【Question title】: OWIN - signing and encrypting requests
【Posted】: 2015-12-14 14:33:09
【Question】:

In our ASP.NET MVC5 website we authenticate against multiple ADFS servers. One of these requires that we sign (and preferably encrypt) our requests.

We are using OWIN and the UseWsFederationAuthentication extension method to set up the options for each ADFS server (see below).

var adfsLoginProviderOptions = new WsFederationAuthenticationOptions
{
    MetadataAddress = adfsLoginProvider.MetadataUrl,
    Wtrealm = AppSettings.FirstAgendaWtRealm,
    AuthenticationMode = AuthenticationMode.Passive,
    AuthenticationType = adfsLoginProvider.Name,
    CallbackPath = new PathString("/adfs/callback"),
    UseTokenLifetime = true
};
app.UseWsFederationAuthentication(adfsLoginProviderOptions);

My problem is that I don't see any obvious option for setting up signing and encryption of the requests, and I can't seem to find anyone else doing this.

【Comments】:

  • Hi. I'm facing the same problem. Did you find a solution? Thanks.
  • I did. I'll add an answer.
  • Cool. Looking forward to it.

Tags: asp.net owin adfs


【Solution 1】:

I did some research and found the following.

I needed to register two SecurityTokenHandlers:

  • one to decrypt the encrypted token
  • one to validate the signed token

They are registered as follows:

var adfsLoginProviderOptions = new WsFederationAuthenticationOptions
{
    MetadataAddress = adfsLoginProvider.MetadataUrl,
    Wtrealm = "http://[your-realm]",
    AuthenticationMode = AuthenticationMode.Passive,
    AuthenticationType = adfsLoginProvider.Name,
    UseTokenLifetime = false,
    CallbackPath = new PathString("/adfs/callback/" + adfsLoginProvider.ID.ToString()),
    TokenValidationParameters = new TokenValidationParameters
    {
        AuthenticationType = adfsLoginProvider.Name
    },
    SecurityTokenHandlers = new SecurityTokenHandlerCollection
    {
        // First handler: decrypts the token using the relying party's private key from the machine store
        new EncryptedSecurityTokenHandler(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
        // Second handler: validates the signature, audience and issuer of the decrypted SAML token
        new SamlSecurityTokenHandler
        {
            CertificateValidator = X509CertificateValidator.None,
            Configuration = new SecurityTokenHandlerConfiguration()
            {
                AudienceRestriction = audienceRestriction,
                IssuerNameRegistry = issuerRegistry
            }
        }
    }
};

The EncryptedSecurityTokenHandler is implemented as follows:

using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Xml;

// Wraps the framework's EncryptedSecurityTokenHandler so that the OWIN WS-Federation
// middleware can use it through the string-based ISecurityTokenValidator interface.
public class EncryptedSecurityTokenHandler : System.IdentityModel.Tokens.EncryptedSecurityTokenHandler, ISecurityTokenValidator
{
    public EncryptedSecurityTokenHandler(SecurityTokenResolver securityTokenResolver)
    {
        // The resolver locates the relying party's decryption certificate (with private key)
        Configuration = new SecurityTokenHandlerConfiguration
        {
            ServiceTokenResolver = securityTokenResolver
        };
    }

    public override bool CanReadToken(string securityToken)
    {
        return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));
    }

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
    {
        // ReadToken decrypts the token and looks for another SecurityTokenHandler in the same
        // collection (here the SamlSecurityTokenHandler) to do the actual validation
        validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
        if (ContainingCollection != null)
        {
            var identities = ContainingCollection.ValidateToken(validatedToken);
            var principal = new ClaimsPrincipal(identities.First());
            return principal;
        }
        return new ClaimsPrincipal(base.ValidateToken(validatedToken));
    }

    public int MaximumTokenSizeInBytes { get; set; }
}

And the SamlSecurityTokenHandler:

using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Xml;

// Wraps the framework's SamlSecurityTokenHandler (signature, audience and issuer validation)
// behind the string-based ISecurityTokenValidator interface used by the OWIN middleware.
public class SamlSecurityTokenHandler : System.IdentityModel.Tokens.SamlSecurityTokenHandler, ISecurityTokenValidator
{
    public override bool CanReadToken(string securityToken)
    {
        return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
    }

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
        out SecurityToken validatedToken)
    {
        validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
        var identities = ValidateToken(validatedToken);
        // Re-create the identities with the authentication type the cookie middleware expects
        var newIdentities = identities.Select(d => new ClaimsIdentity(d.Claims, "ExternalCookie"));
        var claimsPrincipal = new ClaimsPrincipal(newIdentities);
        return claimsPrincipal;
    }

    public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
    {
        var identities = base.ValidateToken(token);
        return identities;
    }

    public int MaximumTokenSizeInBytes { get; set; }
}

The audience restriction is the realm of the application:

var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
audienceRestriction.AllowedAudienceUris.Add(new Uri("http://[your-realm]"));

The IssuerRegistry is the registry of the issuer's signing certificate:

var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
// Trust is anchored on the thumbprint of the ADFS token-signing certificate
issuerRegistry.AddTrustedIssuer(adfsLoginProvider.SigningCertThumbprint, adfsLoginProvider.Issuer);
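
The following is an added example, not code from the answer above: it assembles the same handler collection from a realm and two thumbprints, and checks up front that the decryption certificate is actually usable. X509CertificateStoreTokenResolver resolves the decryption key from the LocalMachine\My store at the callback, so a certificate that is missing, has no private key, or whose private key the application pool identity cannot read fails only at login time with an unhelpful "cannot resolve key" error; this check surfaces the problem at startup instead. EncryptedSecurityTokenHandler and SamlSecurityTokenHandler are the subclasses defined in the answer; the class name WsFederationTokenHandlerFactory and its method and parameter names are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Assumed helper name; builds the SecurityTokenHandlerCollection used in the answer.
public static class WsFederationTokenHandlerFactory
{
    public static SecurityTokenHandlerCollection Create(
        string realm,                        // e.g. "http://[your-realm]"
        string decryptionCertThumbprint,     // relying party certificate (with private key) in LocalMachine\My
        string issuerSigningCertThumbprint,  // ADFS token-signing certificate
        string issuerName)                   // ADFS issuer name as it appears in the token
    {
        // Fail fast at startup rather than with an opaque error at the callback.
        EnsureDecryptionCertificateUsable(decryptionCertThumbprint);

        // Only tokens issued for our own realm are accepted.
        var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
        audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

        // Signature trust is anchored on the issuer's thumbprint; this is why
        // CertificateValidator.None on the SAML handler (no chain build) still leaves
        // the XML signature itself verified against a known certificate.
        var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
        issuerRegistry.AddTrustedIssuer(issuerSigningCertThumbprint, issuerName);

        return new SecurityTokenHandlerCollection
        {
            // Decrypts the EncryptedData wrapper; the resolver looks up our private key
            // by the KeyInfo in the token (thumbprint, SKI or issuer/serial).
            new EncryptedSecurityTokenHandler(
                new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
            // Validates signature, audience, issuer and lifetime of the inner SAML token.
            new SamlSecurityTokenHandler
            {
                CertificateValidator = X509CertificateValidator.None,
                Configuration = new SecurityTokenHandlerConfiguration
                {
                    AudienceRestriction = audienceRestriction,
                    IssuerNameRegistry = issuerRegistry
                }
            }
        };
    }

    // Checks that the certificate the resolver will look for exists, carries a private key,
    // and that the current process identity can open that key.
    private static void EnsureDecryptionCertificateUsable(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
            {
                throw new InvalidOperationException(
                    "Decryption certificate " + thumbprint + " not found in LocalMachine\\My.");
            }

            var cert = matches[0];
            if (!cert.HasPrivateKey)
            {
                throw new InvalidOperationException(
                    "Decryption certificate " + thumbprint + " has no private key; import it as PFX.");
            }

            // Accessing PrivateKey opens the key container; it throws a CryptographicException
            // when the application pool identity lacks read permission on the key.
            var unused = cert.PrivateKey;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Call it from Startup with the same values the answer takes from adfsLoginProvider and assign the result to SecurityTokenHandlers on the WsFederationAuthenticationOptions. Thumbprints copied from the certificate MMC often contain a leading invisible character and spaces; strip them before use or the store lookup and the issuer registry silently fail to match.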

【Discussion】:
