1

我在 Windows Azure ACS 中使用 SWT,并且在依赖方应用程序中使用自定义 SwtHandler 来处理传入的 SWT 令牌。虽然它在依赖方重新创建 SWT 令牌,但在创建与 validFrom 属性值相关的 SessionSecurityToken 时出现错误。

我已经尝试了以下 ValidFrom 值,但没有解决问题。

  1. DateTime SwtBaseTime = new DateTime(1970, 1, 1, 0, 0, 0, 0);
  2. 日期时间.UtcNow
  3. DateTime.MinValue 指定的参数超出了有效值的范围。参数名称:validFrom

[ArgumentOutOfRangeException:指定的参数超出了有效值的范围。参数名称:validFrom]

System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimPrincipal,UniqueId contextId,String id,String context,Byte [] key,String endpointId,Nullable 1 validFrom, Nullable1 validTo,UniqueId keyGeneration,Nullable 1 keyEffectiveTime, Nullable1 keyExpirationTime,SctAuthorizationPolicy sctAuthorizationPolicy,Uri securityContextSecurityTokenWrapperSecureConversationVersion)+1009610 System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimPrincipal,UniqueId contextId,字符串上下文,字符串 endpointId,Nullable1 validFrom, Nullable1 validTo, SymmetricSecurityKey key) +317 System.IdentityModel.Tokens.SessionSecurityTokenHandler.CreateSessionSecurityToken(ClaimsPrincipal principal, String context, String endpointId, DateTime validFrom, DateTime validTo) +306 System.IdentityModel.Services.SessionAuthenticationModule.CreateSessionSecurityToken(ClaimsPrincipal principal, String context , DateTime validFrom, DateTime validTo, Boolean isPersistent) +313 System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +1079 System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +123924 System.Web.SyncEventExecutionStep .System.Web.HttpApplication.IExecutionStep.Execute() +80 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&同步完成)+165

4

2 回答 2

1

在尝试为 SessionAuthenticationModule 实现滑动到期时,我遇到了重新创建会话安全令牌的类似问题。

protected void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
    DateTime now = DateTime.UtcNow;
    DateTime validFrom = e.SessionToken.ValidFrom;
    DateTime validTo = e.SessionToken.ValidTo;
    TimeSpan sessionLifetime = validTo.Subtract(e.SessionToken.ValidFrom);

    bool sessionTimeHasExpired = now > validTo;
    bool sessionTimeIsHalfExpired = now > validFrom.AddMinutes(sessionLifetime.TotalMinutes / 2);

    // http://www.michael-mckenna.com/Blog/2013/2/the-problem-with-absolute-token-expiration-in-windows-identity-foundation-wif
    if (!sessionTimeHasExpired && sessionTimeIsHalfExpired)
    {
        // If the session has not expired but the session lifetime is already half spent, reissue the cookie. 
        e.SessionToken = (sender as SessionAuthenticationModule).CreateSessionSecurityToken(e.SessionToken.ClaimsPrincipal, e.SessionToken.Context,
        now, now.AddMinutes(sessionLifetime.TotalMinutes), e.SessionToken.IsPersistent);
        e.ReissueCookie = true;
    }
}

CreateSessionSecurityToken 方法采用validFrom 和validTo 的值。如果这两个值相等,则会引发 ArgumentOutOfRange 异常。

我遇到了这个问题,因为最初我使用的是 sessionLifetime.Minutes(0)而不是 sessionLifetime.TotalMinutes(100)。

于 2014-04-17T18:01:28.787 回答
0

尝试使用相同的KeyEffectiveTime

e.SessionToken = sam.CreateSessionSecurityToken(
                     e.SessionToken.ClaimsPrincipal,
                     e.SessionToken.Context,
                     e.SessionToken.KeyEffectiveTime, 
                     e.SessionToken.KeyExpirationTime.AddHours(8), 
                     e.SessionToken.IsPersistent);
于 2016-04-25T12:42:31.123 回答