How to verify JWT id_token produced by MS Azure AD?


Problem description

I have an angularjs SPA web app which uses ADAL-JS (and adal-angular). It's set up to authenticate vs our corporate AD in MS Azure. The log-in flow seems to work correctly, and the SPA receives an id_token.

Next, when the user clicks a button, the SPA makes a request to a REST API I am hosting on AWS API Gateway. I am passing the id_token on the Authorization: Bearer <id_token> header. The API Gateway receives the header as intended, and now has to determine if the given token is good or not to either allow or deny access.

I have a sample token, and it parses correctly on https://jwt.io/ but I have so far failed to find the Public Key or Certificate I should use to verify the signature. I have looked in:

  • https://login.microsoftonline.com/{tenantid}/federationmetadata/2007-06/federationmetadata.xml
  • https://login.microsoftonline.com/{tenantId}/discovery/keys
  • https://login.microsoftonline.com/common/.well-known/openid-configuration (to get the jwks_uri)
  • https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
  • https://login.microsoftonline.com/common/discovery/keys
  • https://login.microsoftonline.com/common/discovery/v2.0/keys

I think I should use the value of the x5c property of the key in https://login.microsoftonline.com/common/discovery/keys matching the kid and x5t properties from the JWT id_token (currently a3QN0BZS7s4nN-BdrjbF0Y_LdMM, which leads to an x5c value starting with "MIIDBTCCAe2gAwIBAgIQY..." ). However, the https://jwt.io/ page reports "Invalid Signature" (I also tried wrapping the key value with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----").

Also, is there a (possibly python) library that can facilitate the verification of a given id_token as in the case above (so that I won't have to go grab the signing key on the fly myself?)... The best I could find (ADAL for python) doesn't seem to provide this feature?

Recommended answer

The best solution I could put together so far:

Grab the certificate (the first value in the x5c property array) from either https://login.microsoftonline.com/common/discovery/keys or https://login.microsoftonline.com/common/discovery/v2.0/keys, matching kid and x5t from the id_token.

Wrap the certificate in -----BEGIN CERTIFICATE-----\n\n-----END CERTIFICATE----- (the line breaks seem to matter) and use the result as the public key, together with the id_token, on the web UI at https://jwt.io/.

Of course, your actual use case will likely be to have some program validate the incoming JWT id_tokens, so your goal won't be to simply get the token to validate through the web UI on https://jwt.io/.

For instance, in python, I need something like this:

#!/usr/bin/env python3

import jwt  # pyjwt
from cryptography.x509 import load_pem_x509_certificate
from cryptography.hazmat.backends import default_backend

PEMSTART = "-----BEGIN CERTIFICATE-----\n"
PEMEND = "\n-----END CERTIFICATE-----\n"

mspubkey = "The value from the x5c property"  # the entry whose kid/x5t match the token header
IDTOKEN = "the id_token to be validated"
# The aud claim of an Azure AD id_token is your application's client (app) ID,
# so that is the value the audience check must be given.
expected_audience = "your application (client) id"

# load_pem_x509_certificate expects bytes, so encode the assembled PEM string
cert_str = PEMSTART + mspubkey + PEMEND
cert_obj = load_pem_x509_certificate(cert_str.encode("ascii"), default_backend())
public_key = cert_obj.public_key()

try:
    # pyjwt raises (rather than returning a falsy value) on a bad signature,
    # wrong audience or expired token; algorithms= pins RS256 so the token's
    # own alg header cannot downgrade the check.
    decoded = jwt.decode(IDTOKEN, public_key, algorithms=["RS256"], audience=expected_audience)
    print("Decoded!", decoded)
except jwt.InvalidTokenError as exc:
    print("Could not decode token:", exc)

For a list of JWT libraries in various languages, see the JWT Site. I'm using pyjwt, and its cryptography dependency (which has binary dependencies, so needs to be built and packaged for the target OS).

And then, of course, you can verify additional details such as the claims as recommended here.
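As an added example (not code from the answer above), here is the answer's procedure end to end: pick the JWKS entry whose kid matches the token header, check that its x5t thumbprint really is the SHA-1 of the certificate in x5c[0], wrap that certificate in PEM and hand it to pyjwt with the audience and issuer pinned. The JWKS document here is constructed with fake certificate bytes; the v1 (sts.windows.net) issuer format and the use of the application's client ID as the audience are assumptions of this example.

```python
import base64
import hashlib
import json

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used in JWT segments and the x5t thumbprint."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_sample_jwk(kid: str, der: bytes) -> dict:
    """Constructed JWKS entry shaped like the discovery/keys document; der is NOT a real certificate."""
    return {"kty": "RSA", "use": "sig", "kid": kid,
            "x5t": b64url_encode(hashlib.sha1(der).digest()),
            "x5c": [base64.b64encode(der).decode("ascii")]}
SAMPLE_JWKS = {"keys": [make_sample_jwk("KEY-A", b"fake-der-A"), make_sample_jwk("KEY-B", b"fake-der-B")]}

def token_header(id_token: str) -> dict:
    """Read the unverified JOSE header: only kid is taken from it, never alg (algorithms= is pinned below)."""
    return json.loads(b64url_decode(id_token.split(".")[0]))

def thumbprint_matches(key: dict) -> bool:
    """x5t must equal base64url(SHA-1(DER of x5c[0])); a mismatch means a stale or tampered key document."""
    der = base64.b64decode(key["x5c"][0])
    return b64url_encode(hashlib.sha1(der).digest()) == key.get("x5t")

def select_jwk(jwks: dict, header: dict) -> dict:
    kid = header.get("kid")
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            if not thumbprint_matches(key):
                raise ValueError("x5t does not match x5c[0] for kid %r" % kid)
            return key
    raise LookupError("no signing key with kid %r (re-fetch the JWKS once before failing)" % kid)

def x5c_to_pem(x5c_value: str) -> str:
    """Wrap the base64 DER certificate in PEM armour, 64 characters per line."""
    body = "\n".join(x5c_value[i:i + 64] for i in range(0, len(x5c_value), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def verify_id_token(id_token: str, jwks: dict, client_id: str, tenant_id: str) -> dict:
    """Signature, audience (the app's client ID), issuer and expiry are all enforced by pyjwt."""
    import jwt  # pyjwt + cryptography; imported here so the helpers above run without them installed
    from cryptography.x509 import load_pem_x509_certificate
    key = select_jwk(jwks, token_header(id_token))
    public_key = load_pem_x509_certificate(x5c_to_pem(key["x5c"][0]).encode("ascii")).public_key()
    issuer = "https://sts.windows.net/%s/" % tenant_id  # v1 (ADAL) issuer format; assumed for this example
    return jwt.decode(id_token, public_key, algorithms=["RS256"], audience=client_id, issuer=issuer)
```

In production the JWKS is fetched from the jwks_uri in the OpenID configuration and cached, re-fetching once when an unknown kid appears so that Microsoft's key rollover does not break logins.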
