验证 Oauth Bearer 令牌,Microsoft.Owin.Security.Jwt 4.x 中缺少 IIssuerSecurityTokenProvider
Validate Oauth Bearer token, IIssuerSecurityTokenProvider missing in Microsoft.Owin.Security.Jwt 4.x
我正在尝试让我的 .Net Web API(使用 OWIN 的 Azure API 应用程序)接受 OAuth Bearer 令牌以获得 client_credentials 授权,但我一直在获取401 未经授权。
似乎所有 Microsoft 示例都已过时(不符合 Owin 的最新 nuget 包)。
JwtFormat 执行一个 IIssuerSecurityTokenProvider,但它不再存在 - 相反,JwtFormat 需要一个 IIssuerSecurityKeyProvider,但我不知道如何使用它。
Azure OAuth 服务器正在运行
我已经在 Azure Active Directory 中注册了两个应用程序(api 和客户端)。
由于这只是快速演示,我会给你所有的 ID 和秘密 ;)
我可以从 Azure AD 获取令牌,请参阅 https://reqbin.com/817shtc2 了解完整的请求,目前一切顺利。
API
ClientId: 44cf7574-88a2-42d6-9497-bff43cc8dc09
Endpoint: https://apim-demo-mglentoft.azure-api.net/api/Values (GET)
客户端
ClientId: 5f7ee334-b8db-46d3-972f-09f52e186d1d
Secret: ggKp94]HZHWZ.c*5wUC?ToSVfknyqLB3
我遵循了 https://github.com/azureadquickstarts/appmodelv2-nativeclient-dotnet 中的示例,但它引用了 Microsoft.Owin.Security.Jwt.IIssuerSecurityTokenProvider,它在 nuget v4.0.1.0 中不存在。
我尝试只注释掉 JwtFormat 的第二个参数,但这不起作用。任何想法如何使用 Microsoft.Owin.Security.Jwt.IIssuerSecurityKeyProvider?
下面是全文startup.cs
我可以使用 .Net Core 实现此功能,但出于各种原因我必须坚持使用 .Net Framework 4.7.2
using System;
using System.Configuration;
using System.Threading.Tasks;
using System.Web.Http;
using DemoAPI.Middleware;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;
[assembly: OwinStartup(typeof(DemoAPI.App_Start.Startup))]
namespace DemoAPI.App_Start
{
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
var config = new HttpConfiguration();
ConfigureAuth(app);
app.Use(typeof(CorrelationHandlerMiddleware));
app.UseCors(CorsOptions.AllowAll);
WebApiConfig.Register(config);
app.UseWebApi(config);
}
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
public void ConfigureAuth(IAppBuilder app)
{
// NOTE: The usual WindowsAzureActiveDirectoryBearerAuthentication middleware uses a
// metadata endpoint which is not supported by the v2.0 endpoint. Instead, this
// OpenIdConnectSecurityTokenProvider implementation can be used to fetch & use the OpenIdConnect
// metadata document - which for the v2 endpoint is https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(
new TokenValidationParameters
{
// Check if the audience is intended to be this application
ValidAudiences = new[] { clientId, $"api://{clientId}" },`enter code here`
// Change below to 'true' if you want this Web API to accept tokens issued to one Azure AD tenant only (single-tenant)
// Note that this is a simplification for the quickstart here. You should validate the issuer. For details,
// see https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore
ValidateIssuer = false,
}//,
//new OpenIdConnectSecurityKeyProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")
//the OpenIdConnectSecurityKeyProvider implements IIssuerSecurityTokenProvider, which is not part of Microsoft.Owin.Security.Jwt 4.0
),
});
}
}
}
实际使用时的错误Microsoft.Owin.diagnostics
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware
Error: 0 : Authentication failed
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException:
IDX10501: Signature validation failed. Unable to match key: kid:
'[PII is hidden. For more details, see
https://aka.ms/IdentityModel/PII.]'. Exceptions caught: '[PII is
hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII is hidden. For more details, see
https://aka.ms/IdentityModel/PII.]'. at
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String
token, TokenValidationParameters validationParameters) at
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String
token, TokenValidationParameters validationParameters, SecurityToken&
validatedToken)
尝试将 'token' 重命名为 'key',你可能会很好。
所以,而不是
IssuerSecurityTokenProviders = new IIssuedSecurityTokenProvider[]
{
new symmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
}
你应该有类似
IssuerSecurityKeyProviders= new IIssuerSecurityKeyProvider[]
{
new SymmetricKeyIssuerSecurityKeyProvider(issuer, audienceSecret)
}
更多信息:Issue Thread or Actual Github Repo
希望这对您有所帮助...
我将继续在这里回答我自己的问题,因为我通过稍微更改 https://github.com/azureadquickstarts/appmodelv2-nativeclient-dotnet 中的示例来让它工作。
可能 Stef's 答案也有效,我只是做错了什么 - 但你让我朝着正确的方向前进:)
在Startup.cs中:
我从 IIssuerSecurityTokenProvider 的实现更改为 IIssuerSecurityKeyProvider(感谢 Stef)
string issuerEndpoint = @"https://sts.windows.net/919e9a01-27bf-4106-9d36-48528249d0ce/";
string metadaEndpoint = $"{issuerEndpoint}v2.0/.well-known/openid-configuration";
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(
new TokenValidationParameters
{
// Check if the audience is intended to be this application
ValidAudiences = new[] { clientId, $"api://{clientId}" },
// Change below to 'true' if you want this Web API to accept tokens issued to one Azure AD tenant only (single-tenant)
// Note that this is a simplification for the quickstart here. You should validate the issuer. For details,
// see https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore
ValidateIssuer = false,
},
new OpenIdConnectSecurityKeyProvider("https://sts.windows.net/919e9a01-27bf-4106-9d36-48528249d0ce/v2.0/.well-known/openid-configuration")
),
});
OpenIDConnectSecurityKeyProvider.cs
基于 https://github.com/azureadquickstarts/appmodelv2-nativeclient-dotnet 中的示例实施,将其更改为检索密钥而不是令牌。
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Jwt;
namespace DemoAPI.App_Start
{
//This class is necessary because the OAuthBearer Middleware does not leverage
// the OpenID Connect metadata endpoint exposed by the STS by default.
public class OpenIdConnectSecurityKeyProvider : IIssuerSecurityKeyProvider
{
public ConfigurationManager<OpenIdConnectConfiguration> ConfigManager;
private string _issuer;
private IEnumerable<SecurityKey> _keys;
private readonly string _metadataEndpoint;
private readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();
public OpenIdConnectSecurityKeyProvider(string metadataEndpoint)
{
_metadataEndpoint = metadataEndpoint;
ConfigManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataEndpoint, new OpenIdConnectConfigurationRetriever());
RetrieveMetadata();
}
/// <summary>
/// Gets the issuer the credentials are for.
/// </summary>
/// <value>
/// The issuer the credentials are for.
/// </value>
public string Issuer
{
get
{
RetrieveMetadata();
_synclock.EnterReadLock();
try
{
return _issuer;
}
finally
{
_synclock.ExitReadLock();
}
}
}
public IEnumerable<SecurityKey> SecurityKeys
{
get
{
RetrieveMetadata();
_synclock.EnterReadLock();
try
{
return _keys;
}
finally
{
_synclock.ExitReadLock();
}
}
}
private void RetrieveMetadata()
{
_synclock.EnterWriteLock();
try
{
OpenIdConnectConfiguration config = ConfigManager.GetConfigurationAsync().Result;
_issuer = config.Issuer;
_keys = config.SigningKeys;
}
finally
{
_synclock.ExitWriteLock();
}
}
}
}
我正在尝试让我的 .Net Web API(使用 OWIN 的 Azure API 应用程序)接受 OAuth Bearer 令牌以获得 client_credentials 授权,但我一直在获取401 未经授权。
似乎所有 Microsoft 示例都已过时(不符合 Owin 的最新 nuget 包)。
JwtFormat 执行一个 IIssuerSecurityTokenProvider,但它不再存在 - 相反,JwtFormat 需要一个 IIssuerSecurityKeyProvider,但我不知道如何使用它。
Azure OAuth 服务器正在运行
我已经在 Azure Active Directory 中注册了两个应用程序(api 和客户端)。 由于这只是快速演示,我会给你所有的 ID 和秘密 ;)
我可以从 Azure AD 获取令牌,请参阅 https://reqbin.com/817shtc2 了解完整的请求,目前一切顺利。
API
ClientId: 44cf7574-88a2-42d6-9497-bff43cc8dc09
Endpoint: https://apim-demo-mglentoft.azure-api.net/api/Values (GET)
客户端
ClientId: 5f7ee334-b8db-46d3-972f-09f52e186d1d
Secret: ggKp94]HZHWZ.c*5wUC?ToSVfknyqLB3
我遵循了 https://github.com/azureadquickstarts/appmodelv2-nativeclient-dotnet 中的示例,但它引用了 Microsoft.Owin.Security.Jwt.IIssuerSecurityTokenProvider,它在 nuget v4.0.1.0 中不存在。
我尝试只注释掉 JwtFormat 的第二个参数,但这不起作用。任何想法如何使用 Microsoft.Owin.Security.Jwt.IIssuerSecurityKeyProvider?
下面是全文startup.cs
我可以使用 .Net Core 实现此功能,但出于各种原因我必须坚持使用 .Net Framework 4.7.2
using System;
using System.Configuration;
using System.Threading.Tasks;
using System.Web.Http;
using DemoAPI.Middleware;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;
[assembly: OwinStartup(typeof(DemoAPI.App_Start.Startup))]
namespace DemoAPI.App_Start
{
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
var config = new HttpConfiguration();
ConfigureAuth(app);
app.Use(typeof(CorrelationHandlerMiddleware));
app.UseCors(CorsOptions.AllowAll);
WebApiConfig.Register(config);
app.UseWebApi(config);
}
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
public void ConfigureAuth(IAppBuilder app)
{
// NOTE: The usual WindowsAzureActiveDirectoryBearerAuthentication middleware uses a
// metadata endpoint which is not supported by the v2.0 endpoint. Instead, this
// OpenIdConnectSecurityTokenProvider implementation can be used to fetch & use the OpenIdConnect
// metadata document - which for the v2 endpoint is https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(
new TokenValidationParameters
{
// Check if the audience is intended to be this application
ValidAudiences = new[] { clientId, $"api://{clientId}" },`enter code here`
// Change below to 'true' if you want this Web API to accept tokens issued to one Azure AD tenant only (single-tenant)
// Note that this is a simplification for the quickstart here. You should validate the issuer. For details,
// see https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore
ValidateIssuer = false,
}//,
//new OpenIdConnectSecurityKeyProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")
//the OpenIdConnectSecurityKeyProvider implements IIssuerSecurityTokenProvider, which is not part of Microsoft.Owin.Security.Jwt 4.0
),
});
}
}
}
实际使用时的错误Microsoft.Owin.diagnostics
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key: kid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Exceptions caught: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. token: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
尝试将 'token' 重命名为 'key',你可能会很好。
所以,而不是
IssuerSecurityTokenProviders = new IIssuedSecurityTokenProvider[]
{
new symmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
}
你应该有类似
IssuerSecurityKeyProviders= new IIssuerSecurityKeyProvider[]
{
new SymmetricKeyIssuerSecurityKeyProvider(issuer, audienceSecret)
}
更多信息:Issue Thread or Actual Github Repo
希望这对您有所帮助...
我将继续在这里回答我自己的问题,因为我通过稍微更改 https://github.com/azureadquickstarts/appmodelv2-nativeclient-dotnet 中的示例来让它工作。
可能 Stef's 答案也有效,我只是做错了什么 - 但你让我朝着正确的方向前进:)
在Startup.cs中:
我从 IIssuerSecurityTokenProvider 的实现更改为 IIssuerSecurityKeyProvider(感谢 Stef)
string issuerEndpoint = @"https://sts.windows.net/919e9a01-27bf-4106-9d36-48528249d0ce/";
string metadaEndpoint = $"{issuerEndpoint}v2.0/.well-known/openid-configuration";
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(
new TokenValidationParameters
{
// Check if the audience is intended to be this application
ValidAudiences = new[] { clientId, $"api://{clientId}" },
// Change below to 'true' if you want this Web API to accept tokens issued to one Azure AD tenant only (single-tenant)
// Note that this is a simplification for the quickstart here. You should validate the issuer. For details,
// see https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore
ValidateIssuer = false,
},
new OpenIdConnectSecurityKeyProvider("https://sts.windows.net/919e9a01-27bf-4106-9d36-48528249d0ce/v2.0/.well-known/openid-configuration")
),
});
OpenIDConnectSecurityKeyProvider.cs
基于 https://github.com/azureadquickstarts/appmodelv2-nativeclient-dotnet 中的示例实施,将其更改为检索密钥而不是令牌。
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Jwt;
namespace DemoAPI.App_Start
{
//This class is necessary because the OAuthBearer Middleware does not leverage
// the OpenID Connect metadata endpoint exposed by the STS by default.
public class OpenIdConnectSecurityKeyProvider : IIssuerSecurityKeyProvider
{
public ConfigurationManager<OpenIdConnectConfiguration> ConfigManager;
private string _issuer;
private IEnumerable<SecurityKey> _keys;
private readonly string _metadataEndpoint;
private readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();
public OpenIdConnectSecurityKeyProvider(string metadataEndpoint)
{
_metadataEndpoint = metadataEndpoint;
ConfigManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataEndpoint, new OpenIdConnectConfigurationRetriever());
RetrieveMetadata();
}
/// <summary>
/// Gets the issuer the credentials are for.
/// </summary>
/// <value>
/// The issuer the credentials are for.
/// </value>
public string Issuer
{
get
{
RetrieveMetadata();
_synclock.EnterReadLock();
try
{
return _issuer;
}
finally
{
_synclock.ExitReadLock();
}
}
}
public IEnumerable<SecurityKey> SecurityKeys
{
get
{
RetrieveMetadata();
_synclock.EnterReadLock();
try
{
return _keys;
}
finally
{
_synclock.ExitReadLock();
}
}
}
private void RetrieveMetadata()
{
_synclock.EnterWriteLock();
try
{
OpenIdConnectConfiguration config = ConfigManager.GetConfigurationAsync().Result;
_issuer = config.Issuer;
_keys = config.SigningKeys;
}
finally
{
_synclock.ExitWriteLock();
}
}
}
}