OwinMiddleware Authentication (ws federation) - MV

2019-08-14 12:46发布

问题:

I'm trying to Authenticate toward an ACS server, I do manage to get authenticated with http modules the old way through the config file but I can't git it to work with owin. Here is the relevants part of my startup

        app.UseCookieAuthentication(
            new CookieAuthenticationOptions
            {
                AuthenticationType =
                    WsFederationAuthenticationDefaults.AuthenticationType
            });
app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                MetadataAddress =
                    "https://*******.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml",
                Wtrealm = "http://localhost:62569/",
                Wreply = "http://localhost:62569/callback-signin",
                SecurityTokenHandlers = new SecurityTokenHandlerCollection
                {
                    new MachineKeySessionSecurityTokenHandler
                    {
                        Configuration = new SecurityTokenHandlerConfiguration
                        {
                            CertificateValidationMode = X509CertificateValidationMode.None,
                            IssuerNameRegistry = new ValidatingIssuerNameRegistry
                            {
                                IssuingAuthorities =
                                    new List<IssuingAuthority>
                                    {
                                        new IssuingAuthority("https://*******.accesscontrol.windows.net/")
                                        {
                                            Thumbprints = { "9B9F8B5E21640ED692C*****A62B4077813659B5" },
                                            Issuers = { "https://*******.accesscontrol.windows.net/" }
                                        }
                                    }
                            }
                        }
                    }
                }
            });

And here is the working config file

<?xml version="1.0" encoding="utf-8"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=301880
  -->
<configuration>
  <configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />    
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <connectionStrings>
    <add name="DefaultConnection" connectionString="Data Source=********.database.windows.net,1433;Initial Catalog=*********;Persist Security Info=True;User ID=m*******;Password=*******" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  </appSettings>

  <system.web>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.5.2" />
    <httpRuntime targetFramework="4.5" />
  </system.web>



  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
    <handlers>
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <remove name="OPTIONSVerbHandler" />
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>


 <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="http://localhost:62569" />
      </audienceUris>
      <securityTokenHandlers>
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
      <certificateValidation certificateValidationMode="None" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="https://**********.accesscontrol.windows.net/">
          <keys>
            <add thumbprint="9B9F8B5E21640ED692CC1CF2A62B4077813659B5" />
          </keys>
          <validIssuers>
            <add name="https://*********.accesscontrol.windows.net/" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://***********.accesscontrol.windows.net/v2/wsfederation" realm="http://localhost:62569" reply="http://localhost:62569/callback-signin" requireHttps="false" />
    </federationConfiguration>
  </system.identityModel.services>      

      <entityFramework>
        <providers>
          <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
        </providers>
        <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
          <parameters>
            <parameter value="Data Source=***********.database.windows.net,1433;Initial Catalog=********;Persist Security Info=True;User ID=*************;Password=********" />
          </parameters>
        </defaultConnectionFactory>
      </entityFramework>

    </configuration>

With Owin I get this error:

Exception thrown: 'System.IdentityModel.Tokens.SecurityTokenValidationException' in mscorlib.dll

Additional information: IDX10201: None of the the SecurityTokenHandlers could read the 'securityToken':

    <?xml version="1.0" encoding="UTF-8"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_19fb92df-c8ac-4388-9294-7a8cdb3bcf0b" IssueInstant="2015-07-30T12:07:25.837Z" Version="2.0">
   <Issuer>https://*********.accesscontrol.windows.net/</Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
         <ds:Reference URI="#_19fb92df-c8ac-4388-9294-7a8cdb3bcf0b">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>wEjAPR2kWtfrRKX9tMGvJu/Nv+yLtm1KeXbYFDwbB8U=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>GVamldoBjB+RZY+2bf2700k2Z4PUtp+7Cy9EGTne5+7ID+tLmQ08yXur898O21ldqVqqmGxKbVYQRPVRkF1F+e3bBRipEhyvZ4K8oxQly6f0lLza2svTBSI8GUhLQ9/5ElReaOAgM84q3V5XcBvmXHamanRFSd5hzkTqWbRlNFWJFisqKEuTBTl2DLNV/CeWKrv+11qTgGc0Qxk18mycDGXDfwuWAYcVAZMImiEFm8wErIfOaQ9EbKYqtoVdbuKb5WH2+yjI6jp7uHRKl6x2z77XVLuNRLbutgQDASMGt2dll4P7Ve/tt/NqzkHj7P/zbkEYckY6r1W2Tv1kUeh6vg==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <X509Data>
            <X509Certificate>MIIDSjCCAjagAwIBAgIQrcBhMtovuJ9MilbEjMjS7TAJBgUrDgMCHQUAMDExLzAtBgNVBAMTJm1hcmdvY29uc2VpbC5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE1MDYxNjA4MTYzOFoXDTIwMDUzMTIyMDAwMFowMTEvMC0GA1UEAxMmbWFyZ29jb25zZWlsLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpeZseXX1IYTABUOPr7nfIAXc7cXAI0k+vR3qEbvy0UxEhYAkAocQR2qUTPQ8D1v4lPp59tnHKBGJ0eHt9DYm/SyKkfHsWfqsysZx5NHXSJIhy/SgHwpd8b2q1NKxqBRLrdJKyAua+WWza4p/HMFjEVoN/upZtngSqxUKO/oYqy6m7smkz8vwjzpJR8tyqN881XBQzvryiF/i3ZPFQqlCT9263TMcAGPpym9uvxHzFPPx3u8IDz3AQydyHeViaJhiXGic0VEcm6LMn3JLOYqAzJnv8z89NdpsL4ynv1ekytt/8yyza3CnsU1E4tFDj1HU3785aFZ1xm6wr1MUK9VOTAgMBAAGjZjBkMGIGA1UdAQRbMFmAEN1alzwM3lJSHdh4LFl7uxmhMzAxMS8wLQYDVQQDEyZtYXJnb2NvbnNlaWwuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQrcBhMtovuJ9MilbEjMjS7TAJBgUrDgMCHQUAA4IBAQAsQ5jNKvS2fLtqs9oB6DGTXdI5nAli5UyvZUQlnf******ifG14SRbVdTjUOzngIWAJ5KAQk5t//wSkwgAS+U6AFYI/mee9NLEvOEhrRbpGUP0oL504OZ9zTDeXmGu2FybRB2TvdTKLaeVsBvwqgP33QFkcuPK50fCGC1l3SecIeyWL5fsiw/2+GuTKHjCaeRqnYBgDTINptc9PGayLPBTjs4UPzbccmaYyuanmTAMZGU0iRoGJYet2uAasT52QvWZqD0NUZbWyR1N8CBf5EIW2S/TrpoOBYNgZQU5n9PRJjTBhESHXjfa8RipC8RXU9o</X509Certificate>
         </X509Data>
      </KeyInfo>
   </ds:Signature>
   <Subject>
      <NameID>******.*******@********.net</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
   </Subject>
   <Conditions NotBefore="2015-07-30T12:07:25.837Z" NotOnOrAfter="2015-07-30T13:07:25.837Z">
      <AudienceRestriction>
         <Audience>http://localhost:62569/</Audience>
      </AudienceRestriction>
   </Conditions>
   <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
         <AttributeValue>7102feaa-34af-4756-85ce-b0f69766d78d</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
         <AttributeValue>*****.*******@*******.net</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
         <AttributeValue>******</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
         <AttributeValue>*******</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
         <AttributeValue>https://sts.windows.net/7102feaa-34af-4756-85ce-b0f69766d78d/</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider">
         <AttributeValue>https://sts.windows.net/7102feaa-34af-4756-85ce-b0f69766d78d/</AttributeValue>
      </Attribute>
   </AttributeStatement>
   <AuthnStatement AuthnInstant="2015-07-27T12:39:30.003Z">
      <AuthnContext>
         <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
   </AuthnStatement>
</Assertion>

What I am missing there ? Anything that could help me is more than welcome I've been struggling on this for days !

回答1:

When you specify the SecurityTokenHandlers property to the WS-Federation middlware, you are giving it the definitive list of security token handlers it should use to validate any security tokens it receives, preventing creation of the default token handlers.

By specifying a MachineKeySessionSecurityTokenHandler instance, the middleware can only validate SessionSecurityToken instances. This type of token is used for passing session data. You won't see this token in the messages received from Azure AD, so the middleware message is accurate: it cannot read the security token.

The management of an authenticated session is handled by the cookie middleware - it will issue a "logged in" cookie once you sign in with your external authentication. You shouldn't need to specify an AuthenticationType value unless you're using multiple authentication cookies.

Instead, you need to tell the WS-Federation middleware to perform sign-in using the cookie authentication middleware, using the SignInAsAuthenticationType option. This means that after validating the sign-in message from the Azure AD tenant, it will trigger the cookie authentication middleware to add a cookie to the response. That cookie is then used on subsequent requests to sign in the user with their identity from Azure AD.

The configuration will look like this:

app.UseCookieAuthentication(
    new CookieAuthenticationOptions());

app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions
    {
        SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        MetadataAddress = "https://*******.accesscontrol.windows.net/"
             + "FederationMetadata/2007-06/FederationMetadata.xml",
        Wtrealm = "http://localhost:62569/",
        Wreply = "http://localhost:62569/callback-signin"
    });

Because you have specified the metadata address, the middleware would normally be able to retrieve all the information it requires to validate the tokens returned by your Azure AD tenant. Unfortunately this seems to be using the deprecated Azure Access Control system, so you need to configure the validation of those tokens yourself.

You can use the TokenValidationParameters option to set the same information in a way which does not prevent the default token handlers being created.

TokenValidationParameters = new TokenValidationParameters
{
    ValidIssuer = "https://*******.accesscontrol.windows.net/",
    SigningToken = new X509SecurityToken(...)
}