Mic*_*iey 8 wcf wif jwt identityserver3
我们正在使用IdentityServer3,并且到目前为止对它非常满意.
在MS和Thinktecture OWIN中间件的帮助下,我们可以非常轻松地保护MVC和ASP.NET Web API应用程序.
我们正在为之工作的客户端仍然有很多SOAP WCF服务,而这正是我们陷入困境的地方.
我不会撒谎,我远没有体验过WCF,我只是将它用于非常基本的场景 - 理解basicHttpBinding,没有传输,也没有消息安全.
这就是我想要实现的目标:
我无法完成第三步.
ws2007FederationHttpBinding与TransportWithMessageCredential安全模式.消息包含a BearerKey且令牌属于类型urn:ietf:params:oauth:token-type:jwtJwtSecurityTokenHandler了System.IdentityModel.Tokens.JwtNuGet包BinarySecurityTokenXML元素中,它本身包含在一个GenericXmlSecurityElementCreateChannelWithIssuedToken的ChannelFactory该标记位于SOAP标头中并传递给JwtSecurityTokenHandler.
但随后会抛出异常:
System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.IndexOutOfRangeException: Index was outside the bounds of the array.
at System.Xml.XmlBufferReader.GetChars(Int32 offset, Int32 length, Char[] chars)
at System.Xml.XmlBufferReader.GetString(Int32 offset, Int32 length)
at System.Xml.StringHandle.GetString()
at System.Xml.XmlBaseReader.ReadEndElement()
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
--- End of inner exception stack trace ---
在JustDecompiling之后,当进一步读取SOAP标头中的XML元素时,看起来有一个错误.奇怪的是,令牌是最后一个元素.这是整个消息的样子:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IService/GetListOfStrings</a:Action>
<a:MessageID>urn:uuid:5c22d4e2-f9b8-451a-b4ca-a844f41f7231</a:MessageID>
<ActivityId CorrelationId="554fc496-7c47-4063-9539-d25606f186b0" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">1213dcd7-55b7-4153-8a6d-92e0922f76dd</ActivityId>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo90CpMlUwLBOmEPkZ5C8fRQAAAAAVWkkf2rJS0qImBv+Yx1recUXdbBLjThDkAMkwfW3/2AACQAA</VsDebuggerCausalityData>
<a:To s:mustUnderstand="1">https://localhost.fiddler:44322/Service.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2015-05-21T06:41:45.362Z</u:Created>
<u:Expires>2015-05-21T06:46:45.362Z</u:Expires>
</u:Timestamp>
<wsse:BinarySecurityToken ValueType="urn:ietf:params:oauth:token-type:jwt" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><!-- Removed --></wsse:BinarySecurityToken>
</o:Security>
</s:Header>
<s:Body>
<GetListOfStrings xmlns="http://tempuri.org/" />
</s:Body>
</s:Envelope>
看起来不像有什么不正确的东西.从堆栈跟踪中,读取</o:Security>结束元素时必须抛出异常,因为正确读取和处理了令牌.
我分叉了样品回购,所以你可以看看你是否愿意.以下是相关的项目:
SelfHost (Minimal)在sources文件夹中.这是STSClients解决方案中,WCF服务位于APIs文件夹中Clients解决方案中,WCF客户端是Console Client Credentials With Wcf项目启动它的最佳方法是首先启动STS,然后Right click -> Debug -> Start new instance启动WCF服务,然后在WCF客户端启动STS .
提前致谢!
我没有解决这个问题,但IdentityServer的开发人员之一Dominick Baier找到了解决方法.
他认为异常来自WCF中的错误或WCF与之间的不兼容JwtSecurityTokenHandler.由于他认为WCF 已经完成,他不希望有人看一看.
他的解决方案是将JWT令牌包装在SAML令牌中.然后,通过子类化SamlSecurityTokenHandler,将其取回并根据实例验证它JwtSecurityTokenHandler.
以下是链接:
现在每个人都玩得开心:-)
| 归档时间: |
|
| 查看次数: |
6953 次 |
| 最近记录: |