5

我们正在为基于 REST 的服务实施 STS(基于声明的身份验证)。当我们决定创建 REST 服务(使用 JSON)时,众多原因之一是线路占用空间小。使用 STS,只有少数声明的 SAML 令牌 SAML 大小变为几 K 字节。对于我们不返回对象列表的大多数 REST 调用,响应大小只有 100 秒字节,对于这些调用,这个令牌似乎开销太大。你在你的项目中是如何处理这个问题的?

4

2 回答 2

2

...或 JWT(JSON Web 令牌)。ACS 也支持这些。查看这篇文章:Microsoft .NET Framework 4.5 的 JSON Web 令牌处理程序 这是此库与 .Net 4.5 的使用示例,它发出并验证使用基于对称密钥的 HMAC SHA256 签名的 JWT。

string jwtIssuer = "MyIssuer";
string jwtAudience = "MyAudience";

// Generate symmetric key for HMAC-SHA256 signature
RNGCryptoServiceProvider cryptoProvider = new RNGCryptoServiceProvider();
byte[] keyForHmacSha256 = new byte[64];
cryptoProvider.GetNonZeroBytes(keyForHmacSha256);

///////////////////////////////////////////////////////////////////
// Create signing credentials for the signed JWT.
// This object is used to cryptographically sign the JWT by the issuer.
SigningCredentials sc = new SigningCredentials(
                                new InMemorySymmetricSecurityKey(keyForHmacSha256),
                                "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
                                "http://www.w3.org/2001/04/xmlenc#sha256");

///////////////////////////////////////////////////////////////////
// Create token validation parameters for the signed JWT
// This object will be used to verify the cryptographic signature of the received JWT
TokenValidationParameters validationParams =
    new TokenValidationParameters()
    {
        AllowedAudience = s_jwtAudience,
        ValidIssuer = s_jwtIssuer,
        ValidateExpiration = true,
        ValidateNotBefore = true,
        ValidateIssuer = true,
        ValidateSignature = true,
        SigningToken = new BinarySecretSecurityToken(keyForHmacSha256),
    };

///////////////////////////////////////////////////////////////////
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();

// Create a simple JWT claim set
IList<Claim> payloadClaims = new List<Claim>() { new Claim("clm1", "clm1 value"), };

// Create a JWT with signing credentials and lifetime of 12 hours
JWTSecurityToken jwt =
    new JWTSecurityToken(jwtIssuer, jwtAudience, payloadClaims, sc, DateTime.UtcNow, DateTime.UtcNow.AddHours(12.0));

// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);

// Validate the token signature (we provide the shared symmetric key in `validationParams`)
// This will throw if the signature does not validate
jwtHandler.ValidateToken(jwtOnTheWire, validationParams);

// Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>)
JWTSecurityToken parsedJwt = jwtHandler.ReadToken(jwtOnTheWire) as JWTSecurityToken;
于 2013-02-10T12:41:22.080 回答
0

您可以将 SAML 令牌与 REST 端点一起使用,但更多时候您会发现人们使用简单 Web 令牌 (SWT) 来代替。更小、更简单等。

例如,ACS(Windows Azure 平台中的访问控制服务)实现了这一点。

于 2011-02-05T04:51:52.000 回答