Azure OpenId Token validation

I am new to Azure, tokens and so on... I have "dug" through the Microsoft docs, Google and Stack Overflow, but I still don't fully understand.

So I am using OpenID and the Owin library to connect to Azure from a web application (VS2013, .NET 4.5.1). I have the following code to do it:

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(
            CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // aadInstance, tenant, policy, clientId and redirectUri are
                // fields set elsewhere in Startup (not shown in the post)
                MetadataAddress = String.Format(aadInstance, tenant, policy),
                AuthenticationType = policy,

                ClientId = clientId,
                RedirectUri = redirectUri,
                PostLogoutRedirectUri = redirectUri,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // only OnSecurityTokenValidated is shown below; the other
                    // three handlers are not included in the post
                    AuthenticationFailed = AuthenticationFailed,
                    SecurityTokenValidated = OnSecurityTokenValidated,
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                    SecurityTokenReceived = OnSecurityTokenReceived
                },
                Scope = "openid profile",
                ResponseType = "id_token"
            });
    }

    // Called by the middleware after it has validated the id_token
    private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        var identity = notification.AuthenticationTicket.Identity;
        var claims = notification.OwinContext.Authentication.User.Claims;

        ClaimsPrincipal.Current.AddIdentity(identity);

        return Task.FromResult(0);
    }

It is working, but in the Microsoft documentation I found the following instruction: "Currently, ID tokens are signed but not encrypted. When your app receives an ID token, it must validate the signature to prove the token's authenticity and validate a few claims in the token to prove its validity. The claims validated by an app vary depending on scenario requirements, but your app must perform some common claim validations in every scenario."

But there is the SecurityTokenValidated callback, which has an AuthenticationTicket. So do I still need to validate the token/ticket somehow, or is it now handled automatically (I have been in the army long enough to know that nothing happens automatically, but still)?

The library you are using handles the validation for you.

It will check that the signature is correct against the keys provided by Azure AD.

So you don't need to do any manual checks, apart from checks that are specific to your application. For example, an app might only allow members of a specific group to access it. If that is the case, you need to do that check yourself.
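As an added illustration (this is not code from the question or the answer above), here is the same OWIN pipeline with the validation the middleware already performs spelled out in TokenValidationParameters, plus the one app-specific check the answer mentions: only members of a particular group get in. Everything below that is not in the original post is an assumption: the placeholder field values, the made-up group object ID, the error page path, and that the tenant is configured to emit the "groups" claim in the id_token. Namespaces are those of Microsoft.Owin.Security.OpenIdConnect 3.x, which matches the VS2013 / .NET 4.5.1 setup in the question.

```csharp
using System;
using System.IdentityModel.Tokens;       // TokenValidationParameters, SecurityTokenValidationException (Owin 3.x)
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols; // OpenIdConnectMessage (Owin 3.x)
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Placeholder values (assumption): a real app reads these from web.config.
    private static readonly string clientId = "<application (client) id>";
    private static readonly string policy = "<policy name>";
    private static readonly string redirectUri = "https://localhost:44300/";
    private static readonly string metadataAddress = "<the MetadataAddress used in the question>";

    // Made-up object ID of the only group allowed into the app (assumption).
    private const string AllowedGroupId = "00000000-0000-0000-0000-000000000000";

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            MetadataAddress = metadataAddress,
            AuthenticationType = policy,
            ClientId = clientId,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Scope = "openid profile",
            ResponseType = "id_token",

            // What the middleware checks for you. These are the defaults written
            // out so the claim checks are visible; ValidIssuer and the signing
            // keys are filled in from the metadata document at runtime.
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudience = clientId,               // "aud" must be this app
                ValidateAudience = true,
                ValidateIssuer = true,                  // "iss" must match the metadata issuer
                ValidateLifetime = true,                // "nbf"/"exp" against the clock
                RequireExpirationTime = true,           // a token without "exp" is rejected
                RequireSignedTokens = true,             // signature checked against jwks_uri keys
                ClockSkew = TimeSpan.FromMinutes(5),
                NameClaimType = "name"
            },

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = OnSecurityTokenValidated,
                AuthenticationFailed = OnAuthenticationFailed
            }
        });
    }

    // Runs only after signature, issuer, audience and lifetime checks passed.
    // This is where the app-specific check from the answer belongs.
    private static Task OnSecurityTokenValidated(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        ClaimsIdentity identity = notification.AuthenticationTicket.Identity;

        // "groups" carries the object IDs of the user's groups (assumption:
        // the tenant emits it). Compare IDs, never display names.
        bool isMember = identity.FindAll("groups")
            .Any(c => string.Equals(c.Value, AllowedGroupId, StringComparison.OrdinalIgnoreCase));

        if (!isMember)
        {
            // Throwing here aborts the sign-in; the middleware routes the
            // exception to the AuthenticationFailed handler below.
            throw new SecurityTokenValidationException("User is not a member of the required group.");
        }

        return Task.FromResult(0);
    }

    private static Task OnAuthenticationFailed(
        AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        // Stop the default handling and send the user to an error page (path is
        // an assumption). Do not echo the exception text to the browser.
        notification.HandleResponse();
        notification.Response.Redirect("/Home/Error");
        return Task.FromResult(0);
    }
}
```

The split mirrors the answer: signature, issuer, audience and lifetime are the middleware's job and are configured, not re-implemented; the group check is the only code you write, and it runs in SecurityTokenValidated because by then the claims it reads are known to come from a token Azure AD actually signed.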