0

WIFを有効にしてAzureでMVC4サイトを実行し、Wif.SWTdllを使用してacsからのswtトークンを使用します。

<microsoft.identityModel>
<service saveBootstrapTokens="true">
  <audienceUris>
    <!--<add value="http://traffictheory.cloudapp.net/" />-->
    <add value="" />
  </audienceUris>
  <issuerNameRegistry type="Microsoft.IdentityModel.Swt.SwtIssuerNameRegistry, Wif.Swt">
    <trustedIssuers>
      <add thumbprint="033F53598E4ED92E51C07238E36BBFF4E67ABAD2" name="https://traffictheory.accesscontrol.windows.net/" />
    </trustedIssuers>
  </issuerNameRegistry>
  <claimsAuthenticationManager type="S_Innovations.TrafficTheory.Web.Security.TrafficTheoryClaimsAuthenticationManager, S-Innovations.TrafficTheory.Web.Security" />
  <federatedAuthentication>
    <cookieHandler requireSsl="false" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://traffictheory.accesscontrol.windows.net/v2/wsfederation" realm="/" reply="/" requireHttps="false" />
  </federatedAuthentication>
  <certificateValidation certificateValidationMode="None" />
  <securityTokenHandlers>
        <add type="Microsoft.IdentityModel.Swt.SwtSecurityTokenHandler, Wif.Swt" />
    </securityTokenHandlers>
    <issuerTokenResolver type="Microsoft.IdentityModel.Swt.SwtIssuerTokenResolver, Wif.Swt" />
  <!--<serviceCertificate>
    <certificateReference findValue="‎417DE8DCA4326B845C189BDE0990673433435524" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
  </serviceCertificate>-->    
</service>

クライアントに返されるトークンは

var token = HttpContext.Current.User.BootstrapToken();

そしてそれは私が言うことができるものからのhtmlエンコードされたクエリ文字列またはnamevalueコレクションのように見えます。

私は試しました:(クライアントはWindows8ストアアプリのhttpClientです)

client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", token);

client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", System.Net.WebUtility.HtmlDecode(token));

Add("Authorization", string.Format("WRAP access_token=\"{0}\"", token))

そして私はアイデアがありません。

webapiサイトはリクエストを認証しません。FederatedAuthentication.WSFederationAuthenticationModule.AuthorizationFailedはトリガーセットです。

これはトークンに含まれるものです。

http%3a%2f%2fschemas.xmlsoap.org%2fws%2f2005%2f05%2fidentity%2fclaims%2fnameidentifier=HM81Sv2xnRD6P%2bm2W2T%2feBAfAhH2ZTMMxSBBOQ1Rxqs%3d&http%3a%2f%2fschemas.microsoft.com%2faccesscontrolservice%2f2010%2f07%2fclaims%2fidentityprovider=uri%3aWindowsLiveID&Audience=http%3a%2f%2f77.75.160.102%3a48451%2f&ExpiresOn=1348778300&Issuer=https%3a%2f%2ftraffictheory.accesscontrol.windows.net%2f&HMACSHA256=C7D9CvmEeGy1xHXFV3WqPn7L9Zm%2bwoXt8Z8IUf0tgmI%3d

そしてこれは私が私のクライアントに持っているものです:

http://77.55.160.102:48451/api/federation/end?acsToken=http%3a%2f%2fschemas.xmlsoap.org%2fws%2f2005%2f05%2fidentity%2fclaims%2fnameidentifier=HM81Sv2xnRD6P%2bm2W2T%2feBAfAhH2ZTMMxSBBOQ1Rxqs%3d&http%3a%2f%2fschemas.microsoft.com%2faccesscontrolservice%2f2010%2f07%2fclaims%2fidentityprovider=uri%3aWindowsLiveID&Audience=http%3a%2f%2f77.75.160.102%3a48451%2f&ExpiresOn=1348787731&Issuer=https%3a%2f%2ftraffictheory.accesscontrol.windows.net%2f&HMACSHA256=xZT%2blbcV9WSPaJQ2XdEP5gkNJi6ZIp%2fxGveDAllXU7w%3d

これはACSがMVCコントローラーに返すものです。

wa=wsignin1.0&wresult=%3Ct%3ARequestSecurityTokenResponse+xmlns%3At%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%3E%3Ct%3ALifetime%3E%3Cwsu%3ACreated+xmlns%3Awsu%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%22%3E2012-09-27T23%3A08%3A11.285Z%3C%2Fwsu%3ACreated%3E%3Cwsu%3AExpires+xmlns%3Awsu%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%22%3E2012-09-27T23%3A18%3A11.285Z%3C%2Fwsu%3AExpires%3E%3C%2Ft%3ALifetime%3E%3Cwsp%3AAppliesTo+xmlns%3Awsp%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%22%3E%3CEndpointReference+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%22%3E%3CAddress%3Ehttp%3A%2F%2F77.75.160.102%3A48451%2F%3C%2FAddress%3E%3C%2FEndpointReference%3E%3C%2Fwsp%3AAppliesTo%3E%3Ct%3ARequestedSecurityToken%3E%3Cwsse%3ABinarySecurityToken+wsu%3AId%3D%22uuid%3Acb218b5b-62df-47bc-85d4-0d765c13db39%22+ValueType%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2009%2F11%2Fswt-token-profile-1.0%22+EncodingType%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-soap-message-security-1.0%23Base64Binary%22+xmlns%3Awsu%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%22+xmlns%3Awsse%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-secext-1.0.xsd%22%3EaHR0cCUzYSUyZiUyZnNjaGVtYXMueG1sc29hcC5vcmclMmZ3cyUyZjIwMDUlMmYwNSUyZmlkZW50aXR5JTJmY2xhaW1zJTJmbmFtZWlkZW50aWZpZXI9SE04MVN2MnhuUkQ2UCUyYm0yVzJUJTJmZUJBZkFoSDJaVE1NeFNCQk9RMVJ4cXMlM2QmaHR0cCUzYSUyZiUyZnNjaGVtYXMubWljcm9zb2Z0LmNvbSUyZmFjY2Vzc2NvbnRyb2xzZXJ2aWNlJTJmMjAxMCUyZjA3JTJmY2xhaW1zJTJmaWRlbnRpdHlwcm92aWRlcj11cmklM2FXaW5kb3dzTGl2ZUlEJkF1ZGllbmNlPWh0dHAlM2ElMmYlMmY3Ny43NS4xNjAuMTAyJTNhNDg0NTElMmYmRXhwaXJlc09uPTEzNDg3ODc4OTEmSXNzdWVyPWh0dHBzJTNhJTJmJTJmdHJhZmZpY3RoZW9yeS5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0JTJmJkhNQUNTSEEyNTY9OXB6Uk00UmxsSDZUU091dlNkYktpb0x2UjQzZlhIaTB6OWEzQVZ0dXNHcyUzZA%3D%3D%3C%2Fwsse%3ABinarySecurityToken%3E%3C%2Ft%3ARequestedSecurityToken%3E%3Ct%3ATokenType%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2009%2F11%2Fswt-token-profile-1.0%3C%2Ft%3ATokenType%3E%3Ct%3ARequestType%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%3C%2Ft%3ARequestType%3E%3Ct%3AKeyType%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2FNoProofKey%3C%2Ft%3AKeyType%3E%3C%2Ft%3ARequestSecurityTokenResponse%3E

更新ソリューションsimpelトークンの認証部分。

public static class WebApiConfig {public static void Register(HttpConfiguration config){GlobalConfiguration.Configuration.MessageHandlers.Add(new OAuthAuthenticationHandler()); // GlobalConfiguration.Configuration.MessageHandlers.Add(new TokenValidationHandler());

    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "api/{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );
}

}

    /// <summary>
    /// Authenticates the ongoing request using Windows Identity Foundation and 
    /// SimpleWebToken (wif.swf). Grabs the token from the header and performs the authentication.
    /// </summary>
public class OAuthAuthenticationHandler : MessageProcessingHandler
{
    ServiceConfiguration _serviceConfiguration;

    public ServiceConfiguration ServiceConfiguration
    {
        get
        {
            if (_serviceConfiguration == null)
                _serviceConfiguration = new ServiceConfiguration();

            if (!_serviceConfiguration.IsInitialized)
                _serviceConfiguration.Initialize();

            return _serviceConfiguration;
        }
    }

    protected override HttpRequestMessage ProcessRequest(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        try
        {
            var token = ExtractTokenFromHeader(request);

            if (token != null)
            {
                var identities = ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token);
                var principal = ClaimsPrincipal.CreateFromIdentities(identities);

               // request.SetUserPrincipal(principal);
                Thread.CurrentPrincipal = principal;
                HttpContext.Current.User = principal;
            }
        }
        catch (InvalidSecurityTokenException)
        {
            throw new HttpException((int)System.Net.HttpStatusCode.Unauthorized, "The authorization header was invalid");
        }

        return request;
    }

    protected override HttpResponseMessage ProcessResponse(HttpResponseMessage response, CancellationToken cancellationToken)
    {
        return response;
    }

    static SimpleWebToken ExtractTokenFromHeader(HttpRequestMessage request)
    {
        var authorizationHeader = request.Headers.Authorization;

        if (authorizationHeader != null && authorizationHeader.Scheme == "OAuth")
            return new SimpleWebToken(authorizationHeader.Parameter);

        return null;
    }
}
4

1 に答える 1

1

WIF SWTパッケージは、Authorizationヘッダーを使用して要求を処理せずWSFederationAuthenticationModule、WS-Federationプロトコルを理解するで使用されるSWTハンドラーを構成するだけです。WS-Fedプロトコルは、HTTPPOSTのwresultパラメーターからトークンを取得することを想定しています。これには、要素wresultで始まるXMLが含まれます。<RequestSecurityTokenResponseCollection>その要素の中には、base64でエンコードされたSWTセキュリティトークンがあります。NuGetパッケージのトークンハンドラーは、それをデコードして検証し、に変換しClaimsPrincipalます。BootstrapTokenまた、メソッドを使用してそのトークンにアクセスすることもできます。

つまり、Web APIの場合DelegatingHandler、プロトコルが異なるため(POSTとヘッダー付きのGET)、WSFederationモジュールではなくを使用して認証を処理する必要があります。

これを見てください: https ://github.com/wadewegner/ValidateACSTokenWebAPI/blob/master/WebAPI/TokenValidationHandler.cs

編集:元の質問には別の実装がありますが、それはほぼ同じアプローチです。

于 2012-09-28T05:26:09.970 に答える