在 C# 中覆盖 JWT ValidateToken

Question

我已经设置了一个令牌认证过程并且它工作得很好。我正在使用 OWIN。

我正在扩展 2 个特定点，让我可以控制 JWT 的签名以及像这样验证用户凭据。

            Provider = new MyOAuthProvider(),
            AccessTokenFormat = new MyJwtFormatter()

如何连接到正在验证令牌的部分。我在网上搜索，似乎有一个方法不能 ValidateToken 可以覆盖，但我不知道这是哪里。

我也有以下。我需要在这里覆盖一些东西吗？

        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
                {
                    AuthenticationMode = AuthenticationMode.Active,
                    AllowedAudiences = new[] { audience },
                    IssuerSecurityTokenProviders =
                        new IIssuerSecurityTokenProvider[]
                            {
                                new SymmetricKeyIssuerSecurityTokenProvider(
                                    issuer,
                                    secret)
                            }
                });

我可能缺少什么？我发现的大多数东西都支持我正在做的事情，但不支持令牌身份验证。

我相信它使用了内部的 JWTTokenHandler，我想你可以覆盖这个什么的？

Answer 1

这是一个简单的 JWT 验证类，基于：Google Sign-In for Websites

using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Net.Http;
using System.Web;
using System.Web.Configuration;
using Newtonsoft.Json;
using System.Net;
using System.Threading.Tasks;
using System.Threading;
using Services.Models;
using System.Security.Claims;

namespace Services
{
    /// <summary>
    ///  This is an implementation of Google JWT verification that
    ///  demonstrates:
    ///    - JWT validation
    /// </summary>
    /// @author kunal.bajpai@gmail.com (Kunal Bajpai)


    public class CustomJwtHandler : DelegatingHandler
    {
        string issuer = WebConfigurationManager.AppSettings["GoogleDomain"];
        string audience = WebConfigurationManager.AppSettings["GoogleClientId"];

        /// <summary>
        /// 
        /// </summary>
        /// <param name="request"></param>
        /// <param name="cancellationToken"></param>
        /// <returns></returns>
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            HttpStatusCode statusCode;
            string token;

            var authHeader = request.Headers.Authorization;
            if (authHeader == null)
            {
                // Missing authorization header
                return base.SendAsync(request, cancellationToken);
            }

            if (!TryRetrieveToken(request, out token))
            {
                return Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(HttpStatusCode.Unauthorized));
            }

            try
            {
                ValidateToken(token);
                return base.SendAsync(request, cancellationToken);
            }
            catch (SecurityTokenInvalidAudienceException)
            {
                statusCode = HttpStatusCode.Unauthorized;
            }
            catch (SecurityTokenValidationException)
            {
                statusCode = HttpStatusCode.Unauthorized;
            }
            catch (Exception e)
            {
                statusCode = HttpStatusCode.InternalServerError;
            }

            return Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(statusCode));
        }
        /// <summary>
        /// Validates JWT Token
        /// </summary>
        /// <param name="token"></param>
        private void ValidateToken(string token)
        {
            try
            {
                using (WebClient wc = new WebClient())
                {
                    TokenInfo tokenInfo = JsonConvert.DeserializeObject<TokenInfo>(wc.DownloadString("https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=" + token));

                    List<Claim> claims = new List<Claim> {
                        new Claim(ClaimTypes.Name, tokenInfo.Name),
                        new Claim(ClaimTypes.Email, tokenInfo.Email),
                        new Claim(ClaimTypes.GivenName, tokenInfo.GivenName),
                        new Claim(ClaimTypes.Surname, tokenInfo.FamilyName),
                    };

                    ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity(claims, tokenInfo.Issuer));
                    Thread.CurrentPrincipal = claimsPrincipal;
                    HttpContext.Current.User = claimsPrincipal;
                }
            }
            catch (WebException e)
            {
                HttpStatusCode statusCode = ((HttpWebResponse)e.Response).StatusCode;
                if (statusCode == HttpStatusCode.BadRequest)
                {
                    throw new SecurityTokenValidationException();
                }
                else
                {
                    throw new Exception();
                }
            }
        }
        /// <summary>
        /// Tries to retrieve Token
        /// </summary>
        /// <param name="request"></param>
        /// <param name="token"></param>
        /// <returns></returns>
        private static bool TryRetrieveToken(HttpRequestMessage request, out string token)
        {
            token = null;
            IEnumerable<string> authorizationHeaders;

            if (!request.Headers.TryGetValues("Authorization", out authorizationHeaders) ||
            authorizationHeaders.Count() > 1)
            {
                return false;
            }

            var bearerToken = authorizationHeaders.ElementAt(0);
            token = bearerToken.StartsWith("Bearer ") ? bearerToken.Substring(7) : bearerToken;
            return true;
        }
    }
}