/// <summary>
/// Computes the Client Assertion portion of the JWT
/// </summary>
/// <param name="header">The JSON Web Token header</param>
/// <param name="claimSet">The JSON Web Token claim set</param>
/// <param name="clientSecret">The client's secret</param>
/// <returns>The assertion</returns>
public string BuildAssertion(JWTHeader header, JWTClaimSet claimSet, string clientSecret)
{
// Serialize the header and claimSet
string serializedHeader = JsonConvert.SerializeObject(header);
string serializedClaimSet = JsonConvert.SerializeObject(claimSet);
// Base64Encode the header and claimSet
string encodedHeader = Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(serializedHeader));
string encodedClaimSet = Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(serializedClaimSet));
// Concatenate the header and the claims separated with a '.': [header].[claims]
string message = string.Join(".", encodedHeader, encodedClaimSet);
// Apply an HMAC/SHA-256 hash* to the concatenated content using the Client Secret as the key
HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(clientSecret));
byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
// Base64Encode the result of the hash
string signature = Convert.ToBase64String(hash);
// Combine the encoded elements as follows [header].[claims].[hash]
string assertion = string.Join(".", encodedHeader, encodedClaimSet, signature);
return assertion;
}
/// <summary>
/// Retrieves a new token from Webtrends auth service
/// </summary>
public string Execute()
{
var builder = new JWTBuilder();
var header = new JWTHeader
{
Type = "JWT",
Algorithm = "HS256"
};
var claimSet = new JWTClaimSet
{
Issuer = clientId,
Principal = clientId,
Audience = audience,
Expiration = DateTime.Now.AddSeconds(30),
Scope = scope
};
string assertion = builder.BuildAssertion(header, claimSet, clientSecret);
var client = new RestClient(authUrl);
var request = new RestRequest("token/", Method.POST);
request.AddParameter("client_id", clientId);
request.AddParameter("client_assertion", assertion);
request.AddParameter("grant_type", "client_credentials");
request.AddParameter("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
var response = client.Execute(request).Content;
return (string)JObject.Parse(response)["access_token"];
}
/// <summary>
/// Retrieves a new token from Webtrends auth service
/// </summary>
public string Execute()
{
var builder = new JWTBuilder();
var header = new JWTHeader
{
Type = "JWT",
Algorithm = "HS256"
};
var claimSet = new JWTClaimSet
{
Issuer = clientId,
Principal = clientId,
Audience = audience,
Expiration = DateTime.Now.ToUniversalTime().AddSeconds(30),
Scope = scope
};
string assertion = builder.BuildAssertion(header, claimSet, clientSecret);
var client = new RestClient(authUrl);
var request = new RestRequest("token/", Method.POST);
request.AddParameter("client_id", clientId);
request.AddParameter("client_assertion", assertion);
request.AddParameter("grant_type", "client_credentials");
request.AddParameter("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
var response = client.Execute(request).Content;
return (string)JObject.Parse(response)["access_token"];
}
private static JsonWebToken Create(string issuer, string audience, DateTime validFrom, DateTime validTo, DateTime issuedAt, IEnumerable <Claim> additionalClaims, JsonWebToken actor, string actorToken, VssSigningCredentials credentials, bool allowExpiredCertificate)
{
ArgumentUtility.CheckStringForNullOrEmpty(issuer, nameof(issuer));
ArgumentUtility.CheckStringForNullOrEmpty(audience, nameof(audience)); // Audience isn't actually required...
validFrom = validFrom == default(DateTime) ? DateTime.UtcNow : validFrom.ToUniversalTime();
validTo = validTo == default(DateTime) ? DateTime.UtcNow + TimeSpan.FromSeconds(DefaultLifetime) : validTo.ToUniversalTime();
//issuedAt is optional, and breaks certain scenarios if it is present, and breaks others if it is not.
//so only include it if it is explicitly set.
issuedAt = issuedAt == default(DateTime) ? default(DateTime) : issuedAt.ToUniversalTime();
JWTHeader header = GetHeader(credentials, allowExpiredCertificate);
JWTPayload payload = new JWTPayload(additionalClaims)
{
Issuer = issuer, Audience = audience, ValidFrom = validFrom, ValidTo = validTo, IssuedAt = issuedAt
};
if (actor != null)
{
payload.Actor = actor;
}
else if (actorToken != null)
{
payload.ActorToken = actorToken;
}
byte[] signature = GetSignature(header, payload, header.Algorithm, credentials);
return(new JsonWebToken(header, payload, signature));
}
public IActionResult CheckToken(string _token)
{
if (_token == null)
{
return(BadRequest("初次登陆,请使用ID与密码登录"));
}
else
{
if (JWTHelper.IsOkToken(_token))
{
JWTHeader header = JWTHelper.GerHeaderFromToken(_token);
string Hd = header.expTime.ToString();
string Now = DateTime.Now.ToString();
if (DateTime.Compare(Convert.ToDateTime(Now), Convert.ToDateTime(Hd)) <= 0)
{
return(Ok());
}
else
{
return(BadRequest("证书过期,请重新登录"));
}
}
else
{
return(BadRequest("验证证书错误,请使用ID与密码登录"));
}
}
}
private JsonWebToken(JWTHeader header, JWTPayload payload, byte[] signature)
{
ArgumentUtility.CheckForNull(header, nameof(header));
ArgumentUtility.CheckForNull(payload, nameof(payload));
//signature allowed to be null
_header = header;
_payload = payload;
_signature = signature;
}
/// <summary>
/// 生成JwtToken
/// </summary>
/// <param name="jwtPayload">非隐私的用户数据</param>
/// <returns></returns>
public static string SetJwtEncode(JWTPayload jwtPayload)
{
try
{
JWTHeader jwtHeader = new JWTHeader();
//格式如下
//var payload = new Dictionary<string, object>
//{
// { "username","admin" },
// { "pwd", "claim2-value" }
//};
//--------------加密器配置
IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
IJsonSerializer serializer = new JsonNetSerializer();
IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder);
//--------------------
//json转string
string strHeader = JsonConvert.SerializeObject(jwtHeader);
string strPayload = JsonConvert.SerializeObject(jwtPayload);
//64位加密
byte[] encHeaderBuff = System.Text.Encoding.UTF8.GetBytes(strHeader);
string basHeader = Convert.ToBase64String(encHeaderBuff);
byte[] encPayloadBuff = System.Text.Encoding.UTF8.GetBytes(strPayload);
string basPayload = Convert.ToBase64String(encPayloadBuff);
string value = basHeader + "." + basPayload;
//debug
//byte[] SHA256Data = System.Text.Encoding.UTF8.GetBytes(value);
//SHA256Managed sha256 = new SHA256Managed();
//byte[] SHA256Reslut = sha256.ComputeHash(SHA256Data);
//var Payload = new Dictionary<string, object>
//{
// { "UserID",jwtPayload.UserID},
// { "UserType",jwtPayload.}
//}
//string basSignature = encoder.Encode(value, saltKey);
string basSignature = encoder.Encode(value, saltKey);
string token = string.Format("{0}.{1}.{2}", basHeader, basPayload, basSignature);
return(token);
//--------
}
//如果创建token失败则返回空值
catch (Exception) { return(string.Empty); }
}
/// <summary>
/// 获取Token信息,解密获得其他信息
/// </summary>
/// <param name="value"></param>
/// <returns>头部信息</returns>
public static JWTHeader GetHeader(string value)
{
try
{
//先把加密的文字解密
byte[] basHeader = Convert.FromBase64String(value);
string decHeader = System.Text.Encoding.UTF8.GetString(basHeader);
//将解密后的数据序列化成对象
JWTHeader header = JsonConvert.DeserializeObject <JWTHeader>(decHeader);
return(header);
}
catch (Exception)
{
return(null);
}
}
private static string getAssertion(string serverId, string privateKey)
{
ArrayList segments = new ArrayList();
JWTHeader jwtHeader = new JWTHeader();
jwtHeader.alg = "RS256";
jwtHeader.typ = "JWT";
string header = jwtHeader.ToJSON();
JWTClaim jwtClaim = new JWTClaim();
jwtClaim.iss = serverId;
jwtClaim.iat = (int)DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1)).TotalSeconds;
jwtClaim.exp = jwtClaim.iat + 1800;
string claim = jwtClaim.ToJSON();
byte[] headerBytes = Encoding.UTF8.GetBytes(header);
byte[] payloadBytes = Encoding.UTF8.GetBytes(claim);
segments.Add(base64UrlEncode(headerBytes));
segments.Add(base64UrlEncode(payloadBytes));
string stringToSign = string.Join(".", segments.ToArray());
byte[] bytesToSign = Encoding.UTF8.GetBytes(stringToSign);
byte[] keyBytes = Convert.FromBase64String(privateKey);
////////////////////RSA SHA-256 암호화////////////////////
var asymmetricKeyParameter = PrivateKeyFactory.CreateKey(keyBytes);
var rsaKeyParameter = (RsaKeyParameters)asymmetricKeyParameter;
ISigner sig = SignerUtilities.GetSigner("SHA256withRSA");
sig.Init(true, rsaKeyParameter);
sig.BlockUpdate(bytesToSign, 0, bytesToSign.Length);
byte[] signature = sig.GenerateSignature();
//////////////////////////////////////////////////////////
segments.Add(base64UrlEncode(signature));
return(string.Join(".", segments.ToArray()));
}
//OnDeserialized never gets called by serializer because we have a custom converter, so call this
//from there...
//[OnDeserialized]
private void OnDeserialized(/*StreamingContext context*/)
{
if (string.IsNullOrEmpty(this._encodedToken))
{
throw new JsonWebTokenDeserializationException();
}
string[] fields = this._encodedToken.Split('.');
if (fields.Length != 3)
{
throw new JsonWebTokenDeserializationException();
}
this._header = JsonWebTokenUtilities.JsonDecode <JWTHeader>(fields[0]);
this._payload = JsonWebTokenUtilities.JsonDecode <JWTPayload>(fields[1]);
if (!string.IsNullOrEmpty(fields[2]))
{
this._signature = fields[2].FromBase64StringNoPadding();
}
}
private static JWTHeader GetHeader(VssSigningCredentials credentials, bool allowExpired)
{
//note credentials are allowed to be null here, see ValidateSigningCredentials
JWTHeader header = new JWTHeader();
JWTAlgorithm alg = JsonWebTokenUtilities.ValidateSigningCredentials(credentials, allowExpired);
header.Algorithm = alg;
if (alg != JWTAlgorithm.None)
{
// Some signing credentials may need to set headers for the JWT
var jwtHeaderProvider = credentials as IJsonWebTokenHeaderProvider;
if (jwtHeaderProvider != null)
{
jwtHeaderProvider.SetHeaders(header);
}
}
return(header);
}
public string GenerateJWT()
{
JWTHeader Header = new JWTHeader();
JWTBody Payload = new JWTBody
{
Username = this.Username,
Group = this.Group,
Iat = DateTime.Now
};
string EncodedHeader = Convert.ToBase64String(Encoding.ASCII.GetBytes(JsonConvert.SerializeObject(Header)));
string EncodedPayload = Convert.ToBase64String(Encoding.ASCII.GetBytes(JsonConvert.SerializeObject(Payload)));
string Message = EncodedHeader + "." + EncodedPayload;
//TODO: Put the file path in a config file somewhere
try
{
return(Message + "." + RS256.Sign(Encoding.ASCII.GetBytes(Message)));
}catch
{
return("fail!");
}
}
//if we alread have the alg, we assume that the creds have been validated already,
//to save the expense of validating twice in the create function...
private static byte[] GetSignature(JWTHeader header, JWTPayload payload, JWTAlgorithm alg, VssSigningCredentials signingCredentials)
{
if (alg == JWTAlgorithm.None)
{
return(null);
}
ArgumentUtility.CheckForNull(header, nameof(header));
ArgumentUtility.CheckForNull(payload, nameof(payload));
string encoding = string.Format("{0}.{1}", header.JsonEncode(), payload.JsonEncode());
byte[] bytes = Encoding.UTF8.GetBytes(encoding);
switch (alg)
{
case JWTAlgorithm.HS256:
case JWTAlgorithm.RS256:
return(signingCredentials.SignData(bytes));
default:
throw new InvalidOperationException();
}
}
/// <summary>
/// Computes the Client Assertion portion of the JWT
/// </summary>
/// <param name="header">The JSON Web Token header</param>
/// <param name="claimSet">The JSON Web Token claim set</param>
/// <param name="clientSecret">The client's secret</param>
/// <returns>The assertion</returns>
public string BuildAssertion(JWTHeader header, JWTClaimSet claimSet, string clientSecret)
{
// Serialize the header and claimSet
string serializedHeader = JsonConvert.SerializeObject(header);
string serializedClaimSet = JsonConvert.SerializeObject(claimSet);
// Base64Encode the header and claimSet
string encodedHeader = Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(serializedHeader));
string encodedClaimSet = Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(serializedClaimSet));
// Concatenate the header and the claims separated with a '.': [header].[claims]
string message = string.Join(".", encodedHeader, encodedClaimSet);
// Apply an HMAC/SHA-256 hash* to the concatenated content using the Client Secret as the key
HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(clientSecret));
byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
// Base64Encode the result of the hash
string signature = Convert.ToBase64String(hash);
// Combine the encoded elements as follows [header].[claims].[hash]
string assertion = string.Join(".", encodedHeader, encodedClaimSet, signature);
return assertion;
}
public static string SignData(JWTPayload payload, byte[] privateKey, string certificatePassword)
{
X509Certificate2 x509Certificate2 = new X509Certificate2(privateKey, certificatePassword);
JWTHeader header = new JWTHeader();
string jsonHeader = JsonConvert.SerializeObject(header);
string jsonPayload = JsonConvert.SerializeObject(payload);
byte[] bytesHeader = Encoding.UTF8.GetBytes(jsonHeader);
byte[] bytesPaylod = Encoding.UTF8.GetBytes(jsonPayload);
List <string> segments = new List <string>();
segments.Add(Base64UrlEncode(bytesHeader));
segments.Add(Base64UrlEncode(bytesPaylod));
byte[] bytesToSign = Encoding.UTF8.GetBytes(string.Join(".", segments.ToArray()));
using (RSA rsa = x509Certificate2.GetRSAPrivateKey())
{
byte[] signedData = rsa.SignData(bytesToSign, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
segments.Add(Base64UrlEncode(signedData));
return(string.Join(".", segments.ToArray()));
}
}
public IJWTBuilder WithHeader(JWTHeader header)
{
JWTHeader = header;
return(this);
}
private static byte[] GetSignature(JWTHeader header, JWTPayload payload, VssSigningCredentials credentials, bool allowExpired)
{
JWTAlgorithm alg = JsonWebTokenUtilities.ValidateSigningCredentials(credentials, allowExpired);
return(GetSignature(header, payload, alg, credentials));
}
