SecurityTokenValidated回調是否使用Owin Middleware自動驗證令牌

Question

我正在使用Azure廣告並設置我的Startup.Auth.cs文件如下 我能夠連接並使用Azure，Google，MS和Linked in來成功進行身份驗證，並且我收到了id_token回來，但我希望能夠驗證我從Azure收到的此令牌，但我不確定如何操作。提出的SecurityTokenValidated事件是否意味着令牌已經根據我定義的TokenValidationParameters進行了驗證，我不需要驗證該令牌？如果是這種情況，我應該在TokenValidationParameters中輸入什麼內容？

我接收回來的id_token不包含加密的簽名來驗證

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); 

      app.UseCookieAuthentication(new CookieAuthenticationOptions 
       { 
        SlidingExpiration = true, 
        LoginPath = new PathString("/"), 
        CookieSecure = CookieSecureOption.Always, 


       }); 

      var options = new OpenIdConnectAuthenticationOptions 
      { 

       Authority = "https://login.windows.net/common", 
       ClientId = clientId, 
       RedirectUri = redirectUri, 
       PostLogoutRedirectUri = postLogoutRedirectUri, 
       Notifications = new OpenIdConnectAuthenticationNotifications 
       { 

        AuthenticationFailed = AuthenticationFailed, 
        RedirectToIdentityProvider = OnRedirectToIdentityProvider, 
        SecurityTokenReceived = OnSecurityTokenReceived, 
        AuthorizationCodeReceived = OnAuthorizationCodeReceived, 
        SecurityTokenValidated = OnSecurityTokenValidated, 
        MessageReceived = OnMessageReceived 
       }, 
       Scope = "openid", 
       ResponseType = "id_token", 
       Description = new AuthenticationDescription 
       { 

        AuthenticationType = "OpenIdConnect", 
             }, 

       ConfigurationManager = new PolicyConfigurationManager(
        string.Format(CultureInfo.InvariantCulture, aadInstance, tenant, "/v2.0", OidcMetadataSuffix), 
        new[] { SisuGoogle, SisuLinkedIn, SisuMicrosoft, SisuLocal, ResetPasswordLocalPolicyId }), 


       TokenValidationParameters = new TokenValidationParameters 
       { 
        ValidAudiences = new string[] 
        { 
        "http://localhost:44330/", 


        }, 
        IssuerSigningKey = GetSecurityKey(), 
        // If you don't add this, you get IDX10205 
        //ValidateIssuer = false, 
       }, 
      }; 

      app.UseOpenIdConnectAuthentication(options); 



private SecurityKey GetSecurityKey() 
     { 
      var securityKey = "secure key"; 
      var signingKey = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey)); 
      var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256Signature,SecurityAlgorithms.Sha256Digest); 
      return signingCredentials.SigningKey; 
     } 


    private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg) 
      { 


//do I need to validate the token here or has it already been validated?? 

//if I have to validate it then how do I? I've tried the following but does not work 
       var tokenValidationParameters = new TokenValidationParameters 
       { 
        IssuerSigningKey = GetSecurityKey() 
       }; 

       SecurityToken validatedToken; 
       var jwtHandler = new JwtSecurityTokenHandler(); 


    //crashes at this point 
       jwtHandler.ValidateToken(arg.ProtocolMessage.IdToken, tokenValidationParameters, out validatedToken); 



       return Task.FromResult(0); 
      } 

Answer 1

你可以按照這個樣本：https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-devquickstarts-api-dotnet.md

還是來看看這個類似的問題： https://social.msdn.microsoft.com/Forums/en-US/893a6142-1508-4aa2-9da3-dab3b1f1a6b9/b2c-jwt-token-signature-validation?forum=WindowsAzureAD

如果您在示例中使用了類似的配置，那麼OWIN將使用從元數據端點獲取的密鑰來處理令牌驗證。