JWT SecurityTokenInvalidSignatureException using RS256 PII is hidden

Problem description

Please help! I'm having trouble validating a JWT token signed with RS256 using Microsoft's System.IdentityModel.Tokens.Jwt library.

This token validates just fine on JWT.io.

Here is the error:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'. Exceptions caught: '[PII is hidden]'. token: '[PII is hidden]'.

Here is the sample code (I'm using LinqPad with the System.IdentityModel.Tokens.Jwt v5.2.2 NuGet package):

void Main()
{
    var cText =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIBljCCAUACCQCIDMpqK7WfWDANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJV\n" + 
        "UzETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UECgwJTHV4b3R0aWNhMRowGAYD\n" +
        "VQQLDBFMdXhvdHRpY2EgZXllY2FyZTAeFw0xODA1MjMxNTE1MjdaFw0yODA1MjAx\n" +
        "NTE1MjdaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYD\n" +
        "VQQKDAlMdXhvdHRpY2ExGjAYBgNVBAsMEUx1eG90dGljYSBleWVjYXJlMFwwDQYJ\n" +
        "KoZIhvcNAQEBBQADSwAwSAJBAKuMYcirPj81WBtMituJJenF0CG/HYLcAUOtWKl1\n" +
        "HchC0dM8VRRBI/HV+nZcweXzpjhX8ySa9s7kJneP0cuJiU8CAwEAATANBgkqhkiG\n" +
        "9w0BAQsFAANBAKEM8wQwlqKgkfqnNFcbsZM0RUxS+eWR9LvycGuMN7aL9M6GOmfp\n" +
        "QmF4MH4uvkaiZenqCkhDkyi4Cy81tz453tQ=\n" +
        "-----END CERTIFICATE-----";

    var c = new X509Certificate2(Encoding.ASCII.GetBytes(cText));
    var p = new TokenValidationParameters();
    p.IssuerSigningKeyResolver = (s, securityToken, identifier, parameters)
        => new[] { new X509SecurityKey(c) };
    var h = new JwtSecurityTokenHandler();
    var token = @"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJuLmNoaWVmZm8iLCJleHAiOjE1MjcyMzg4ODEsImlzcyI6Imx1eCJ9.BAaYzLwokmdKqLi6zKjGIpDXd__dZxi5PUWWHS3PSLPDYAInzPbEK8o4WxunoGD7eA0qtQNaxNpzeOc3BHrd4w";
    h.ValidateToken(token, p, out SecurityToken _);
}

Finally it would be nice to also know how to remove the [PII is hidden] so I can see more detail on the error. Setting the enableLoggingKnownPii and logKnownPII to true in the app.config or even the machine.config file did not seem to make a difference.

Recommended answer

It turns out that the KeySize for X509SecurityKey needs to be at least 1024 in length for verifying. This is not obvious from the exception, since it is hidden with the [PII is hidden] filter.

Adding the following line made the exception text a lot more useful:

IdentityModelEventSource.ShowPII = true;

The new exception text:

'System.ArgumentOutOfRangeException: IDX10631: The 'Microsoft.IdentityModel.Tokens.X509SecurityKey' for verifying cannot be smaller than '1024' bits. KeySize: '512'.

Increasing the length of the asymmetric key to 1024 solved the problem.
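
An added example, not part of the original question or answer: a pre-flight check that surfaces the undersized-key condition behind IDX10631 before validation, with ShowPII limited to an explicit diagnostics switch. The class name JwtKeyPreflight, its method names and the diagnostics parameter are hypothetical; the 1024-bit minimum is the one quoted in the exception text above.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

static class JwtKeyPreflight   // hypothetical helper, not part of the library
{
    // Minimum size for verification keys, as reported by IDX10631 in the answer.
    const int MinVerifyKeyBits = 1024;

    // Build the verification key and reject an undersized one with a readable
    // message, so the cause is visible even while the library redacts its own text.
    public static X509SecurityKey LoadVerificationKey(string pem)
    {
        var cert = new X509Certificate2(Encoding.ASCII.GetBytes(pem));
        var key = new X509SecurityKey(cert);
        if (key.KeySize < MinVerifyKeyBits)
            throw new ArgumentException(
                $"Certificate {cert.Thumbprint} carries a {key.KeySize}-bit key; " +
                $"verification needs at least {MinVerifyKeyBits} bits.");
        return key;
    }

    // The caller supplies its own TokenValidationParameters (issuer, audience,
    // lifetime settings); only the signing key is set here.
    public static ClaimsPrincipal Validate(
        string token, string pem, TokenValidationParameters parameters, bool diagnostics)
    {
        // With ShowPII on, exception and log text include the raw token and key
        // details, so enable it only for a local debugging session.
        IdentityModelEventSource.ShowPII = diagnostics;

        parameters.IssuerSigningKey = LoadVerificationKey(pem);
        return new JwtSecurityTokenHandler()
            .ValidateToken(token, parameters, out SecurityToken _);
    }
}
```

With the 512-bit certificate from the question, LoadVerificationKey throws before ValidateToken is called, so the key-size problem is reported without unredacting the library's messages.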
