在id_token内核3中使用ASP.NET
在id_token内核3中使用ASP.NET
提问于 2019-11-18 14:20:14
在ASP.NET核心3应用程序中,我需要处理来自id_token和access_token的信息。
id_token具有有时构建策略所需的成员信息。由于成员信息可能很大,因此使其成为access_token的一部分是不可能的(令牌超过了允许的最大大小)。
客户端在id_token报头中发送x-id-token,我正在寻找一种方法来提取它并在其中使用声明。
现在,我已经配置了JwtBearer auth,它与Authorization: Bearer access_token头无缝地工作。
public void ConfigureServices(IServiceCollection services) {
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.Authority = $"https://{Configuration["auth:Domain"]}/";
options.Audience = Configuration["auth:Audience"];
});
...
}回答 1
Stack Overflow用户
回答已采纳
发布于 2019-11-19 05:13:46
正如问题中所述,我需要在授权流中执行一个步骤来验证id_token和自定义标头中提供的membership_id。最后,我以以下形式创建了一个自定义auth需求处理程序
internal class MembershipRequirement : AuthorizationHandler<MembershipRequirement>, IAuthorizationRequirement
{
public MembershipRequirement(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, MembershipRequirement requirement)
{
var authFilterCtx = (Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext)context.Resource;
string idToken = authFilterCtx.HttpContext.Request.Headers["x-id-token"];
string membershipId = authFilterCtx.HttpContext.Request.Headers["x-selected-membership-id"];
if (idToken != null && membershipId != null)
{
var identity = ValidateIdToken(idToken).Result;
if (identity != null)
{
var subscriptions = identity.Claims.ToList().FindAll(s => s.Type == "https://example.com/subs").ToList();
var assignments = subscriptions.Select(s => JsonSerializer.Deserialize<Subscription>(s.Value)).ToList();
var membership = assignments.Find(a => a.id == membershipId);
if (membership != null)
{
// assign the id token claims to user identity
context.User.AddIdentity(new ClaimsIdentity(identity.Claims));
context.Succeed(requirement);
}
else { context.Fail(); }
}
else
{
context.Fail();
}
}
return Task.FromResult<object>(null);
}
private async Task<ClaimsPrincipal> ValidateIdToken(string token)
{
try
{
IConfigurationManager<OpenIdConnectConfiguration> configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>($"https://{Configuration["Auth:Domain"]}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = await configurationManager.GetConfigurationAsync(CancellationToken.None);
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
IssuerSigningKeys = openIdConfig.SigningKeys,
ValidateIssuer = false,
ValidateAudience = false
};
var validator = new JwtSecurityTokenHandler();
SecurityToken validatedToken;
var identity = validator.ValidateToken(token, validationParameters, out validatedToken);
return identity;
}
catch (Exception e)
{
Console.Writeline($"Error occurred while validating token: {e.Message}");
return null;
}
}
}
internal class Subscription
{
public string name { get; set; }
public string id { get; set; }
}然后在public void ConfigureServices(IServiceCollection services)方法中添加了一个策略来检查id_token中的成员身份。
services.AddAuthorization(options =>
{
options.AddPolicy("RequiredCompanyMembership", policy => policy.Requirements.Add(new MembershipRequirement(Configuration)));
});对我们来说,此策略适用于所有授权端点。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/58916645
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号