如何使用谷歌OAuth2兼容算法RSASHA-256使用System.IdentityModel.Tokens.Jwt生成JWT?
如何使用谷歌OAuth2兼容算法RSASHA-256使用System.IdentityModel.Tokens.Jwt生成JWT?
提问于 2014-10-21 04:02:21
我正在尝试创建一个JWT来授权一个服务帐户,如Google文档中使用System.IdentityModel.Tokens.Jwt所描述的那样。我有以下代码:
byte[] key = Convert.FromBase64String("...");
var certificate = new X509Certificate2(key, "notasecret");
DateTime now = DateTime.UtcNow;
TimeSpan span = now - UnixEpoch;
Claim[] claims =
{
new Claim("iss", "email@developer.gserviceaccount.com"),
new Claim("scope", "https://www.googleapis.com/auth/plus.me"),
new Claim("aud", "https://accounts.google.com/o/oauth2/token"),
new Claim("iat", span.TotalSeconds.ToString()),
new Claim("exp", span.Add(TimeSpan.FromHours(1)).TotalSeconds.ToString())
};
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
var descriptor = new SecurityTokenDescriptor
{
SigningCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(key),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"),
Subject = new ClaimsIdentity(claims)
};
JwtSecurityToken jwtSecurityToken = (JwtSecurityToken)handler.CreateToken(descriptor);
string json = handler.WriteToken(jwtSecurityToken);其中产出:
{ "typ" : "JWT" , "alg" : "HS256" }虽然Google明确声明它支持SHA-256:
服务帐户依赖于RSA SHA-256算法和JWT令牌格式。
根据wtSecurityTokenHandler.InboundAlgorithmMap
RS256 => http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
HS256 => http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 所以当我改变我的代码:
new SigningCredentials(
new InMemorySymmetricSecurityKey(key),
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256");我有个例外:
System.InvalidOperationException: IDX10632: SymmetricSecurityKey.GetKeyedHashAlgorithm( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw an exception.
SymmetricSecurityKey: 'System.IdentityModel.Tokens.InMemorySymmetricSecurityKey'
SignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.这是否意味着微软不支持谷歌独家支持的算法?
回答 3
Stack Overflow用户
回答已采纳
发布于 2014-10-29 23:21:57
private static async Task<string> GetAuthorizationToken(GoogleAuthOptions authOptions)
{
string jwt = CreateJwt(authOptions);
var dic = new Dictionary<string, string>
{
{ "grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer" },
{ "assertion", jwt }
};
var content = new FormUrlEncodedContent(dic);
var httpClient = new HttpClient { BaseAddress = new Uri("https://accounts.google.com") };
var response = await httpClient.PostAsync("/o/oauth2/token", content);
response.EnsureSuccessStatusCode();
dynamic dyn = await response.Content.ReadAsAsync<dynamic>();
return dyn.access_token;
}
private static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
private static string CreateJwt(GoogleAuthOptions authOptions)
{
var certificate = new X509Certificate2(Convert.FromBase64String(authOptions.CertificateKey), authOptions.CertificateSecret);
DateTime now = DateTime.UtcNow;
var claimset = new
{
iss = authOptions.Issuer,
scope = "https://www.googleapis.com/auth/plus.me",
aud = authOptions.Audience,
iat = ((int)now.Subtract(UnixEpoch).TotalSeconds).ToString(CultureInfo.InvariantCulture),
exp = ((int)now.AddMinutes(55).Subtract(UnixEpoch).TotalSeconds).ToString(CultureInfo.InvariantCulture)
};
// header
var header = new { typ = "JWT", alg = "RS256" };
// encoded header
var headerSerialized = JsonConvert.SerializeObject(header);
var headerBytes = Encoding.UTF8.GetBytes(headerSerialized);
var headerEncoded = TextEncodings.Base64Url.Encode(headerBytes);
// encoded claimset
var claimsetSerialized = JsonConvert.SerializeObject(claimset);
var claimsetBytes = Encoding.UTF8.GetBytes(claimsetSerialized);
var claimsetEncoded = TextEncodings.Base64Url.Encode(claimsetBytes);
// input
var input = String.Join(".", headerEncoded, claimsetEncoded);
var inputBytes = Encoding.UTF8.GetBytes(input);
// signiture
var rsa = (RSACryptoServiceProvider)certificate.PrivateKey;
var cspParam = new CspParameters
{
KeyContainerName = rsa.CspKeyContainerInfo.KeyContainerName,
KeyNumber = rsa.CspKeyContainerInfo.KeyNumber == KeyNumber.Exchange ? 1 : 2
};
var cryptoServiceProvider = new RSACryptoServiceProvider(cspParam) { PersistKeyInCsp = false };
var signatureBytes = cryptoServiceProvider.SignData(inputBytes, "SHA256");
var signatureEncoded = TextEncodings.Base64Url.Encode(signatureBytes);
// jwt
return String.Join(".", headerEncoded, claimsetEncoded, signatureEncoded);
}Stack Overflow用户
发布于 2015-06-10 13:07:09
问这个问题已经有一段时间了,但我认为对于未来的用户来说,在.NET Google的几行代码中很容易获得相同的结果(其nuget在这里可以获得:Google.Apis.Auth ),这一点值得知道。
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
namespace GoogleTest
{
public class GoogleOAuth2
{
/// <summary>
/// Authorization scope for our requests
/// </summary>
private readonly string _defaultScope;
/// <summary>
/// Service account will be of the form nnnnnnn@developer.gserviceaccount.com
/// </summary>
private readonly string _serviceAccount;
/// <summary>
/// Set this to the full path to your service account private key file.
/// </summary>
private readonly string _certificateFile;
public GoogleOAuth2(string defaultScope, string serviceAccount, string certificateFile)
{
_defaultScope = defaultScope;
_serviceAccount = serviceAccount;
_certificateFile = certificateFile;
}
/// <summary>
/// Access Token returned by Google Token Server
/// </summary>
public string AccessToken { get; set; }
public async Task<bool> RequestAccessTokenAsync()
{
var certificate = new X509Certificate2(_certificateFile, "notasecret", X509KeyStorageFlags.Exportable);
var serviceAccountCredential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(_serviceAccount)
{
Scopes = new[] { _defaultScope }
}.FromCertificate(certificate));
var status = await serviceAccountCredential.RequestAccessTokenAsync(CancellationToken.None);
if (status)
AccessToken = serviceAccountCredential.Token.AccessToken;
return status;
}
}
}要获得访问令牌,只需调用方法RequestAccessTokenAsync,如果结果成功,则可以在AccessToken属性中获得令牌。
请注意,此实现假定在开发人员控制台中,您已经将私钥导出为.P12文件。
希望这个答案会有所帮助。
Stack Overflow用户
发布于 2014-12-04 21:12:23
我不得不稍微修改@abatishchev的代码。否则,在将证书部署到非开发环境时,会出现生成证书的问题。
问题是两方面的。如果证书没有标记为可导出的,它将抛出一个异常,上面写着"keyset不存在“。这只会发生在服务器上,而不是在本地,因此我怀疑Windows的服务器版本有更多的限制。
此外,它还会引发有关计算机信任问题的加密异常,因为证书是在用户密钥集中创建的。我们的应用程序池被设置为不导入高级选项中的用户配置文件,您可以这样做。但由于与其他应用程序的兼容性问题,这对我们来说不是一种选择。设置要在计算机密钥集中创建的证书可以缓解此问题。
两个更改的部分都标记了注释。
private static async Task<string> GetAuthorizationToken(GoogleAuthOptions authOptions)
{
string jwt = CreateJwt(authOptions);
var dic = new Dictionary<string, string>
{
{ "grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer" },
{ "assertion", jwt }
};
var content = new FormUrlEncodedContent(dic);
var httpClient = new HttpClient { BaseAddress = new Uri("https://accounts.google.com") };
var response = await httpClient.PostAsync("/o/oauth2/token", content);
response.EnsureSuccessStatusCode();
dynamic dyn = await response.Content.ReadAsAsync<dynamic>();
return dyn.access_token;
}
private static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
private static string CreateJwt(GoogleAuthOptions authOptions)
{
/* changed */
const X509KeyStorageFlags certificateFlags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable;
var certificate = new X509Certificate2(Convert.FromBase64String(authOptions.CertificateKey), authOptions.CertificateSecret, certificateFlags);
/* end of change */
DateTime now = DateTime.UtcNow;
var claimset = new
{
iss = authOptions.Issuer,
scope = "https://www.googleapis.com/auth/plus.me",
aud = authOptions.Audience,
iat = ((int)now.Subtract(UnixEpoch).TotalSeconds).ToString(CultureInfo.InvariantCulture),
exp = ((int)now.AddMinutes(55).Subtract(UnixEpoch).TotalSeconds).ToString(CultureInfo.InvariantCulture)
};
// header
var header = new { typ = "JWT", alg = "RS256" };
// encoded header
var headerSerialized = JsonConvert.SerializeObject(header);
var headerBytes = Encoding.UTF8.GetBytes(headerSerialized);
var headerEncoded = TextEncodings.Base64Url.Encode(headerBytes);
// encoded claimset
var claimsetSerialized = JsonConvert.SerializeObject(claimset);
var claimsetBytes = Encoding.UTF8.GetBytes(claimsetSerialized);
var claimsetEncoded = TextEncodings.Base64Url.Encode(claimsetBytes);
// input
var input = String.Join(".", headerEncoded, claimsetEncoded);
var inputBytes = Encoding.UTF8.GetBytes(input);
// signiture
var rsa = (RSACryptoServiceProvider)certificate.PrivateKey;
var cspParam = new CspParameters
{
KeyContainerName = rsa.CspKeyContainerInfo.KeyContainerName,
/* changed */
KeyNumber = (int) KeyNumber.Exchange,
Flags = CspProviderFlags.UseMachineKeyStore
/* end of change */
};
var cryptoServiceProvider = new RSACryptoServiceProvider(cspParam) { PersistKeyInCsp = false };
var signatureBytes = cryptoServiceProvider.SignData(inputBytes, "SHA256");
var signatureEncoded = TextEncodings.Base64Url.Encode(signatureBytes);
// jwt
return String.Join(".", headerEncoded, claimsetEncoded, signatureEncoded);
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/26478694
复制相关文章
相似问题
腾讯云开发者
