如果您不想使用MachineKey
,并且希望它跨不同的服务器和用户具有唯一的MachineKey
,那么这可能会有点棘手。
在Asp.NET Core和Framework中实现数据保护提供程序(生成密码重置链接)
我开始使用DataProtectionTokenProvider.cs
来实现自己的ValidateAsync
。这个类真的帮助我找到了解决方案。
https://github.com/aspnet/Identity/blob/master/src/Identity/DataProtectionTokenProvider.cs
使用DataProtectorTokenProvider<TUser, TKey>
时,令牌是从SecurityStamp
生成的,但深入了解很困难。考虑到如果在单个服务器上更改了应用程序池标识
,则验证将失败,这表明实际的保护机制可能如下所示:
System.Security.Cryptography.ProtectedData.Protect(userData, entropy, DataProtectionScope.CurrentUser);
假设所有站点都使用相同的应用程序池标识
,则此方法有效。它也可以是具有protectionDescriptor
"LOCAL=user"
的DataProtectionProvider
。
new DataProtectionProvider("LOCAL=user")
https://learn.microsoft.com/en-us/previous-versions/aspnet/dn613280(v%3dvs.108)
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.dataprotector?view=netframework-4.7.2
https://learn.microsoft.com/en-us/uwp/api/windows.security.cryptography.dataprotection.dataprotectionprovider
当阅读关于DpapiDataProtectionProvider
(DPAPI代表数据保护应用程序编程接口)的描述时,它说:
用于提供从数据保护API派生的数据保护服务。当您的应用程序未由ASP.NET托管且所有进程都以相同的域标识运行时,它是数据保护的最佳选择。
创建方法的目的如下所述:
使用额外的熵来确保受保护的数据只能出于正确的目的而被解除保护。
https://learn.microsoft.com/en-us/previous-versions/aspnet/dn253784(v%3dvs.113)
鉴于这些信息,我认为使用 Microsoft
提供的普通类没有前进的方法。
最终我实现了自己的 IUserTokenProvider<TUser, TKey>
、IDataProtectionProvider
和 IDataProtector
来解决问题。
我选择使用证书来实现 IDataProtector
,因为我可以相对容易地在服务器之间传输它们。我还可以使用运行网站的 应用程序池身份
从 X509Store
中获取它,因此不需要将密钥存储在应用程序本身中。
public class CertificateProtectorTokenProvider<TUser, TKey> : IUserTokenProvider<TUser, TKey>
where TUser : class, IUser<TKey>
where TKey : IEquatable<TKey>
{
private IDataProtector protector;
public CertificateProtectorTokenProvider(IDataProtector protector)
{
this.protector = protector;
}
public virtual async Task<string> GenerateAsync(string purpose, UserManager<TUser, TKey> manager, TUser user)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
var ms = new MemoryStream();
using (var writer = new BinaryWriter(ms, new UTF8Encoding(false, true), true))
{
writer.Write(DateTimeOffset.UtcNow.UtcTicks);
writer.Write(Convert.ToInt32(user.Id));
writer.Write(purpose ?? "");
string stamp = null;
if (manager.SupportsUserSecurityStamp)
{
stamp = await manager.GetSecurityStampAsync(user.Id);
}
writer.Write(stamp ?? "");
}
var protectedBytes = protector.Protect(ms.ToArray());
return Convert.ToBase64String(protectedBytes);
}
public virtual async Task<bool> ValidateAsync(string purpose, string token, UserManager<TUser, TKey> manager, TUser user)
{
try
{
var unprotectedData = protector.Unprotect(Convert.FromBase64String(token));
var ms = new MemoryStream(unprotectedData);
using (var reader = new BinaryReader(ms, new UTF8Encoding(false, true), true))
{
var creationTime = new DateTimeOffset(reader.ReadInt64(), TimeSpan.Zero);
var expirationTime = creationTime + TimeSpan.FromDays(1);
if (expirationTime < DateTimeOffset.UtcNow)
{
return false;
}
var userId = reader.ReadInt32();
var actualUser = await manager.FindByIdAsync(user.Id);
var actualUserId = Convert.ToInt32(actualUser.Id);
if (userId != actualUserId)
{
return false;
}
var purp = reader.ReadString();
if (!string.Equals(purp, purpose))
{
return false;
}
var stamp = reader.ReadString();
if (reader.PeekChar() != -1)
{
return false;
}
if (manager.SupportsUserSecurityStamp)
{
return stamp == await manager.GetSecurityStampAsync(user.Id);
}
return stamp == "";
}
}
catch (Exception e)
{
}
return false;
}
public Task NotifyAsync(string token, UserManager<TUser, TKey> manager, TUser user)
{
throw new NotImplementedException();
}
public Task<bool> IsValidProviderForUserAsync(UserManager<TUser, TKey> manager, TUser user)
{
throw new NotImplementedException();
}
}
public class CertificateProtectionProvider : IDataProtectionProvider
{
public IDataProtector Create(params string[] purposes)
{
return new CertificateDataProtector(purposes);
}
}
public class CertificateDataProtector : IDataProtector
{
private readonly string[] _purposes;
private X509Certificate2 cert;
public CertificateDataProtector(string[] purposes)
{
_purposes = purposes;
X509Store store = null;
store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
var certificateThumbprint = ConfigurationManager.AppSettings["CertificateThumbprint"].ToUpper();
cert = store.Certificates.Cast<X509Certificate2>()
.FirstOrDefault(x => x.GetCertHashString()
.Equals(certificateThumbprint, StringComparison.InvariantCultureIgnoreCase));
}
public byte[] Protect(byte[] userData)
{
using (RSA rsa = cert.GetRSAPrivateKey())
{
return rsa.Encrypt(userData, RSAEncryptionPadding.OaepSHA1);
}
}
public byte[] Unprotect(byte[] protectedData)
{
using (RSA rsa = cert.GetRSAPrivateKey())
{
return rsa.Decrypt(protectedData, RSAEncryptionPadding.OaepSHA1);
}
}
}
客户网站重置:
var provider = new CertificateProtectionProvider();
var protector = provider.Create("ResetPassword");
userManager.UserTokenProvider = new CertificateProtectorTokenProvider<ApplicationUser, int>(protector);
if (!await userManager.UserTokenProvider.ValidateAsync("ResetPassword", model.Token, UserManager, user))
{
return GetErrorResult(IdentityResult.Failed());
}
var result = await userManager.ResetPasswordAsync(user.Id, model.Token, model.NewPassword);
后台管理:
var createdUser = userManager.FindByEmail(newUser.Email)
var provider = new CertificateProtectionProvider()
var protector = provider.Create("ResetPassword")
userManager.UserTokenProvider = new CertificateProtectorTokenProvider<ApplicationUser, int>(protector)
var token = userManager.GeneratePasswordResetToken(createdUser.Id)
关于普通的
DataProtectorTokenProvider<TUser, TKey>
的工作原理,以下是更多信息:
https://dev59.com/qYXca4cB1Zd3GeqPHFuc#53390287