Ich habe einen Beispiel-Identitätsdienst erstellt. Er liest einen geheimen Schlüssel aus der Konfigurationsdatei.
Benutzerspezifisches Geheimnis für JWT in OWIN basierend auf Anforderungsparameter
ConfigurationManager.AppSettings["as:AudienceSecret"]
Ich muss es so ändern, dass das Geheimnis anhand eines Body-Parameters der eingehenden Anfrage (form["CurrentUser"]) aus einer Datenbank gelesen wird. Wie können wir das tun?
Startup.cs Konfiguration
/// <summary>
/// Registers the per-request Identity objects on the OWIN context and adds the
/// OAuth 2.0 authorization server that issues access tokens through
/// <see cref="CustomJwtFormat"/>, with grants handled by <see cref="CustomOAuthProvider"/>.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is added to.</param>
private void ConfigureOAuthTokenGeneration(IAppBuilder app)
{
    // One DbContext / UserManager / RoleManager instance per OWIN request.
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);

    // Same "Issuer" setting is read again in ConfigureOAuthTokenConsumption, so the
    // tokens minted here are accepted by the bearer middleware.
    var tokenIssuer = ConfigurationManager.AppSettings["Issuer"];

    var serverOptions = new OAuthAuthorizationServerOptions();
    // Lets the token endpoint be reached over plain HTTP; user credentials and the issued
    // token then travel unencrypted. Keep this restricted to local development.
    serverOptions.AllowInsecureHttp = true;
    serverOptions.TokenEndpointPath = new PathString("/oauth/token");
    serverOptions.AccessTokenExpireTimeSpan = TimeSpan.FromDays(1);
    serverOptions.Provider = new CustomOAuthProvider();
    serverOptions.AccessTokenFormat = new CustomJwtFormat(tokenIssuer);

    // OAuth 2.0 Bearer Access Token Generation
    app.UseOAuthAuthorizationServer(serverOptions);
}
/// <summary>
/// Adds JWT bearer authentication so that incoming tokens are validated on every request.
/// Issuer, audience id and the Base64Url-encoded signing secret all come from web.config,
/// so exactly one symmetric key is fixed when the application starts.
/// NOTE(review): a per-user secret cannot be resolved from this static configuration;
/// the consuming side would need its own key lookup per token.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is added to.</param>
private void ConfigureOAuthTokenConsumption(IAppBuilder app)
{
    var appSettings = ConfigurationManager.AppSettings;
    var tokenIssuer = appSettings["Issuer"];
    var expectedAudience = appSettings["as:AudienceId"];
    // The shared key is stored Base64Url-encoded; decoded here it is the key that
    // incoming token signatures are checked against.
    var signingSecret = TextEncodings.Base64Url.Decode(appSettings["as:AudienceSecret"]);

    var tokenProviders = new IIssuerSecurityTokenProvider[]
    {
        new SymmetricKeyIssuerSecurityTokenProvider(tokenIssuer, signingSecret)
    };

    var bearerOptions = new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new[] { expectedAudience },
        IssuerSecurityTokenProviders = tokenProviders
    };

    app.UseJwtBearerAuthentication(bearerOptions);
}
GrantResourceOwnerCredentials in CustomOAuthProvider
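/// <summary>
/// Resource-owner password grant: verifies the supplied user name / password against the
/// Identity store and, on success, validates a ticket whose claims name the user given in
/// the "CurrentUser" form field and that user's practice.
/// </summary>
/// <param name="context">The OWIN grant context carrying the request, the credentials and the result.</param>
/// <returns>A task that completes once the context has been validated or an error has been set.</returns>
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    var allowedOrigin = ConfigurationManager.AppSettings["AllowedOrigin"];
    context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });

    var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

    ApplicationUser user = null;
    try
    {
        user = await userManager.FindAsync(context.UserName, context.Password);
    }
    catch (Exception ex)
    {
        // A store failure is deliberately reported to the caller as a failed grant (below)
        // so no internal detail leaks; trace it so it stays visible server-side.
        // Reading ex.InnerException here would throw when it is null.
        System.Diagnostics.Trace.TraceError("User lookup failed during password grant: {0}", ex);
    }

    if (user == null)
    {
        context.SetError("invalid_grant", "The user name or password is incorrect.");
        return;
    }

    // The identity placed in the ticket comes from the request body, not from the
    // credentials just verified. NOTE(review): nothing here checks that the authenticated
    // user is allowed to act as "CurrentUser"; any valid login can name another account.
    var form = await context.Request.ReadFormAsync();
    var loggedinUserName = form["CurrentUser"];

    string practice = null;
    if (!String.IsNullOrWhiteSpace(loggedinUserName))
    {
        ApplicationUser loggedinUserObj = userManager.FindByName(loggedinUserName);
        // Only resolve the practice for an account that exists; an unknown name must not
        // reach GetPracticeForUser with an empty id.
        if (loggedinUserObj != null)
        {
            ProvidersBL providersBL = new ProvidersBL();
            practice = providersBL.GetPracticeForUser(loggedinUserObj.Id);
        }
    }

    practice = practice ?? "Undefined";
    loggedinUserName = loggedinUserName ?? "Undefined";

    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.Name, loggedinUserName),
        new Claim("Practice", practice)
    };

    var oAuthIdentity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
    var ticket = new AuthenticationTicket(oAuthIdentity, null);
    context.Validated(ticket);
}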
Warum brauchen Sie das? Das Geheimnis dient dazu, die Anwendung (Client) zu bestätigen, nicht den Benutzer –
@CallbackKid: [JWT Per-User Signing Key](https://auth0.com/forum/t/jwt-per-user-signing-key/485) sagt: „Der Ansatz, den Sie erwähnen, ist definitiv ein gültiger.“ – Lijo
Eine weitere Referenz: [Single-Use-Token mit JWT](https://www.jbspeakr.cc/howto-single-use-jwt/) – Lijo