GenerateCorrelationId() 和 ValidateCorrelationId() 有什么作用?
What does GenerateCorrelationId() and ValidateCorrelationId() do?
我在自定义 owin 处理程序中看到这段代码来执行 Oauth2。例如这里:https://github.com/RockstarLabs/OwinOAuthProviders/blob/master/Owin.Security.Providers/Reddit/RedditAuthenticationHandler.cs
谁能用简单的英语向我解释这两种方法在 oauth2 的上下文中的作用?好像跟CSRF有关,但不知道是怎么回事。
当重定向到 "OAuth 2" 合作伙伴时,必须通过某种方式将最终重定向回您自己的应用程序与您发送的原始重定向相关联。
Microsoft.Owin AuthenticationHandler 的实现方式:
- 生成一个 nonce 的随机字节并将其保留在浏览器 cookie 中
(
GenerateCorrelationId)
- 加密这个随机数和其他信息,你的工作是将这个在
state 查询字符串参数中传递给合作伙伴(回想一下,合作伙伴的工作是 return 这个值直接返回给你的验证用户后申请)
- 通过解密
state 查询字符串参数并验证它与存储的 cookie 中的值相匹配来验证随机数 (ValidateCorrelationId)
这里是the source:
protected void GenerateCorrelationId(AuthenticationProperties properties)
{
if (properties == null)
{
throw new ArgumentNullException("properties");
}
string correlationKey = Constants.CorrelationPrefix +
BaseOptions.AuthenticationType;
var nonceBytes = new byte[32];
Random.GetBytes(nonceBytes);
string correlationId = TextEncodings.Base64Url.Encode(nonceBytes);
var cookieOptions = new CookieOptions
{
HttpOnly = true,
Secure = Request.IsSecure
};
properties.Dictionary[correlationKey] = correlationId;
Response.Cookies.Append(correlationKey, correlationId, cookieOptions);
}
protected bool ValidateCorrelationId(AuthenticationProperties properties,
ILogger logger)
{
if (properties == null)
{
throw new ArgumentNullException("properties");
}
string correlationKey = Constants.CorrelationPrefix +
BaseOptions.AuthenticationType;
string correlationCookie = Request.Cookies[correlationKey];
if (string.IsNullOrWhiteSpace(correlationCookie))
{
logger.WriteWarning("{0} cookie not found.", correlationKey);
return false;
}
var cookieOptions = new CookieOptions
{
HttpOnly = true,
Secure = Request.IsSecure
};
Response.Cookies.Delete(correlationKey, cookieOptions);
string correlationExtra;
if (!properties.Dictionary.TryGetValue(
correlationKey,
out correlationExtra))
{
logger.WriteWarning("{0} state property not found.", correlationKey);
return false;
}
properties.Dictionary.Remove(correlationKey);
if (!string.Equals(correlationCookie, correlationExtra, StringComparison.Ordinal))
{
logger.WriteWarning("{0} correlation cookie and state property mismatch.",
correlationKey);
return false;
}
return true;
}
我在自定义 owin 处理程序中看到这段代码来执行 Oauth2。例如这里:https://github.com/RockstarLabs/OwinOAuthProviders/blob/master/Owin.Security.Providers/Reddit/RedditAuthenticationHandler.cs
谁能用简单的英语向我解释这两种方法在 oauth2 的上下文中的作用?好像跟CSRF有关,但不知道是怎么回事。
当重定向到 "OAuth 2" 合作伙伴时,必须通过某种方式将最终重定向回您自己的应用程序与您发送的原始重定向相关联。
Microsoft.Owin AuthenticationHandler 的实现方式:
- 生成一个 nonce 的随机字节并将其保留在浏览器 cookie 中
(
GenerateCorrelationId) - 加密这个随机数和其他信息,你的工作是将这个在
state查询字符串参数中传递给合作伙伴(回想一下,合作伙伴的工作是 return 这个值直接返回给你的验证用户后申请) - 通过解密
state查询字符串参数并验证它与存储的 cookie 中的值相匹配来验证随机数 (ValidateCorrelationId)
这里是the source:
protected void GenerateCorrelationId(AuthenticationProperties properties)
{
if (properties == null)
{
throw new ArgumentNullException("properties");
}
string correlationKey = Constants.CorrelationPrefix +
BaseOptions.AuthenticationType;
var nonceBytes = new byte[32];
Random.GetBytes(nonceBytes);
string correlationId = TextEncodings.Base64Url.Encode(nonceBytes);
var cookieOptions = new CookieOptions
{
HttpOnly = true,
Secure = Request.IsSecure
};
properties.Dictionary[correlationKey] = correlationId;
Response.Cookies.Append(correlationKey, correlationId, cookieOptions);
}
protected bool ValidateCorrelationId(AuthenticationProperties properties,
ILogger logger)
{
if (properties == null)
{
throw new ArgumentNullException("properties");
}
string correlationKey = Constants.CorrelationPrefix +
BaseOptions.AuthenticationType;
string correlationCookie = Request.Cookies[correlationKey];
if (string.IsNullOrWhiteSpace(correlationCookie))
{
logger.WriteWarning("{0} cookie not found.", correlationKey);
return false;
}
var cookieOptions = new CookieOptions
{
HttpOnly = true,
Secure = Request.IsSecure
};
Response.Cookies.Delete(correlationKey, cookieOptions);
string correlationExtra;
if (!properties.Dictionary.TryGetValue(
correlationKey,
out correlationExtra))
{
logger.WriteWarning("{0} state property not found.", correlationKey);
return false;
}
properties.Dictionary.Remove(correlationKey);
if (!string.Equals(correlationCookie, correlationExtra, StringComparison.Ordinal))
{
logger.WriteWarning("{0} correlation cookie and state property mismatch.",
correlationKey);
return false;
}
return true;
}