SAML令牌大小和REST

Question

SAML令牌大小和REST

samlwifclaims-based-identitysts-securitytokenservice

5

我们正在为REST服务实现STS（基于声明的身份验证）。我们决定使用REST服务（带有JSON），其中一个原因是它在网络传输时占用的空间较小。但是，在使用STS时，SAML令牌只包含少量声明时，SAML大小变为几K字节。对于大多数REST调用，我们不返回对象列表，响应大小为低100个字节，对于这些调用，该令牌似乎过于繁琐。您在项目中如何处理这种情况？

- amit_g

2个回答

0

您可以在REST端点中使用SAML令牌，但更常见的是人们使用简单Web令牌（SWT）。它们更小、更简单等。

例如，Windows Azure平台中的ACS（访问控制服务）实现了这一点。

- Eugenio Pace

SWT似乎没有进展。JWT也还处于初期阶段。看来我们现在必须处理SAML。http://startersts.codeplex.com/discussions/242113?ProjectName=startersts - amit_g

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Vladik Branevich · Accepted Answer

如果涉及到IT技术，你需要了解JSON Web令牌（JWT）和ACS的相关知识。这个文章会对你有所帮助，介绍了Microsoft .NET Framework 4.5中的JSON Web Token Handler。下面是一个使用.NET 4.5签发和验证基于对称密钥的HMAC SHA256签名JWT的示例。

string jwtIssuer = "MyIssuer";
string jwtAudience = "MyAudience";

// Generate symmetric key for HMAC-SHA256 signature
RNGCryptoServiceProvider cryptoProvider = new RNGCryptoServiceProvider();
byte[] keyForHmacSha256 = new byte[64];
cryptoProvider.GetNonZeroBytes(keyForHmacSha256);

///////////////////////////////////////////////////////////////////
// Create signing credentials for the signed JWT.
// This object is used to cryptographically sign the JWT by the issuer.
SigningCredentials sc = new SigningCredentials(
                                new InMemorySymmetricSecurityKey(keyForHmacSha256),
                                "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
                                "http://www.w3.org/2001/04/xmlenc#sha256");

///////////////////////////////////////////////////////////////////
// Create token validation parameters for the signed JWT
// This object will be used to verify the cryptographic signature of the received JWT
TokenValidationParameters validationParams =
    new TokenValidationParameters()
    {
        AllowedAudience = s_jwtAudience,
        ValidIssuer = s_jwtIssuer,
        ValidateExpiration = true,
        ValidateNotBefore = true,
        ValidateIssuer = true,
        ValidateSignature = true,
        SigningToken = new BinarySecretSecurityToken(keyForHmacSha256),
    };

///////////////////////////////////////////////////////////////////
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();

// Create a simple JWT claim set
IList<Claim> payloadClaims = new List<Claim>() { new Claim("clm1", "clm1 value"), };

// Create a JWT with signing credentials and lifetime of 12 hours
JWTSecurityToken jwt =
    new JWTSecurityToken(jwtIssuer, jwtAudience, payloadClaims, sc, DateTime.UtcNow, DateTime.UtcNow.AddHours(12.0));

// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);

// Validate the token signature (we provide the shared symmetric key in `validationParams`)
// This will throw if the signature does not validate
jwtHandler.ValidateToken(jwtOnTheWire, validationParams);

// Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>)
JWTSecurityToken parsedJwt = jwtHandler.ReadToken(jwtOnTheWire) as JWTSecurityToken;