鉴于下面的 Thinktecture AuthenticationConfiguration:
var authConfig = new AuthenticationConfiguration
{
EnableSessionToken = true,
SendWwwAuthenticateResponseHeaders = true,
RequireSsl = false,
ClaimsAuthenticationManager = new ClaimsTransformation(),
SessionToken = new SessionTokenConfiguration
{
EndpointAddress = "/api/token",
SigningKey = CryptoRandom.CreateRandomKey(32),
DefaultTokenLifetime = new TimeSpan(1, 0, 0)
}
};
它将返回一个示例 JWTeyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzZXNzaW9uIGlzc3VlciIsImF1ZCI6Imh0dHA6Ly9zZXNzaW9uLnR0IiwibmJmIjoxNDIwMzk2ODgyLCJleHAiOjE0MjA0MDA0ODIsInVuaXF1ZV9uYW1lIjoicGFzcyIsImF1dGhtZXRob2QiOiJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvYXV0aGVudGljYXRpb25tZXRob2QvcGFzc3dvcmQiLCJhdXRoX3RpbWUiOiIyMDE1LTAxLTA0VDE4OjQxOjA0LjAxOVoiLCJyb2xlIjoiVmVyaWZpZWQifQ.h7curaLrqkMT4Btg-AAoEpNYqUIYNQA_y-eUdEwQBqs
这是:
{
"alg": "HS256",
"typ": "JWT"
}
{
"unique_name": "pass",
"aud": "http://session.tt",
"iss": "session issuer",
"authmethod": "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
"role": "Verified",
"exp": 1420400482,
"auth_time": "2015-01-04T18:41:04.019Z",
"nbf": 1420396882
}
我将如何验证 JWT 是从受信任的机器发出的,我们可以使用对称密钥作为私有签名密钥并在远程机器上使用相同的密钥进行验证吗?
我如何连接 WebAPI 以便它自动为我们执行此操作(假设 AuthenticationConfiguration 位于另一台专用于帐户安全 api 的机器上)。