A, jwt three components
A first look at a standard token issued by IdentityServer
eyJhbGciOiJSUzI1NiIsImtpZCI6IjBiNTE3ZjIzYWY0OGM4ZjkyZjExMzM5MDMwZTI5NDkwIiwidHlwIjoiSldUIn0.
eyJuYmYiOjE1Njk4MDUxNzgsImV4cCI6MTU2OTgwNTQ3OCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoiYXBpQ2xpZW50SHlicmlkIiwibm9uY2UiOiI2MzcwNTQwMTk
2OTg5ODM3MjAuTnpZM016RTFObVF0WXpBMFlpMDBNR1k1TFdGbE1qY3RORGc0WldJMVl6RmpOemMzWW1Sa05URXdabUV0T1RKbU9DMDBZemRsTFdFNE16TXRaV0l6T0dabE5tWmlOamRoIi
wiaWF0IjoxNTY5ODA1MTc4LCJhdF9oYXNoIjoiMzRmemR5QzJmWFNCN3QzYl9mOW1VUSIsInNpZCI6IjIyOWU0OWRmOTZkY2U0OTVjMjZkMzI4MDhjMDM3MTk3Iiwic3ViIjoiMCIsImF1d
GhfdGltZSI6MTU2OTgwNTE3NSwiaWRwIjoibG9jYWwiLCJuYW1lIjoiYXBpVXNlciIsInBob25lbW9kZWwiOiJodWF3ZWkiLCJhbXIiOlsicHdkIl19.
rjksvMQkguG6qgQed7NZumdtcyDiEBuy9pDpEB-DOCGjqHF8BwI9CAWEOEbdb6PI9qBdFaZdafREZSodoL8qZMbd5ss2yrt01jhCaT00V54_ySFfyaBwpy8PFlasdygQEgEF44ZMLkaMWuV
u_dV22wkE1y5TCsPj-5hM7CpLiDDwaQvEVMe8FEZbJAZ8wskvnAFLY7P37LzjjPDWXW3hB10e-teNel2yXzsnlwpebQnLwUD46tKwAt4XDJ7yYqkuQ1y_dVvqJYf2awEeZPSn7tzThTaz5H
PCNvPwiO_9w7O1nb9gk-t97DR9uOC1Iz5fFHPuRjI7Gcm5dm3dgmgBfg
. "" This token symbol to divide it into three parts:
1, the head: Base64-encoded string through JSON
"Alg" field indicates the signature encryption token, we use the above RSA256 asymmetric encryption, "type", it said it was a token JWT format. A value of "kid" is issued by the token freely defined, varying usefulness, it can be used to represent a message number, but more to increase the complexity of the signature. The difficulty of such a md5 encrypted string, if the string is very simple, regular, then it is easy to crack, but with a certain algorithm after processing, such as before and after the string with a set of keys, then to crack on great, but not to the processing algorithm was easy to guess, because the kid is a value anyone can see.
2, the message body: payload, but also through a Base64 encoded JSON string, comprising the Claim token, the token acquisition is part of the main information.
3, the signature string.
Once the token is issued, the contents of the first two parts are visible to everyone, without any security measures. So how do you ensure that the token has not been tampered and forged people? That is, by a signature string generated by the signature algorithm.
IdentityServer4 signature algorithm using RSA encryption algorithm is a RSA asymmetric encryption algorithm with the private key encrypted with the public key to decrypt. Private key stored only in IdentityServer end, while the public key can be published out, IdentityServer by a publicly the URL of: HTTP: // localhost: 5000 / .well-Known / openid-the Configuration / jwks published public key. Here we should pay attention to a problem, because the public key is then necessary to protect the private key, the private key is compromised if it is vulnerable to tampering and forgery token people. IdentityServer4 order to protect the private key secure, separate development environment and release the key environmental load. IdentityServer4 exposes two methods AddSigningCredential and AddDeveloperSigningCredential, respectively, for the development and publishing environment environmental load key. AddDeveloperSigningCredential creates a temporary key used for debugging environment. Practical application development environment key certificate can be placed directly on the server, the server publish a project to point to this key through the configuration file.
Second, the use Openssl create key certificate.
From https://www.openssl.org/ download and install the openssl package installed, open a command line, enter openssl, if prompted Openssl not an internal or external command, you need to set the environment variable, the Openssl installation directory to the path environment variable .
In addition a new environment variable, as shown below, entitled: OPENSSL_CONF, pointing openssl.cfg file your installation directory, enter openssl now should be no problem.
Create a new folder for placing the key, open a command line in the directory.
1, to apply a private key, at the command line: openssl genrsa -out private_ids.key 2048. Apply for a 2048 RSA encryption private key. The more a directory file named private_ids.key of.
2, to apply a public key, openssl req -new -x509 -key private_ids.key -days 3650 -out public_ids.crt. -Key private_ids.key which is designated the private key paired public key, private key application is the first step. x509 is a standard X.509 public key format.
Next you will be prompted to enter some information, show authority for information, such as company, country, city, etc.
PS E:\ssl\tch> openssl req -new -x509 -key private_ids.key -days 3650 -out public_ids.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:GUANGDONG Locality Name (eg, city) []:DONGGUANG Organization Name (eg, company) [Internet Widgits Pty Ltd]:KINGSUN Organizational Unit Name (eg, section) []:KINGSUN-IN Common Name (e.g. server FQDN or YOUR name) []:LIUJB Email Address []:[email protected] PS E:\ssl\tch>
If you do not have to enter them every time, you can use the "-config profile directory," the manner specified configuration file, after Openssl after installation, there is a named openssl.cnf the default configuration file in the installation directory bin / cnf directory. Edit the file, find req_distinguished_name
[ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = AU countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Some-State localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Internet Widgits Pty Ltd # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64
Here you can specify the default values for these parameters, such as the countries designated default value CN. CountryName_default into the CN on the line. After completion of the application public, the directory will be more than a public_ids.crt file.
3, extracts the encrypted public key and private key. In consideration of the spread of security needs to be a public key and private key encryption, support for Microsoft PCK12 (public-key cryptography standard No. 12: Public Key Cryptography Standards # 12), PCK12 together the public and private keys in a PFX file extension and use password protection, such as the need to extract the public key and private key password confirmation. Another feel public and private key encryption is extracted JKS (JAVA Key Store) for public and private key extraction JAVA environment. Both formats can be converted to each other.
Enter the command line
openssl pkcs12 -export -in public_ids.crt -inkey private_ids.key -out ids.pfx
After entering the password and confirm the password, the current directory will be more of a file: ids.pfx. This is our use of a key certificate.
Third, using the key
The second step will generate ids.pfx file replication server publishing directory, if only to test the project can be copied to a local directory. The directory information and certificates extract passwords stored in the configuration file
"Certificates": {
"CertPath": "Certificates/idsrv4.pfx",
"Password": "123456"
}
You can use the configuration information is loaded key certificate for the development environment
if (Environment.IsDevelopment())
{
builder.AddDeveloperSigningCredential();
}
else
{
builder.AddSigningCredential(new X509Certificate2(Path.Combine(Environment.ContentRootPath,
Configuration["Certificates:CertPath"]),
Configuration["Certificates:Password"]));
}
If you want to have a unified debugging environment certificate, you can remove the judge environment, only key certificate is loaded with AddSigningCredential way.
