Manually decode an OAuth bearer token in C#

In my Web API 2.2 OWIN-based application I have a situation where I need to decode the bearer token manually, but I don't know how to do it. This is my startup.cs:

    public class Startup
    {
        public static OAuthAuthorizationServerOptions OAuthServerOptions { get; private set; }
        public static UnityContainer IoC;

        public void Configuration(IAppBuilder app)
        {
            //Set Auth configuration
            ConfigureOAuth(app);
            //....and other stuff
        }

        public void ConfigureOAuth(IAppBuilder app)
        {
            OAuthServerOptions = new OAuthAuthorizationServerOptions()
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
                Provider = new AuthProvider(IoC.Resolve(), IoC.Resolve())
            };

            // Token Generation
            app.UseOAuthAuthorizationServer(OAuthServerOptions);
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        }
    }

In my controller I send the bearer token as a parameter:

    [RoutePrefix("api/EP")]
    public class EPController : MasterController
    {
        [HttpGet]
        [AllowAnonymous]
        [Route("DC")]
        public async Task GetDC(string token)
        {
            //Get the claim identity from the token here
            //Startup.OAuthServerOptions...
            //..and other stuff
        }
    }

How do I manually decode the token that is passed as a parameter and get the claims from it?

Note: I know I can send the token in the header and use [Authorize] and (ClaimsIdentity)User.Identity etc., but the question is how to read the token when it is not present in the header.

I created a sample project for deserializing bearer tokens; it uses MachineKeyDataProtector for encryption. You can look at the source code.

Bearer-Token-Deserializer

Just putting this here for others who come across it in future. The solution found at https://long2know.com/2015/05/decrypting-owin-authentication-ticket/ is simpler.

Just 2 lines:

    using System;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.DataHandler;
    using Microsoft.Owin.Security.DataProtection;
    using Microsoft.Owin.Security.OAuth;

    // Unprotect returns null when the token is malformed, was tampered with, or was
    // protected with a different machine key or purpose strings.
    var secureDataFormat = new TicketDataFormat(new MachineKeyProtector());
    AuthenticationTicket ticket = secureDataFormat.Unprotect(accessToken);

    private class MachineKeyProtector : IDataProtector
    {
        // Must match the purposes the OAuth server middleware used when it protected
        // the access token, otherwise MachineKey.Unprotect fails.
        private readonly string[] _purpose =
        {
            typeof(OAuthAuthorizationServerMiddleware).Namespace,
            "Access_Token",
            "v1"
        };

        public byte[] Protect(byte[] userData)
        {
            // Only decoding is needed here; token issuance stays with the middleware.
            throw new NotImplementedException();
        }

        public byte[] Unprotect(byte[] protectedData)
        {
            return System.Web.Security.MachineKey.Unprotect(protectedData, _purpose);
        }
    }
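Unprotecting the ticket (whether through the question's Startup.OAuthServerOptions or through the MachineKeyProtector above) only proves that the token was produced by this server and has not been altered; it does not check that the token is still valid. The bearer middleware performs the expiry check itself for header-borne tokens, so a manual decoder has to repeat it. The following is an added example, not code from the question or from either answer. It assumes that the OAuth server middleware has filled in Startup.OAuthServerOptions.AccessTokenFormat (Katana does this when AccessTokenFormat is left null in the options), that the controller derives from ApiController rather than the question's MasterController, and that the names ManualTokenReader and TryRead are hypothetical. Keep in mind that a token passed as a query-string parameter ends up in server, proxy and browser history logs, which is one reason the header is the usual place for it.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security;

// Added example (hypothetical type). Wraps any ISecureDataFormat<AuthenticationTicket>:
// Startup.OAuthServerOptions.AccessTokenFormat, or new TicketDataFormat(new MachineKeyProtector())
// from the answer above.
public sealed class ManualTokenReader
{
    private readonly ISecureDataFormat<AuthenticationTicket> _format;
    private readonly Func<DateTimeOffset> _clock;

    public ManualTokenReader(ISecureDataFormat<AuthenticationTicket> format, Func<DateTimeOffset> clock = null)
    {
        if (format == null) throw new ArgumentNullException("format");
        _format = format;
        _clock = clock ?? (() => DateTimeOffset.UtcNow);
    }

    // Returns the identity carried by the token, or null with a reason when the token
    // must not be trusted.
    public ClaimsIdentity TryRead(string token, out string failureReason)
    {
        failureReason = null;
        if (string.IsNullOrWhiteSpace(token))
        {
            failureReason = "no token supplied";
            return null;
        }

        // Unprotect returns null for a malformed, tampered or foreign-key token; it never
        // throws, so a null check is the integrity check.
        AuthenticationTicket ticket = _format.Unprotect(token);
        if (ticket == null || ticket.Identity == null)
        {
            failureReason = "token could not be decrypted or validated";
            return null;
        }

        // Integrity is not validity: enforce the ExpiresUtc the server stamped into the ticket,
        // exactly as OAuthBearerAuthenticationMiddleware does for Authorization headers.
        DateTimeOffset? expiresUtc = ticket.Properties.ExpiresUtc;
        if (expiresUtc.HasValue && expiresUtc.Value < _clock())
        {
            failureReason = "token expired at " + expiresUtc.Value.ToString("o");
            return null;
        }

        return ticket.Identity;
    }
}

[RoutePrefix("api/EP")]
public class EPController : ApiController
{
    [HttpGet]
    [AllowAnonymous]
    [Route("DC")]
    public IHttpActionResult GetDC(string token)
    {
        // Assumption: Startup.OAuthServerOptions is the static property from the question and
        // the middleware has populated its AccessTokenFormat.
        var reader = new ManualTokenReader(Startup.OAuthServerOptions.AccessTokenFormat);

        string reason;
        ClaimsIdentity identity = reader.TryRead(token, out reason);
        if (identity == null)
        {
            // Log 'reason' server-side only; the client just sees 401, and the token is never echoed back.
            return Unauthorized();
        }

        var claims = identity.Claims.Select(c => new { c.Type, c.Value }).ToList();
        return Ok(new { name = identity.Name, claims });
    }
}
```

The clock is injectable so that the expiry branch can be exercised in a unit test with a fixed DateTimeOffset instead of waiting for a real token to age out.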

You can read the JWT and create Principal and Identity objects with the System.IdentityModel.Tokens.Jwt package – https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/

Here is a quick example that shows the options available when reading and validating the token:

    using System.IdentityModel.Tokens;
    using System.Linq;
    using System.Security.Claims;
    using System.Security.Cryptography.X509Certificates;

    private ClaimsIdentity GetIdentityFromToken(string token, X509Certificate2 certificate)
    {
        var tokenDecoder = new JwtSecurityTokenHandler();
        // ReadToken only parses the compact JWT; it does not verify anything.
        var jwtSecurityToken = (JwtSecurityToken)tokenDecoder.ReadToken(token);
        SecurityToken validatedToken;
        var principal = tokenDecoder.ValidateToken(
            jwtSecurityToken.RawData,
            // Every check is switched off below, so the returned identity comes from an
            // unverified token: signature, issuer, audience and lifetime are not examined.
            new TokenValidationParameters()
            {
                ValidateActor = false,
                ValidateIssuer = false,
                ValidateAudience = false,
                ValidateLifetime = false,
                ValidateIssuerSigningKey = false,
                RequireExpirationTime = false,
                RequireSignedTokens = false,
                IssuerSigningToken = new X509SecurityToken(certificate)
            },
            out validatedToken);
        return principal.Identities.FirstOrDefault();
    }
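The method above lists the switches but turns all of them off, so whatever it returns is as trustworthy as the raw string it was given. For contrast, here is an added example (not from the answer) with the same JwtSecurityTokenHandler and the same 4.x-era API surface (IssuerSigningToken with an X509SecurityToken), this time with signature, issuer, audience and lifetime checks enabled and the individual failure modes reported separately. The type name JwtReader, the method names, and the issuer and audience parameters are hypothetical; in the 5.x package these types live in Microsoft.IdentityModel.Tokens and the signing key is supplied as an X509SecurityKey instead, which is an assumption about that later version, not something this answer covers.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical type). Targets System.IdentityModel.Tokens.Jwt 4.x like the answer.
public static class JwtReader
{
    // Returns the identity only when signature, issuer, audience and lifetime all verify;
    // otherwise null with the reason in failureReason.
    public static ClaimsIdentity GetValidatedIdentity(
        string token,
        X509Certificate2 signingCertificate,
        string expectedIssuer,
        string expectedAudience,
        out string failureReason)
    {
        failureReason = null;
        var handler = new JwtSecurityTokenHandler();

        if (string.IsNullOrWhiteSpace(token) || !handler.CanReadToken(token))
        {
            failureReason = "not a well-formed JWT";
            return null;
        }

        var parameters = new TokenValidationParameters
        {
            // Signature: unsigned tokens are rejected and the signature must verify
            // with the public key in this certificate.
            RequireSignedTokens = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningToken = new X509SecurityToken(signingCertificate),

            // Issuer and audience: a token minted by or for another service is rejected
            // even if its signature is valid.
            ValidateIssuer = true,
            ValidIssuer = expectedIssuer,
            ValidateAudience = true,
            ValidAudience = expectedAudience,

            // Lifetime: 'exp' must be present and is enforced, with a small skew allowance
            // instead of the library default so clock drift does not hide expiry for long.
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2)
        };

        try
        {
            SecurityToken validatedToken;
            ClaimsPrincipal principal = handler.ValidateToken(token, parameters, out validatedToken);
            return principal.Identities.FirstOrDefault();
        }
        catch (SecurityTokenExpiredException)
        {
            failureReason = "token expired";
        }
        catch (SecurityTokenInvalidSignatureException)
        {
            failureReason = "signature did not verify";
        }
        catch (SecurityTokenValidationException ex)
        {
            // Issuer, audience, not-before and other validation failures land here.
            failureReason = ex.GetType().Name;
        }
        return null;
    }

    // Parses without validating, the same thing ReadToken does in the answer. Useful for
    // diagnostics such as logging the 'iss' or 'exp' of a rejected token; the claims it
    // exposes are unverified and must not drive an authorization decision.
    public static JwtSecurityToken PeekUnvalidated(string token)
    {
        return new JwtSecurityTokenHandler().ReadToken(token) as JwtSecurityToken;
    }
}
```

Catching the specific exception types before the base SecurityTokenValidationException lets the caller log why a token was refused while still returning only a generic 401 to the client.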