动态追加 OWIN JWT 资源服务器应用程序客户端(受众)
本文关键字:客户端 受众 应用程序 源服务器 追加 OWIN JWT 动态 | 更新日期: 2023-09-27 18:32:38
我有一个使用 OWINJWT 进行身份验证的C# API。
我的startup.cs(我的资源服务器(根据代码配置 OAuth:
public void ConfigureOAuth(IAppBuilder app)
{
var issuer = "<the_same_issuer_as_AuthenticationServer.Api>";
// Api controllers with an [Authorize] attribute will be validated with JWT
var audiences = DatabaseAccessLayer.GetAllowedAudiences(); // Gets a list of audience Ids, secrets, and names (although names are unused)
// List the
List<string> audienceId = new List<string>();
List<IIssuerSecurityTokenProvider> providers = new List<IIssuerSecurityTokenProvider>();
foreach (var aud in audiences) {
audienceId.Add(aud.ClientId);
providers.Add(new SymmetricKeyIssuerSecurityTokenProvider(issuer, TextEncodings.Base64Url.Decode(aud.ClientSecret)));
}
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = audienceId.ToArray(),
IssuerSecurityTokenProviders = providers.ToArray(),
Provider = new OAuthBearerAuthenticationProvider
{
OnValidateIdentity = context =>
{
context.Ticket.Identity.AddClaim(new System.Security.Claims.Claim("newCustomClaim", "newValue"));
return Task.FromResult<object>(null);
}
}
});
}
这允许再次检查多个客户端 ID 的经过身份验证的持有者令牌。这很好用。但是,我的 Web 应用程序允许用户创建新的应用程序受众(即新的 ClientID、ClientSecret 和 ClientName 组合(,但在发生这种情况后,我不知道如何让资源服务器的JwtBearerAuthenticationOptions识别新创建的受众。
我可以在新受众之后重新启动服务器,以便ConfigureOAuth()之后重新运行,但从长远来看,这不是一个好方法。
有没有人知道如何在启动之外JwtBearerAuthenticationOptions将受众(即新的**ClientID,ClientSecret和ClientName组合(添加到OWIN应用程序.cs并ConfigureOAuth()?
我一直在寻求:https://docs.auth0.com/aspnetwebapi-owin-tutorial 和 http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/寻求帮助,但两个代码示例都显示了上述相同的问题。
以下操作在使用 X509CertificateSecurityTokenProvider 时有效。它已被修改为使用 SymmetricKeyIssuerSecurityTokenProvider,但尚未经过测试。
public void ConfigureOAuth(IAppBuilder app)
{
var issuer = "<the_same_issuer_as_AuthenticationServer.Api>";
// Api controllers with an [Authorize] attribute will be validated with JWT
Func<IEnumerable<Audience>> allowedAudiences = () => DatabaseAccessLayer.GetAllowedAudiences();
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(new TokenValidationParameters
{
AudienceValidator = (audiences, securityToken, validationParameters) =>
{
return allowedAudiences().Select(x => x.ClientId).Intersect(audiences).Count() > 0;
},
ValidIssuers = new ValidIssuers { Audiences = allowedAudiences },
IssuerSigningTokens = new SecurityTokensTokens(issuer) { Audiences = allowedAudiences }
})
};
app.UseOAuthBearerAuthentication(bearerOptions);
}
public abstract class AbstractAudiences<T> : IEnumerable<T>
{
public Func<IEnumerable<Audience>> Audiences { get; set; }
public abstract IEnumerator<T> GetEnumerator();
System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator()
{
throw new NotImplementedException();
}
}
public class SecurityTokensTokens : AbstractAudiences<SecurityToken>
{
private string issuer;
public SecurityTokensTokens(string issuer)
{
this.issuer = issuer;
}
public override IEnumerator<SecurityToken> GetEnumerator()
{
foreach (var aud in Audiences())
{
foreach (var securityToken in new SymmetricKeyIssuerSecurityTokenProvider(issuer, TextEncodings.Base64Url.Decode(aud.ClientSecret)).SecurityTokens)
{
yield return securityToken;
};
}
}
}
public class ValidIssuers : AbstractAudiences<string>
{
public override IEnumerator<string> GetEnumerator()
{
foreach (var aud in Audiences())
{
yield return aud.ClientSecret;
}
}
}
}
我会尽力提供帮助:D请记住,我是初学者,所以它可能不是最好的:D
我还希望在不重新启动服务的情况下拥有动态的受众,因为最终它是关于灵活性和易用性的。
因此,我的验证如下:
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(new TokenValidationParameters
{
AudienceValidator = AudienceValidator,
IssuerSigningToken = x509SecToken,
ValidIssuer = issuer,
RequireExpirationTime = true,
ValidateLifetime = true,
})
};
app.UseOAuthBearerAuthentication(bearerOptions);
正如你在上面看到的,我确实有一个代表正在验证我的受众。基本上这意味着 - 每次向服务器发出请求时,都会调用此方法来验证受众。
目前我只有小的调试方法,我正在验证任何观众:
private bool AudienceValidator(IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
{
Trace.Write("would be validating audience now");
return true;
}
现在下一步是在这里做什么?可以肯定的是,您不希望每次验证受众时都查询数据库,因为这将省略使用这些令牌的目的:D您可能会想出一些好主意 - 请分享!
第一种方法:
所以我所做的是使用 https://github.com/jgeurts/FluentScheduler 并且我计划每 1 小时从数据库更新一次允许的受众。这很有效。我正在注册具有一组权限的新受众,在最好的情况下,他们已经准备好飞行了,或者我必须等待~59分钟:)
希望这有帮助!
第二种方法:
现在,另一方面,我已经添加了对定义授权资源的JWT令牌的声明。然后我正在检查安全令牌中是否有与我的资源服务器匹配的资源。如果是这样,我们认为受众是:D<</p>
我们还需要动态 JWT 受众处理程序,专门针对 Azure B2C 租户。租户信息存储在数据库中,该数据库用于配置每个租户的单个OAuthBearerAuthenticationProvider()条目和 B2C 策略(使用 B2C 租户所需的附加参数(。
我们发现,尝试在启动后尝试使用IAppBuilder UseOAuthBearerAuthentication()来添加其他条目根本不起作用 - 提供程序未正确管理,因此未检索签名令牌,从而导致 HTTP 401 质询。(我们保留了IAppBuiler对象,以便以后使用。
查看验证令牌的JwtFormat.cs代码提供了有关如何实现解决方案的线索(我们使用的是版本 3.1.0 - YMMV(:
https://github.com/aspnet/AspNetKatana/blob/v3.1.0/src/Microsoft.Owin.Security.Jwt/JwtFormat.cs#L193
这是它从提供的OAuthBearerAuthenticationProvider()中提取颁发者和签名密钥的地方。请注意,对于我们的目的来说,它的效率有点低 - 它拉取所有颁发者和签名密钥,即使只有一个受众与 Azure B2C 租户颁发的 JWT 匹配。
相反,我们所做的是:
- 仅使用一个
UseOAuthBearerAuthentication()调用,没有OAuthBearerAuthenticationProvider()- 只需传递令牌验证参数; - 使用子类化
JwtSecurityTokenHandler类并覆盖ValidateToken以动态管理受众; - 创建子类化
JwtSecurityTokenHandler的实例并将其戳入JwtFormat.TokenHandler。
如何管理和发起添加新受众取决于您。我们使用数据库和 Redis 来传递重新加载命令。
以下是 Startup.Auth.cs 片段:
/// <summary>
/// The B2C token handler for handling dynamically loaded B2C tenants.
/// </summary>
protected B2CTokenHandler TokenHandler = new B2CTokenHandler();
/// <summary>
/// Setup the OAuth authentication. We use the database to retrieve the available B2C tenants.
/// </summary>
/// <param name="app">The application builder object</param>
public AuthOAuth2(IAppBuilder app) {
// get Active Directory endpoint
AadInstance = ConfigurationManager.AppSettings["b2c:AadInstance"];
// get the B2C policy list used by API1
PolicyIdList = ConfigurationManager.AppSettings["b2c:PolicyIdList"].Split(',').Select(p => p.Trim()).ToList();
TokenValidationParameters tvps = new TokenValidationParameters {
NameClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier"
};
// create a access token format
JwtFormat jwtFormat = new JwtFormat(tvps);
// add our custom token handler which will provide token validation parameters per tenant
jwtFormat.TokenHandler = TokenHandler;
// wire OAuth authentication for tenants
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions {
// the security token provider handles Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint
AccessTokenFormat = jwtFormat,
Provider = new OAuthBearerAuthenticationProvider() {
OnValidateIdentity = async (context) => await OAuthValidateIdentity(context)
}
});
// load initial OAuth authentication tenants
LoadAuthentication();
}
/// <summary>
/// Load the OAuth authentication tenants. We maintain a local hash map of those tenants during
/// processing so we can track those tenants no longer in use.
/// </summary>
protected override void LoadAuthentication() {
AuthProcessing authProcessing = new AuthProcessing();
List<B2CAuthTenant> authTenantList = new List<B2CAuthTenant>();
// add all tenants for authentication
foreach (AuthTenantApp authTenantApp in authProcessing.GetAuthTenantsByAppId("API1")) {
// create a B2C authentication tenant per policy. Note that the policy may not exist, and
// this will be handled by the B2C token handler at configuration load time below
foreach (string policyId in PolicyIdList) {
authTenantList.Add(new B2CAuthTenant {
Audience = authTenantApp.ClientId,
PolicyId = policyId,
TenantName = authTenantApp.Tenant
});
}
}
// and load the token handler with the B2C authentication tenants
TokenHandler.LoadConfiguration(AadInstance, authTenantList);
// we must update the CORS origins
string origins = string.Join(",", authProcessing.GetAuthTenantAuthoritiesByAppId("API1").Select(a => a.AuthorityUri));
// note some browsers do not support wildcard for exposed headers - there specific needed. See
//
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers#Browser_compatibility
EnableCorsAttribute enableCors = new EnableCorsAttribute(origins, "*", "*", "Content-Disposition");
enableCors.SupportsCredentials = true;
enableCors.PreflightMaxAge = 30 * 60;
GlobalConfiguration.Configuration.EnableCors(enableCors);
}
下面是被覆盖的JwtSecurityTokenHandler类的代码片段:
/// <summary>
/// Dictionary of currently configured OAuth audience+policy to the B2C endpoint signing key cache.
/// </summary>
protected ConcurrentDictionary<string, OpenIdConnectCachingSecurityTokenProvider> AudiencePolicyMap = new ConcurrentDictionary<string, OpenIdConnectCachingSecurityTokenProvider>();
/// <summary>
/// Load the B2C authentication tenant list, creating a B2C endpoint security token provider
/// which will bethe source of the token signing keys.
/// </summary>
/// <param name="aadInstance">The Active Directory instance endpoint URI</param>
/// <param name="b2cAuthTenantList">The B2C authentication tenant list</param>
public void LoadConfiguration(string aadInstance, List<B2CAuthTenant> b2cAuthTenantList) {
// maintain a list of keys that are loaded
HashSet<string> b2cAuthTenantSet = new HashSet<string>();
// attempt to create a security token provider for each authentication tenant
foreach(B2CAuthTenant b2cAuthTenant in b2cAuthTenantList) {
// form the dictionary key
string tenantKey = $"{b2cAuthTenant.Audience}:{b2cAuthTenant.PolicyId}";
if (!AudiencePolicyMap.ContainsKey(tenantKey)) {
try {
// attempt to create a B2C endpoint security token provider. We may fail if there is no policy
// defined for that tenant
OpenIdConnectCachingSecurityTokenProvider tokenProvider = new OpenIdConnectCachingSecurityTokenProvider(String.Format(aadInstance, b2cAuthTenant.TenantName, b2cAuthTenant.PolicyId));
// add to audience:policy map
AudiencePolicyMap[tenantKey] = tokenProvider;
// this guy is new
b2cAuthTenantSet.Add(tenantKey);
} catch (Exception ex) {
// exception has already been reported appropriately
}
} else {
// this guys is already present
b2cAuthTenantSet.Add(tenantKey);
}
}
// at this point we have a set of B2C authentication tenants that still exist. Remove any that are not
foreach (KeyValuePair<string, OpenIdConnectCachingSecurityTokenProvider> kvpAudiencePolicy in AudiencePolicyMap.Where(t => !b2cAuthTenantSet.Contains(t.Key))) {
AudiencePolicyMap.TryRemove(kvpAudiencePolicy.Key, out _);
}
}
/// <summary>
/// Validate a security token. We are responsible for priming the token validation parameters
/// with the specific parameters for the audience:policy, if found.
/// </summary>
/// <param name="securityToken">A 'JSON Web Token' (JWT) that has been encoded as a JSON object. May be signed using 'JSON Web Signature' (JWS)</param>
/// <param name="tvps">Contains validation parameters for the security token</param>
/// <param name="validatedToken">The security token that was validated</param>
/// <returns>A claims principal from the jwt. Does not include the header claims</returns>
public override ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters tvps, out SecurityToken validatedToken) {
if (string.IsNullOrWhiteSpace(securityToken)) {
throw new ArgumentNullException("Security token is null");
}
// decode the token as we need the 'aud' and 'tfp' claims
JwtSecurityToken token = ReadToken(securityToken) as JwtSecurityToken;
if (token == null) {
throw new ArgumentOutOfRangeException("Security token is invalid");
}
// get the audience and policy
Claim audience = token.Claims.FirstOrDefault(c => c.Type == JwtRegisteredClaimNames.Aud);
Claim policy = token.Claims.FirstOrDefault(c => c.Type == ClaimTypesB2C.Tfp);
if ((audience == null) || (policy == null)) {
throw new SecurityTokenInvalidAudienceException("Security token has no audience/policy id");
}
// generate the key
string tenantKey = $"{audience.Value}:{policy.Value}";
// check if this audience:policy is known
if (!AudiencePolicyMap.ContainsKey(tenantKey)) {
throw new SecurityTokenInvalidAudienceException("Security token has unknown audience/policy id");
}
// get the security token provider
OpenIdConnectCachingSecurityTokenProvider tokenProvider = AudiencePolicyMap[tenantKey];
// clone the token validation parameters so we can update
tvps = tvps.Clone();
// we now need to prime the validation parameters for this audience
tvps.ValidIssuer = tokenProvider.Issuer;
tvps.ValidAudience = audience.Value;
tvps.AuthenticationType = policy.Value;
tvps.IssuerSigningTokens = tokenProvider.SecurityTokens;
// and call real validator with updated parameters
return base.ValidateToken(securityToken, tvps, out validatedToken);
}
对于我们的 B2C 租户,并非为租户定义了所有可用策略。我们需要在OpenIdConnectCachingSecurityTokenProvider中处理它:
/// <summary>
/// Retrieve the metadata from the endpoint.
/// </summary>
private void RetrieveMetadata() {
metadataLock.EnterWriteLock();
try {
// retrieve the metadata
OpenIdConnectConfiguration config = Task.Run(configManager.GetConfigurationAsync).Result;
// and update
issuer = config.Issuer;
securityTokens = config.SigningTokens;
} catch (Exception ex) when (CheckHttp404(ex)) {
// ignore 404 errors as they indicate that the policy does not exist for a tenant
logger.Warn($"Policy endpoint not found for {metadataEndpoint} - ignored");
throw ex;
} catch (Exception ex) {
logger.Fatal(ex, $"System error in retrieving token metadatafor {metadataEndpoint}");
throw ex;
} finally {
metadataLock.ExitWriteLock();
}
}
/// <summary>
/// Check if the inner most exception is a HTTP response with status code of Not Found.
/// </summary>
/// <param name="ex">The exception being examined for a 404 status code</param>
/// <returns></returns>
private bool CheckHttp404(Exception ex) {
// get the inner most exception
while(ex.InnerException != null) {
ex = ex.InnerException;
}
// check if a HttpWebResponse with a 404
return (ex is WebException webex) && (webex.Response is HttpWebResponse response) && (response.StatusCode == HttpStatusCode.NotFound);
}
我们有同样的问题,遵循相同的路径。此外,我还尝试通过IAppBuilder和JwtBearerAuthenticationOptions对象创建自定义OAuthBearerAuthenticationProvider((,覆盖OnValidateIdentity((并在那里重新加载JwtBearerAuthenticationOptions,但新的受众仍未得到验证。
我想,我现在将坚持重新启动应用程序以克服这个问题。
希望这能给其他人一个正确的道路提示。