JSON Web Token in ASP.NET Web API 2 using Owin
2021-06-15 20:04
Original article: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/ (reposted at https://www.cnblogs.com/chucklu/p/10361345.html)

In the previous post, Decouple OWIN Authorization Server from Resource Server, we saw how to separate the Authorization Server and the Resource Server by unifying the “decryptionKey” and “validationKey” values in the machineKey node of the web.config file of both servers. Once a user requests an access token from the Authorization server, the Authorization server uses this shared key to encrypt the access token, and when the token is sent to the Resource server, the Resource server uses the same key to decrypt it and extract the authentication ticket.

This works well when you control the Resource servers (Audience) that rely on your Authorization server (Token Issuer) for access tokens; in other words, you fully trust those Resource servers, so you share the same “decryptionKey” and “validationKey” values with them. But when a large number of Resource servers rely on your Authorization server, sharing the same keys with all of them becomes inefficient as well as insecure: the same keys protect the tokens of every Resource server, so if one key is compromised, all the other Resource servers are affected.

To overcome this, we configure the Authorization server to issue access tokens in JSON Web Token (JWT) format instead of the default access token format, and we configure the Resource server to consume these JWT access tokens. As you will see throughout this post, once JWT is used there is no need to unify the “decryptionKey” and “validationKey” values any more.

What is JSON Web Token (JWT)?

JSON Web Token is a security token that acts as a container for claims about the user. It can be transmitted easily between the Authorization server (Token Issuer) and the Resource server (Audience), and the claims in a JWT are encoded as JSON, which makes it easy to use, especially in applications built with JavaScript. A JWT can be signed following the JSON Web Signature (JWS) specification, and it can be encrypted following the JSON Web Encryption (JWE) specification. In our case we will not transmit any sensitive data in the JWT payload, so we will only sign the JWT to protect it from tampering during transmission between the parties.

JSON Web Token (JWT) Format

Basically a JWT is a string consisting of three parts separated by a dot (.). The JWT parts are:

The header part is a JSON object which always contains 2 nodes and looks like the following:

{ "typ": "JWT", "alg": "HS256" }

The “typ” node always has the value “JWT”, and the “alg” node contains the algorithm used to sign the token; in our case we will use HMAC-SHA256 for signing.

The payload part is a JSON object as well, containing all the claims inside this token; check the example shown in the snippet below:

{
  "unique_name": "SysAdmin",
  "sub": "SysAdmin",
  "role": [
    "Manager",
    "Supervisor"
  ],
  "iss": "http://myAuthZServer",
  "aud": "379ee8430c2d421380a713458c23ef74",
  "exp": 1414283602,
  "nbf": 1414281802
}

None of those claims is mandatory in order to build a JWT; you can read more about JWT claims here. In our case we will always use this set of claims in the JWTs we issue; those claims represent the below:

Lastly, the signature part of the JWT is created by taking the header and payload parts, base64url-encoding them, concatenating them with “.”, and then using the “alg” defined in the
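As an added example (not code from the original post, whose own implementation is C# on OWIN), the following Python carries the format just described through end to end: it base64url-encodes the header and payload, signs the two with HMAC-SHA256 under a secret chosen per audience, and on the Resource server side pins the expected algorithm, verifies the signature with a constant-time comparison, and only then enforces the iss, aud, exp and nbf claims. The audience ids and secrets in AUDIENCE_SECRETS are constructed placeholders, and the claims are the ones from the payload above. In a real deployment the Authorization server would hold the whole table while each Resource server holds only its own entry, which is what removes the need to share one key across all audiences, the problem described in the introduction.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: one HMAC secret per audience (Resource server), looked up by the
# audience id the Authorization server places in the "aud" claim. Ids and secrets here
# are placeholders, not real keys.
AUDIENCE_SECRETS = {
    "379ee8430c2d421380a713458c23ef74": b"placeholder-secret-for-first-audience",
    "5e3f1c9a2b7d4f8e9a0b1c2d3e4f5a6b": b"placeholder-secret-for-second-audience",
}

# Claims taken from the payload shown on the page.
SAMPLE_CLAIMS = {
    "unique_name": "SysAdmin",
    "sub": "SysAdmin",
    "role": ["Manager", "Supervisor"],
    "iss": "http://myAuthZServer",
    "aud": "379ee8430c2d421380a713458c23ef74",
    "exp": 1414283602,
    "nbf": 1414281802,
}


class InvalidToken(Exception):
    """Raised when a token fails any structural, signature or claim check."""


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without the trailing '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url_encode stripped.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(payload: dict) -> str:
    """Authorization server side: build header.payload.signature, signed with HS256."""
    header = {"typ": "JWT", "alg": "HS256"}
    secret = AUDIENCE_SECRETS[payload["aud"]]  # key selected per audience
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_jwt(token: str, expected_issuer: str, expected_audience: str, now: int = None) -> dict:
    """Resource server side: verify the signature first, then enforce iss/aud/exp/nbf."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three dot-separated parts")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise InvalidToken("malformed token") from exc
    # The verifier decides which algorithm is acceptable, never the token itself
    # (this also rejects "alg": "none").
    if header.get("typ") != "JWT" or header.get("alg") != "HS256":
        raise InvalidToken("unsupported header")
    if payload.get("aud") != expected_audience:
        raise InvalidToken("audience mismatch")
    secret = AUDIENCE_SECRETS.get(expected_audience)
    if secret is None:
        raise InvalidToken("no key configured for this audience")
    expected_sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):  # constant-time comparison
        raise InvalidToken("signature mismatch")
    # Only after the signature holds are the remaining claims trusted.
    if payload.get("iss") != expected_issuer:
        raise InvalidToken("issuer mismatch")
    if not isinstance(payload.get("nbf"), int) or payload["nbf"] > now:
        raise InvalidToken("token not yet valid")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise InvalidToken("token expired")
    return payload


def try_validate(token: str, expected_issuer: str, expected_audience: str, now: int):
    """Return ('ok', payload) or ('error', reason) instead of raising."""
    try:
        return ("ok", validate_jwt(token, expected_issuer, expected_audience, now))
    except InvalidToken as exc:
        return ("error", str(exc))


def altered_payload(token: str) -> str:
    """Constructed test helper: change a claim but keep the original signature, so the
    Resource server's signature check is what must catch the modification."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["role"] = ["Manager", "Supervisor", "Auditor"]
    new_payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return header_b64 + "." + new_payload_b64 + "." + signature_b64


if __name__ == "__main__":
    token = issue_jwt(SAMPLE_CLAIMS)
    print(token)
    # 1414282000 lies between the sample nbf and exp, so validation succeeds.
    print(try_validate(token, "http://myAuthZServer", SAMPLE_CLAIMS["aud"], now=1414282000))
```

The `now` parameter is passed explicitly so the sample claims from 2014 can be checked deterministically; in a server you would leave it at the default wall-clock time. Note the order of checks: the algorithm is pinned and the signature verified before any claim is acted on, and the audience check decides which key is used, so a token issued for one Resource server never verifies at another.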
Article link: http://soscw.com/essay/94266.html