SecurityTokenService.GetScope(ClaimsPrincipal, RequestSecurityToken) 方法

定义

获取包含与指定请求(RST)关联的依赖方(RP)信息的 Scope 对象。 实现该 SecurityTokenService 类时,必须重写此方法。

protected:
 abstract System::IdentityModel::Scope ^ GetScope(System::Security::Claims::ClaimsPrincipal ^ principal, System::IdentityModel::Protocols::WSTrust::RequestSecurityToken ^ request);
protected abstract System.IdentityModel.Scope GetScope (System.Security.Claims.ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request);
abstract member GetScope : System.Security.Claims.ClaimsPrincipal * System.IdentityModel.Protocols.WSTrust.RequestSecurityToken -> System.IdentityModel.Scope
Protected MustOverride Function GetScope (principal As ClaimsPrincipal, request As RequestSecurityToken) As Scope

参数

principal
ClaimsPrincipal

一个 ClaimsPrincipal,表示客户发出请求。

request
RequestSecurityToken

RequestSecurityToken 表示传入请求 (RST)。

返回

Scope 封装与请求关联的 RP 信息。

示例

本主题中使用的代码示例取自 Custom Token 示例。 此示例提供自定义类,这些类支持处理简单 Web 令牌 (SWT) ,并包含能够为 SWT 令牌提供服务的被动 STS 的实现。 有关如何实现活动 STS 的示例,请参阅示例 Federation Metadata 。 有关这些示例和可用于 WIF 的其他示例以及下载位置的信息,请参阅 WIF 代码示例索引

下面的代码示例演示 GetScope 方法的实现。 此实现验证 RP 是否被 STS 识别,验证 ReplyTo 请求中的地址并相应地设置 Scope.ReplyToAddress 属性,并根据文件中硬编码的证书设置要与 RP 一起使用的签名和加密凭据。

// Certificate Constants
private const string SIGNING_CERTIFICATE_NAME = "CN=localhost";
private const string ENCRYPTING_CERTIFICATE_NAME = "CN=localhost";

private SigningCredentials _signingCreds;
private EncryptingCredentials _encryptingCreds;
// Used for validating applies to address, set to URI used in RP app of application, could also have been done via config
private string _addressExpected = "http://localhost:19851/";
/// <summary>
/// This method returns the configuration for the token issuance request. The configuration
/// is represented by the Scope class. In our case, we are only capable of issuing a token to a
/// single RP identity represented by the _encryptingCreds field.
/// </summary>
/// <param name="principal">The caller's principal</param>
/// <param name="request">The incoming RST</param>
/// <returns></returns>
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
    // Validate the AppliesTo address
    ValidateAppliesTo( request.AppliesTo );

    // Create the scope using the request AppliesTo address and the RP identity
    Scope scope = new Scope( request.AppliesTo.Uri.AbsoluteUri, _signingCreds );

    if (Uri.IsWellFormedUriString(request.ReplyTo, UriKind.Absolute))
    {
        if (request.AppliesTo.Uri.Host != new Uri(request.ReplyTo).Host)
            scope.ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri;
        else
            scope.ReplyToAddress = request.ReplyTo;
    }
    else
    {
        Uri resultUri = null;
        if (Uri.TryCreate(request.AppliesTo.Uri, request.ReplyTo, out resultUri))
            scope.ReplyToAddress = resultUri.AbsoluteUri;
        else
            scope.ReplyToAddress = request.AppliesTo.Uri.ToString() ;
    }

    // Note: In this sample app only a single RP identity is shown, which is localhost, and the certificate of that RP is 
    // populated as _encryptingCreds
    // If you have multiple RPs for the STS you would select the certificate that is specific to 
    // the RP that requests the token and then use that for _encryptingCreds
    scope.EncryptingCredentials = _encryptingCreds;

    return scope;
}
/// <summary>
/// Validates the appliesTo and throws an exception if the appliesTo is null or appliesTo contains some unexpected address.
/// </summary>
/// <param name="appliesTo">The AppliesTo parameter in the request that came in (RST)</param>
/// <returns></returns>
void ValidateAppliesTo(EndpointReference appliesTo)
{
    if (appliesTo == null)
    {
        throw new InvalidRequestException("The appliesTo is null.");
    }

    if (!appliesTo.Uri.Equals(new Uri(_addressExpected)))
    {
        throw new InvalidRequestException(String.Format("The relying party address is not valid. Expected value is {0}, the actual value is {1}.", _addressExpected, appliesTo.Uri.AbsoluteUri));
    }
}

注解

方法 GetScope 在 方法之后从令牌颁发管道调用, ValidateRequest 应返回 Scope 为传入请求配置的 对象。 (令牌颁发管道在 方法中 Issue 实现。) Scope 对象封装与安全令牌请求关联的 RP 的信息, (RST) 。 这包括有关要与 RP 一起使用的加密和签名凭据以及是否加密响应中任何颁发的令牌和/或对称密钥的信息。 在 方法中 GetScope 执行的一些典型任务包括:

实施者说明

实现该 SecurityTokenService 类时,必须重写此方法。

适用于

另请参阅