OpenIddict token formats
JSON Web Tokens
OpenIddict 3.0 implements the JSON Web Token, JSON Web Signature and JSON Web Encryption standards and relies on the Azure Active Directory IdentityModel Extensions for .NET library, developed and maintained by Microsoft, to generate signed and encrypted tokens using the credentials registered in the server options.
JWT token types
To prevent token substitution and confused deputy attacks, OpenIddict 3.0 uses the standard typ JWT header to convey the actual token type. This mechanism replaces the private token_usage claim that was used for the same purpose in previous versions of OpenIddict.
As required by the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification, access tokens generated by OpenIddict 3.0 always carry a "typ": "at+jwt" header, while identity tokens still use "typ": "JWT" for backward compatibility. Other types of tokens, which are only accepted by OpenIddict's own endpoints, use a type prefixed with oi_.
Disabling JWT access token encryption
By default, OpenIddict enforces encryption for all the token types it supports. While this enforcement cannot be disabled for authorization codes, refresh tokens and device codes for security reasons, it can be relaxed for access tokens when integration with third-party APIs/resource servers is required. Access token encryption can also be disabled when the resource server receiving the access tokens doesn't fully support JSON Web Encryption.
```csharp
services.AddOpenIddict()
    .AddServer(options =>
    {
        options.DisableAccessTokenEncryption();
    });
```
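The typ header described above is what lets a resource server tell an access token apart from an identity token or an OpenIddict-internal token, and this matters most once access token encryption has been disabled for a third-party API. The following added example (not code from the OpenIddict project or its documentation) shows a resource server that uses Microsoft's JwtBearer handler instead of OpenIddict.Validation and pins the accepted token type to at+jwt; the authority URL and audience name are placeholders.

```csharp
// Added example, not part of the OpenIddict docs: a resource server that consumes the
// unencrypted (signed-only) access tokens produced after DisableAccessTokenEncryption()
// with the generic JwtBearer handler. Restricting ValidTypes to "at+jwt" rejects identity
// tokens ("typ": "JWT") and OpenIddict-internal tokens ("oi_"-prefixed types) that might
// otherwise be presented as access tokens (token substitution).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholder: the OpenIddict authorization server that issues the tokens.
        // Its discovery document supplies the signing keys used to check the signature.
        options.Authority = "https://auth.example.test/";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://auth.example.test/",   // placeholder issuer
            ValidateAudience = true,
            ValidAudience = "resource_server_1",          // placeholder audience/resource
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            // Only tokens whose "typ" header marks them as OAuth 2.0 access tokens are accepted.
            ValidTypes = new[] { "at+jwt" },
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Protected endpoint: a token with any other "typ" fails validation before reaching it.
app.MapGet("/api/resource", () => "ok").RequireAuthorization();
app.Run();
```

Resource servers that use the OpenIddict validation handler get the equivalent type check automatically; this explicit configuration is for the third-party resource server scenario the paragraph above describes.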
ASP.NET Core Data Protection
OpenIddict 3.0 can also be configured to use ASP.NET Core Data Protection to create Data Protection tokens instead of JWT tokens. ASP.NET Core Data Protection uses its own key ring to encrypt and protect tokens against tampering and is supported for all types of tokens, except identity tokens, that are always JWT tokens.
Unlike JWTs, ASP.NET Core Data Protection tokens only support symmetric encryption and rely on a binary format developed by the ASP.NET team rather than on a standard like JWT. While this prevents using such tokens in scenarios where interoperability is needed, opting for ASP.NET Core Data Protection rather than JWT actually has a few advantages:
- ASP.NET Core Data Protection tokens don't use a JSON representation and therefore are generally a bit shorter.
- ASP.NET Core Data Protection has been designed to achieve high throughput as it's natively used by ASP.NET Core for authentication cookies, antiforgery tokens and session cookies.
Warning
Despite its name, ASP.NET Core Data Protection is not tied to ASP.NET Core and can be used in any .NET Standard 2.0-compatible application, including legacy ASP.NET 4.6.1 (and higher) applications using Microsoft.Owin.
To enable ASP.NET Core Data Protection support in the OpenIddict OWIN server and validation hosts, you need to manually reference the OpenIddict.Server.DataProtection and OpenIddict.Validation.DataProtection packages.
Switching to Data Protection tokens
ASP.NET Core Data Protection support is provided by the OpenIddict.Server.DataProtection and OpenIddict.Validation.DataProtection packages. These packages are referenced by the OpenIddict.AspNetCore metapackage and therefore don't have to be referenced explicitly.
To enable ASP.NET Core Data Protection support, call options.UseDataProtection() in both the server and validation options:
```csharp
services.AddOpenIddict()
    .AddServer(options =>
    {
        options.UseDataProtection();
    })
    .AddValidation(options =>
    {
        options.UseDataProtection();
    });
```
Note
Switching to ASP.NET Core Data Protection tokens doesn't prevent JWT tokens issued before Data Protection support was enabled from being validated: existing tokens can still be used alongside newly issued ASP.NET Core Data Protection tokens until they expire. When sending a refresh token request containing a JWT refresh token, the application will receive an ASP.NET Core Data Protection refresh token and the previous one will be automatically marked as redeemed.
By default, enabling ASP.NET Core Data Protection support will automatically switch the token format from JWT to Data Protection for all types of tokens, except identity tokens (which, as noted above, are always JWT tokens). The OpenIddict/Data Protection integration can be configured to prefer JWT when creating new tokens, which can be useful when using the ASP.NET Core Data Protection format for specific token types only (e.g. for authorization codes and refresh tokens, but not for access tokens).
```csharp
services.AddOpenIddict()
    .AddServer(options =>
    {
        options.UseDataProtection()
               .PreferDefaultAccessTokenFormat()
               .PreferDefaultAuthorizationCodeFormat()
               .PreferDefaultDeviceCodeFormat()
               .PreferDefaultRefreshTokenFormat()
               .PreferDefaultUserCodeFormat();
    });
```
Warning
When the authorization and API/resource servers are not part of the same application, ASP.NET Core Data Protection MUST be configured to use the same application name and share the same key ring to allow the OpenIddict validation handler to read ASP.NET Core Data Protection tokens generated by an authorization server located in another project.
For more information, read Configuring ASP.NET Core Data Protection.