C# 在OWIN JWT OAuth中使用Clockskew的正确方法
我有一个使用以下软件包的应用程序C# 在OWIN JWT OAuth中使用Clockskew的正确方法,c#,asp.net,jwt,owin,C#,Asp.net,Jwt,Owin,我有一个使用以下软件包的应用程序 Autofac version="4.8.1" targetFramework="net471" Autofac.Owin version="4.2.0" targetFramework="net471" Autofac.WebApi2" version="4.2.0" targetFramework="net471" Autofac.WebApi2.Owin" version="4.0.0" targetFramework="net471" jose-jwt"
Autofac version="4.8.1" targetFramework="net471"
Autofac.Owin version="4.2.0" targetFramework="net471"
Autofac.WebApi2" version="4.2.0" targetFramework="net471"
Autofac.WebApi2.Owin" version="4.0.0" targetFramework="net471"
jose-jwt" version="2.4.0" targetFramework="net471"
Microsoft.AspNet.Cors" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Client" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Core" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Owin" version="5.2.6" targetFramework="net471"
Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="1.0.7" targetFramework="net471"
Microsoft.IdentityModel.Logging" version="5.2.4" targetFramework="net471"
Microsoft.IdentityModel.Tokens" version="5.2.4" targetFramework="net471"
Microsoft.Net.Compilers" version="2.1.0" targetFramework="net471"
Microsoft.Owin" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Cors" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Host.SystemWeb" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net471"
Newtonsoft.Json" version="11.0.2" targetFramework="net471"
Owin" version="1.0" targetFramework="net471"
Serilog" version="2.7.1" targetFramework="net471"
Swashbuckle.Core" version="5.6.0" targetFramework="net471"
System.IdentityModel.Tokens.Jwt" version="4.0.4.403061554" targetFramework="net471"
服务器正在颁发到期时间为20分钟的令牌
在资源服务器中,我有以下配置
TokenValidationParameters tokenValidationParameters = new
TokenValidationParameters()
{
ClockSkew = TimeSpan.FromSeconds(_allowedClockDriftSeconds),
IssuerSigningKey = ...
ValidateIssuer = true,
ValidateAudience = true,
RequireSignedTokens = true,
ValidIssuer = "...",
ValidAudience = "....",
};
app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { "ConsumerDataServices" },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{...},
TokenHandler = new JoseJwtTokenHandler(decryptionHandler, logger),
TokenValidationParameters = tokenValidationParameters,
});
身份验证服务器正在将令牌作为JWE令牌发布。JoseJwtTokenHandler正在重写ReadToken以解密并返回JWT令牌
20分钟内一切正常。我可以在principal.Identity的AuthorizationFilterAttribute中看到我的声明。但20分钟后,authorization停止作为principal.Identity.IsAuthenticated的工作,设置为false,声明为空。在调试时,我可以看到JoseJwtTokenHandler工作正常
在我的日志中,我可以看到以下内容
Microsoft.Owin.Security.OAuth.OAuthBeareAuthenticationMiddleware警告:0:收到过期的承载令牌
查看Microsoft.Owin.Security.OAuth.OAuthBeareAuthenticationHandler的代码
DateTimeOffset currentUtc = this.Options.SystemClock.UtcNow;
if (ticket.Properties.ExpiresUtc.HasValue && ticket.Properties.ExpiresUtc.Value < currentUtc)
{
this._logger.WriteWarning("expired bearer token received");
return (AuthenticationTicket) null;
}
DateTimeOffset currentUtc=this.Options.SystemClock.UtcNow;
if(ticket.Properties.ExpiresUtc.HasValue&&ticket.Properties.ExpiresUtc.Value
看起来OAuthBeareAuthenticationHandler忽略了时钟偏移
我花了很多时间在这上面,但没能让它工作。我现在做的看起来还好吗?如果不是,正确的方法是什么?我刚刚用JWT oAuth 2.0实现了OWIN。调试后我遇到了同样的问题,我知道我没有设置令牌颁发者服务器的过期时间。默认情况下,其时间仅为20分钟。请将OAuthServerOptions中的AccessTokenExpireTimeSpan设置为您所需的时间,然后这将作为一个符咒工作。下面是我的代码片段,希望对您有所帮助
public void ConfigureOAuth(IAppBuilder app)
{
var authuri = ConfigurationManager.AppSettings["AuthURL"];
var timeout = Convert.ToInt32(ConfigurationManager.AppSettings["SessionTimeOut"]);
var AllowInsecureHttp = Convert.ToBoolean(ConfigurationManager.AppSettings["AllowInsecureHttp"]);
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
//Todo by Hasan : For Dev enviroment only (on production should be AllowInsecureHttp = false)
AllowInsecureHttp = AllowInsecureHttp,
TokenEndpointPath = new PathString("/oauth2/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(timeout),
Provider = new CustomOAuthProvider(),
AccessTokenFormat = new CustomJwtFormat(authuri)
};
// OAuth 2.0 Bearer Access Token Generation
app.UseOAuthAuthorizationServer(OAuthServerOptions);
}
如果我不理解某些内容,请原谅,但是如果您只分配了一个生命周期为20分钟的令牌,那么令牌是否应该在20分钟后停止工作?
\u allowedClockDriftSeconds
的值是多少,这样您就可以期望令牌不会过期?这是为了在身份验证服务器和资源服务器时钟之间留出一定的差异。由于这是两台不同的机器,时钟可能不同步。Clockskew将允许令牌工作,即使两个时钟存在一些差异。使用clock skew token,其实际vaid生存期为issuetime clock skew to Expiration time+clock skew,现在测试时设置为600秒。