityTokenReceived,
        AuthorizationCodeReceived = OnAuthorizationCodeReceived,
        SecurityTokenValidated = OnSecurityTokenValidated,
        MessageReceived = OnMessageReceived
    },
    Scope = "openid",
    ResponseType = "id_token",
    Description = new AuthenticationDescription
    {
        AuthenticationType = "OpenIdConnect",
    },
    ConfigurationManager = new PolicyConfigurationManager(
        string.Format(CultureInfo.InvariantCulture, aadInstance, tenant, "/v2.0", OidcMetadataSuffix),
        new[] { SisuGoogle, SisuLinkedIn, SisuMicrosoft, SisuLocal, ResetPasswordLocalPolicyId }),
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidAudiences = new string[]
        {
            "http://localhost:44330/",
        },
        IssuerSigningKey = GetSecurityKey(),
        // If you don't add this, you get IDX10205
        //ValidateIssuer = false,
    },
};
app.UseOpenIdConnectAuthentication(options);

private SecurityKey GetSecurityKey()
{
    var securityKey = "secure key";
    var signingKey = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey));
    var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest);
    return signingCredentials.SigningKey;
}

private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg)
{
    //do I need to validate the token here or has it already been validated??
    //if I have to validate it then how do I? I've tried the following but does not work
    var tokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKey = GetSecurityKey()
    };
    SecurityToken validatedToken;
    var jwtHandler = new JwtSecurityTokenHandler();
    //crashes at this point
    jwtHandler.ValidateToken(arg.ProtocolMessage.IdToken, tokenValidationParameters, out validatedToken);
    return Task.FromResult(0);
}
You can follow this sample: https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-devquickstarts-api-dotnet.md
Or look at this similar question: https://social.msdn.microsoft.com/forums/en-US/893a6142-1508-4aa2-9da3-dab3b1f1a6b9/b2c-jwt-token-signature-validation?forum=windowsazuread
If you use a configuration similar to the one in the sample, OWIN will handle the token validation using the keys obtained from the metadata endpoint.
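The configuration the answer above describes, as an added example that is not code from the question or from either answer: the middleware verifies the id_token with the RSA signing keys it downloads from the Authority's metadata endpoint, so no IssuerSigningKey is configured and the SecurityTokenValidated notification only inspects the already validated ClaimsIdentity. The client id, the allowed tenant ids and the ConfigureAuth/OnSecurityTokenValidated names are assumed placeholders; the using directives are for Katana 4.x and differ slightly in 3.x.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect; // OpenIdConnectMessage (Katana 4.x)
using Microsoft.IdentityModel.Tokens;                   // Katana 4.x; System.IdentityModel.Tokens in 3.x
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Assumed placeholder values: this app's client id and the tenants allowed to sign in.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private static readonly string[] AllowedTenantIds = { "11111111-1111-1111-1111-111111111111" };

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://login.windows.net/common",
            ClientId = ClientId,
            ResponseType = "id_token",
            Scope = "openid",
            TokenValidationParameters = new TokenValidationParameters
            {
                // An Azure AD id_token's audience is the client id, not the site URL.
                ValidAudience = ClientId,
                // "common" issues tokens from many tenants, so a fixed issuer string cannot
                // be used; the tenant is checked in OnSecurityTokenValidated instead.
                ValidateIssuer = false
                // No IssuerSigningKey: the middleware loads the RSA keys from the Authority's metadata endpoint.
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = OnSecurityTokenValidated
            }
        });
    }

    // Runs only after signature, audience and lifetime have already been verified,
    // so the token is not validated again here; only the resulting claims are checked.
    private static Task OnSecurityTokenValidated(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> ctx)
    {
        var tenantId = ctx.AuthenticationTicket.Identity
            .FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
        if (tenantId == null || !AllowedTenantIds.Contains(tenantId))
            throw new SecurityTokenValidationException("Sign-in from tenant " + tenantId + " is not allowed.");
        return Task.FromResult(0);
    }
}
```

Throwing from the notification fails the sign-in and routes to AuthenticationFailed, which is the documented way to reject a tenant after the middleware has accepted the token's signature.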
A bit late, but the documentation for the various events can be found here:
OpenIdConnectAuthenticationNotifications
The events you can hook up to with the notifications are:
- AuthenticationFailed: Invoked if an exception is thrown during request processing. The exception will be re-thrown after this event unless suppressed.
- AuthorizationCodeReceived: Invoked after security token validation if an authorization code is present in the protocol message.
- MessageReceived: Invoked when a protocol message is first received.
- RedirectToIdentityProvider: Invoked to manipulate redirects to the identity provider for SignIn, SignOut or Challenge.
- SecurityTokenReceived: Invoked with the security token that has been extracted from the protocol message.
- SecurityTokenValidated: Invoked after the security token has passed validation and a ClaimsIdentity has been generated.
- TokenResponseReceived: Invoked after the "authorization code" is redeemed for tokens at the token endpoint.
Some updated samples using these can be found here: Azure AD B2C: Call an ASP.NET Web API from an ASP.NET Web App.
As mentioned in the Advanced options of the tutorial Add sign-in with Microsoft to an ASP.NET web app, there are many ways to further restrict who can access your app once they have authenticated.