
How do I use ClaimsAuthenticationManager to change the raw token value coming from ACS? I want to add roles to the token. I managed to add roles to the ClaimsIdentity, but they are not reflected in the raw token.

string rawToken = string.Empty;

ClaimsIdentity identity = HttpContext.User.Identity as ClaimsIdentity;

if (null != identity)
{
    SimpleWebToken token = identity.BootstrapToken as SimpleWebToken;

    if (null != token)
    {
        rawToken = token.RawToken;
    }
}

The roles show up on the identity, but they are not added to the bootstrap token.

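The following is an added example, not code from the question or the answer, of the usual way to attach roles in a ClaimsAuthenticationManager: the role claims go onto the in-memory ClaimsIdentity and the ACS-issued bootstrap token is left as it is. It assumes the .NET 4.5 WIF types in System.Security.Claims (on WIF 3.5 the base class is Microsoft.IdentityModel.Claims.ClaimsAuthenticationManager and the identity type is IClaimsIdentity); the role table, the user names, the assembly name in the config comment and the issuer string "LOCAL AUTHORITY" are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example (not from the original post). Register it in web.config under
// <system.identityModel><identityConfiguration>
//   <claimsAuthenticationManager type="RoleEnrichingAuthenticationManager, MyAssembly" />
// "MyAssembly" is a placeholder for the assembly that contains this class.
public class RoleEnrichingAuthenticationManager : ClaimsAuthenticationManager
{
    // Constructed sample data standing in for a database or directory lookup,
    // keyed by the name identifier ACS placed in the token.
    private static readonly IDictionary<string, string[]> RolesByNameId =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.com", new[] { "Reader", "Approver" } },
            { "bob@example.com",   new[] { "Reader" } },
        };

    // Issuer recorded on the locally added claims so downstream code can tell them
    // apart from claims ACS actually asserted (and signed) in the bootstrap token.
    public const string LocalIssuer = "LOCAL AUTHORITY";

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        ClaimsIdentity identity = incomingPrincipal == null ? null : incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal;   // anonymous request: nothing to enrich

        Claim nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
        string[] roles;
        if (nameId == null || !RolesByNameId.TryGetValue(nameId.Value, out roles))
            return incomingPrincipal;   // unknown user keeps only the roles ACS issued

        foreach (string role in roles)
        {
            // Role claims are added to the in-memory identity only. The bootstrap token is
            // the signed ACS artefact and is deliberately left untouched.
            if (!identity.HasClaim(ClaimTypes.Role, role))
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));
        }
        return incomingPrincipal;
    }

    public static void Main()
    {
        // Constructed principal approximating what the SWT handler builds from an ACS token.
        const string acsIssuer = "https://contoso.accesscontrol.windows.net/";
        var acsIdentity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "alice@example.com", ClaimValueTypes.String, acsIssuer),
            new Claim(ClaimTypes.Role, "Reader", ClaimValueTypes.String, acsIssuer),
        }, "Federation");   // a non-null authentication type makes IsAuthenticated true

        ClaimsPrincipal principal = new RoleEnrichingAuthenticationManager()
            .Authenticate("https://localhost/app/", new ClaimsPrincipal(acsIdentity));

        foreach (Claim c in principal.FindAll(ClaimTypes.Role))
            Console.WriteLine("{0} (issuer: {1})", c.Value, c.Issuer);
        Console.WriteLine("IsInRole(Approver): " + principal.IsInRole("Approver"));
    }
}
```

After Authenticate runs, the principal answers IsInRole("Approver") from the added claim while the Reader claim still carries the ACS issuer; anything that reads identity.BootstrapToken (or BootstrapContext on .NET 4.5) still sees the original signed token, which is the behaviour the question observed.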

1 Answer


The bootstrap token is used to construct the ClaimsIdentity. In the ClaimsAuthenticationManager you have already created the incomingPrincipal from the ACS token. The claims inside the token are also signed by ACS and in theory cannot be changed without the token consumer running into validation problems.

What scenario are you trying to implement? Reusing the token in a WCF service or something similar?

UPDATE Here is sample code that changes a token from ACS (using a SAML2 token). Note: it is very important that SAML assertions with different data have different IDs. If you implement a scheme that loads an assertion "template" and fills in some bits of data, you must change the Id; otherwise you will see the modified assertion values in the debugger, but the WriteToken method will write the original, unmodified token from the source bytes stored in the token.

using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// certificateFile / certificatePassword, CreateTokenHandler() and GetTemplateToken()
// are helpers of the answerer's own project and are not shown here.
X509Certificate2 signingCertificate = new X509Certificate2(certificateFile, certificatePassword);
Saml2SecurityTokenHandler handler = CreateTokenHandler();   // used afterwards to WriteToken the result
Saml2SecurityToken templateToken = GetTemplateToken();
Saml2Assertion assertion = templateToken.Assertion;

// modify the template token: change dates, add claims, etc.
// A fresh Id is required; otherwise WriteToken re-emits the original bytes cached in the token.
assertion.Id = new Saml2Id();
// order is important: the template already has both dates set and the setters reject a
// NotBefore that is not earlier than NotOnOrAfter, so widen NotOnOrAfter first
// (DateTime.MaxValue is for the sample only; a real issuer sets a short lifetime)
assertion.Conditions.NotOnOrAfter = DateTime.MaxValue;
assertion.Conditions.NotBefore = DateTime.UtcNow;

// prepare to re-sign the modified assertion with our own certificate
X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(signingCertificate);
X509RawDataKeyIdentifierClause x509clause = new X509RawDataKeyIdentifierClause(signingCertificate);
SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { x509clause });
// keep the signature and digest algorithms of the original ACS signature, swap in our key
assertion.SigningCredentials = new SigningCredentials
    (
    signingKey,
    assertion.SigningCredentials.SignatureAlgorithm,
    assertion.SigningCredentials.DigestAlgorithm,
    keyIdentifier
    );
// create the modified token; it is signed by handler.WriteToken using the credentials above
Saml2SecurityToken token = new Saml2SecurityToken(assertion, new ReadOnlyCollection<SecurityKey>(new List<SecurityKey>() { signingKey }), templateToken.IssuerToken);
answered 2013-02-25T13:29:09.470
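The question's bootstrap token is a SWT rather than SAML2, so here is an added example (not code from the answer, the question, or ACS) that re-implements the SWT signing rule to show concretely what "cannot be changed without validation problems" means: the HMACSHA256 parameter covers every byte preceding "&HMACSHA256=", so splicing a role claim into the raw token breaks verification, and only a party holding the shared key can produce a token that verifies again, the SWT counterpart of the certificate re-signing in the answer's SAML2 code. The key, claim values and issuer/audience URLs are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original post). Minimal SWT signer/verifier following the
// SWT rule: HMACSHA256 over the UTF-8 bytes of everything before "&HMACSHA256=".
public static class SwtSignatureDemo
{
    private const string SignatureParameter = "HMACSHA256";

    // Builds the unsigned body: URL-encoded name=value pairs joined with '&'.
    public static string BuildBody(IEnumerable<KeyValuePair<string, string>> claims)
    {
        var parts = new List<string>();
        foreach (var kv in claims)
            parts.Add(WebUtility.UrlEncode(kv.Key) + "=" + WebUtility.UrlEncode(kv.Value));
        return string.Join("&", parts);
    }

    // Appends the HMACSHA256 parameter computed over the whole unsigned body.
    public static string Sign(string unsignedBody, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(unsignedBody));
            return unsignedBody + "&" + SignatureParameter + "=" + WebUtility.UrlEncode(Convert.ToBase64String(mac));
        }
    }

    // Returns true only if the trailing signature matches the HMAC recomputed over the body.
    public static bool Verify(string token, byte[] key)
    {
        string marker = "&" + SignatureParameter + "=";
        int idx = token.LastIndexOf(marker, StringComparison.Ordinal);
        if (idx < 0) return false;                       // unsigned token: reject
        string body = token.Substring(0, idx);
        byte[] presented;
        try { presented = Convert.FromBase64String(WebUtility.UrlDecode(token.Substring(idx + marker.Length))); }
        catch (FormatException) { return false; }
        using (var hmac = new HMACSHA256(key))
            return FixedTimeEquals(hmac.ComputeHash(Encoding.UTF8.GetBytes(body)), presented);
    }

    // Constant-time comparison so the verifier does not leak how many signature bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // What the question tried to do: splice an extra claim into an already-signed token.
    public static string InsertClaimBeforeSignature(string token, string claimType, string value)
    {
        int idx = token.LastIndexOf("&" + SignatureParameter + "=", StringComparison.Ordinal);
        string extra = "&" + WebUtility.UrlEncode(claimType) + "=" + WebUtility.UrlEncode(value);
        return idx < 0 ? token + extra : token.Substring(0, idx) + extra + token.Substring(idx);
    }

    // Strips the old signature and signs the (modified) body again; needs the shared key.
    public static string Resign(string token, byte[] key)
    {
        int idx = token.LastIndexOf("&" + SignatureParameter + "=", StringComparison.Ordinal);
        return Sign(idx < 0 ? token : token.Substring(0, idx), key);
    }

    public static void Main()
    {
        // Constructed key; a real ACS relying-party key is 256-bit random, exchanged out of band.
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-a-real-acs-secret");
        const string roleType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

        string issued = Sign(BuildBody(new[]
        {
            new KeyValuePair<string, string>("Issuer", "https://contoso.accesscontrol.windows.net/"),
            new KeyValuePair<string, string>("Audience", "https://localhost/app/"),
            new KeyValuePair<string, string>("ExpiresOn", "1361800000"),
            new KeyValuePair<string, string>(roleType, "Reader"),
        }), key);

        string tampered = InsertClaimBeforeSignature(issued, roleType, "Approver");
        string reissued = Resign(tampered, key);

        Console.WriteLine("issued verifies:   " + Verify(issued, key));
        Console.WriteLine("tampered verifies: " + Verify(tampered, key));
        Console.WriteLine("reissued verifies: " + Verify(reissued, key));
    }
}
```

The tampered token fails Verify because its body no longer matches the MAC that ACS computed; the re-signed one passes only because this process holds the shared key, which is exactly the property a relying party relies on when it trusts the role claims in a bootstrap token.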