
OpenIddict token formats

Note

In OpenIddict 3.0, the ability to revoke a token is not tied to the token format and doesn't require enabling reference tokens: regular JWT or ASP.NET Core Data Protection tokens can be revoked as long as token storage is not explicitly disabled in the server options.

For more information about reference tokens, read Token storage.

JSON Web Token

OpenIddict 3.0 implements the JSON Web Token, JSON Web Signature and JSON Web Encryption standards and relies on the Azure Active Directory IdentityModel Extensions for .NET library, developed and maintained by Microsoft, to generate signed and encrypted tokens using the signing and encryption credentials registered in the server options.

JWT token type

To prevent token substitution and confused deputy attacks, OpenIddict 3.0 uses the standard typ JWT header to convey the actual token type. This mechanism replaces the private token_usage claim that was used for the same purpose in previous versions of OpenIddict.

As required by the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification, access tokens produced by OpenIddict 3.0 always carry a "typ": "at+jwt" header, while identity tokens still use "typ": "JWT" for backward compatibility. The other types of tokens, which are only accepted by OpenIddict's own endpoints, use a type prefixed with oi_. A resource server that checks the typ header can therefore reject an identity token, or one of these internal tokens, presented to it as a bearer access token.

Disabling JWT access token encryption

By default, OpenIddict enforces encryption for all the token types it supports. While this enforcement cannot be disabled for authorization codes, refresh tokens and device codes for security reasons, it can be relaxed for access tokens when integration with third-party APIs/resource servers is desired. Access token encryption can also be disabled if the resource server receiving the access token doesn't fully support JSON Web Encryption. Disabling it only removes the JWE layer: access tokens remain signed, but their claims become readable by any party holding the token, so avoid placing sensitive data in them.

services.AddOpenIddict()
    .AddServer(options =>
    {
        options.DisableAccessTokenEncryption();
    });
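The following is an added example, not code from the OpenIddict documentation or project. It ties the two previous points together from the resource server's side: it issues test tokens with different typ headers using a constructed HMAC key (standing in for the credentials registered in the server options), accepts only "at+jwt" through TokenValidationParameters.ValidTypes, and shows that once encryption is disabled the claims of an access token can be read without any key. The issuer, audience, key and the oi_example+jwt type are placeholders; the code uses the Microsoft.IdentityModel.JsonWebTokens package that OpenIddict itself builds on.

```csharp
using System;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Added example, not part of the OpenIddict documentation or code base.
// Requires the Microsoft.IdentityModel.JsonWebTokens NuGet package.
public static class AccessTokenTypeDemo
{
    // Constructed test material standing in for the signing credentials an
    // authorization server would register; never reuse a fixed key like this.
    static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef"));
    const string Issuer = "https://auth.example/";        // assumed value
    const string Audience = "resource_server_example";    // assumed value

    // Issues a signed but unencrypted JWT (a JWS), which is what a resource
    // server receives once access token encryption has been disabled.
    public static string IssueToken(string typ)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            TokenType = typ, // written to the "typ" JOSE header
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256)
        };
        return new JsonWebTokenHandler().CreateToken(descriptor);
    }

    // Resource-server side: besides issuer, audience, lifetime and signature,
    // pin the token type to the RFC 9068 value so an identity token or an
    // OpenIddict-internal (oi_-prefixed) token cannot be replayed as a bearer token.
    public static TokenValidationResult ValidateAsAccessToken(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = SigningKey,
            ValidTypes = new[] { "at+jwt" },
            ClockSkew = TimeSpan.FromSeconds(30)
        };
        return new JsonWebTokenHandler().ValidateToken(token, parameters);
    }

    public static void Main()
    {
        // "oi_example+jwt" is a constructed stand-in for the oi_-prefixed types
        // OpenIddict uses for tokens that only its own endpoints should accept.
        foreach (var typ in new[] { "at+jwt", "JWT", "oi_example+jwt" })
        {
            var result = ValidateAsAccessToken(IssueToken(typ));
            Console.WriteLine(result.IsValid
                ? $"typ={typ}: accepted"
                : $"typ={typ}: rejected ({result.Exception.GetType().Name})");
        }

        // Without the JWE layer the payload is only base64url-encoded, so any
        // holder of the token can read its claims without validating anything.
        var unverified = new JsonWebToken(IssueToken("at+jwt"));
        Console.WriteLine($"sub read without any key: {unverified.GetPayloadValue<string>("sub")}");
    }
}
```

Only the first token passes validation; the other two fail the type check even though their signatures are valid, which is exactly the substitution the typ header is meant to stop. The last line is the reason the page restricts DisableAccessTokenEncryption() to access tokens: a signed-only token protects integrity, not confidentiality.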

ASP.NET Core Data Protection

OpenIddict 3.0 can also be configured to use ASP.NET Core Data Protection to create Data Protection tokens instead of JWT tokens. ASP.NET Core Data Protection uses its own key ring to encrypt and protect tokens against tampering and is supported for all types of tokens, except identity tokens, which are always JWT tokens.

Unlike JWTs, ASP.NET Core Data Protection tokens only support symmetric encryption and rely on a binary format developed by the ASP.NET team rather than on a standard like JWT. While this prevents using such tokens in scenarios where interoperability is needed, opting for ASP.NET Core Data Protection rather than JWT actually has a few advantages:

  • ASP.NET Core Data Protection tokens don't use a JSON representation and therefore are generally a bit shorter.
  • ASP.NET Core Data Protection has been designed to achieve high throughput as it's natively used by ASP.NET Core for authentication cookies, antiforgery tokens and session cookies.
Warning

Despite its name, ASP.NET Core Data Protection is not tied to ASP.NET Core and can be used in any .NET Standard 2.0-compatible application, including legacy ASP.NET 4.6.1 (and higher) applications using Microsoft.Owin.

To enable ASP.NET Core Data Protection support in the OpenIddict OWIN server and validation hosts, you need to manually reference the OpenIddict.Server.DataProtection and OpenIddict.Validation.DataProtection packages.

Switching to Data Protection tokens

ASP.NET Core Data Protection support is provided by the OpenIddict.Server.DataProtection and OpenIddict.Validation.DataProtection packages. These packages are referenced by the OpenIddict.AspNetCore metapackage and therefore don't have to be referenced explicitly.

To enable ASP.NET Core Data Protection support, call options.UseDataProtection() in both the server and validation options:

services.AddOpenIddict()
    .AddServer(options =>
    {
        options.UseDataProtection();
    })

    .AddValidation(options =>
    {
        options.UseDataProtection();
    });
Note

Switching to ASP.NET Core Data Protection tokens doesn't prevent JWT tokens issued before Data Protection support was enabled from being validated: existing tokens can still be used alongside newly issued ASP.NET Core Data Protection tokens until they expire. When sending a refresh token request containing a JWT refresh token, the application will receive an ASP.NET Core Data Protection refresh token and the previous one will be automatically marked as redeemed.

By default, enabling ASP.NET Core Data Protection support automatically switches the token format from JWT to Data Protection for all types of tokens, except identity tokens, which are always JWT tokens. The OpenIddict/Data Protection integration can be configured to prefer the default JWT format when creating new tokens, which is useful when the ASP.NET Core Data Protection format is wanted for specific token types only (e.g. for authorization codes and refresh tokens, but not for access tokens):

services.AddOpenIddict()
    .AddServer(options =>
    {
        options.UseDataProtection()
               // Each call below keeps the default (JWT) format for one token
               // type; call only the ones for the token types you want to
               // exclude from Data Protection. All five are listed here for
               // reference; calling all of them leaves no token type using
               // the Data Protection format.
               .PreferDefaultAccessTokenFormat()
               .PreferDefaultAuthorizationCodeFormat()
               .PreferDefaultDeviceCodeFormat()
               .PreferDefaultRefreshTokenFormat()
               .PreferDefaultUserCodeFormat();
    });
Warning

When the authorization and API/resource servers are not part of the same application, ASP.NET Core Data Protection MUST be configured to use the same application name and share the same key ring to allow the OpenIddict validation handler to read ASP.NET Core Data Protection tokens generated by an authorization server located in another project.

For more information, read Configure ASP.NET Core Data Protection.
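The wiring below is an added example, not the page's or the project's own code. It applies one Data Protection configuration (a single application name and a single persisted key ring, encrypted with a certificate) in both the authorization-server project and the resource-server project, and switches OpenIddict's server and validation builders to Data Protection tokens on top of it. The application name, key ring path, issuer, audience and the certificate passed in are placeholders; it assumes the OpenIddict.AspNetCore metapackage (which, as noted above, already brings in the Data Protection integrations) and Microsoft.AspNetCore.DataProtection.

```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Added example, not part of the OpenIddict documentation or code base.
// Shows the Data Protection settings that must be identical in the two
// projects for Data Protection tokens issued by one to be readable by the other.
public static class SharedDataProtectionSetup
{
    // Placeholders; what matters is that BOTH projects use the same values.
    const string ApplicationName = "example-openiddict";                        // assumed
    static readonly DirectoryInfo KeyRingDirectory =
        new DirectoryInfo(@"\\fileserver\openiddict-keyring");                  // assumed

    // Shared by both projects. SetApplicationName gives both apps the same
    // application discriminator, so protectors built with the same purposes
    // derive the same subkeys; PersistKeysToFileSystem points both at the same
    // key ring; ProtectKeysWithCertificate keeps the master keys on that share
    // encrypted at rest (on a UNC share they would otherwise be stored in clear).
    static IDataProtectionBuilder AddSharedDataProtection(
        IServiceCollection services, X509Certificate2 keyEncryptionCertificate)
    {
        return services.AddDataProtection()
            .SetApplicationName(ApplicationName)
            .PersistKeysToFileSystem(KeyRingDirectory)
            .ProtectKeysWithCertificate(keyEncryptionCertificate);
    }

    // Authorization server project: issue Data Protection tokens.
    public static void ConfigureAuthorizationServer(
        IServiceCollection services, X509Certificate2 keyEncryptionCertificate)
    {
        AddSharedDataProtection(services, keyEncryptionCertificate);

        services.AddOpenIddict()
            .AddServer(options =>
            {
                // Flows, endpoints, signing/encryption credentials and the
                // ASP.NET Core host are configured here as usual (omitted).
                options.UseDataProtection();
            });
    }

    // Resource server project: read the Data Protection tokens produced by
    // the authorization server above.
    public static void ConfigureResourceServer(
        IServiceCollection services, X509Certificate2 keyEncryptionCertificate)
    {
        AddSharedDataProtection(services, keyEncryptionCertificate);

        services.AddOpenIddict()
            .AddValidation(options =>
            {
                options.SetIssuer("https://auth.example/");       // assumed
                options.AddAudiences("resource_server_example");   // assumed
                options.UseDataProtection();
                // Still needed to reach the server's discovery document so
                // JWT access tokens issued before the switch keep validating.
                options.UseSystemNetHttp();
                options.UseAspNetCore();
            });
    }
}
```

If the application names differ, or the validation project reads a different key ring, unprotecting the token fails with a CryptographicException and the request is rejected as carrying an invalid token, with no further detail available to the caller. Key rotation needs no extra work: Data Protection rotates master keys in the shared ring on its default 90-day schedule and every consumer of the ring sees the new keys.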
