How are Microsoft account JWT authentication tokens signed?


Problem description

In my web application I need to validate the JWT authentication tokens which I get from Live SDK 5.6. A while ago the signature of those tokens was an HMAC-SHA256 hash of the base64-encoded header+payload, using a signing key which was the app secret (from account.live.com/developers/applications) + "JWTSig". It seems that is not the case now.

Does anyone know how those tokens are signed now?

Sorry for my English.

Recommended answer

The best way to do this is to get the JWT token returned from Azure Mobile Services and validate that it was signed using the same master key from AMS. There is a project on GitHub that shows how to do this:

JWT Validator

This was basically a derivative of another GitHub project that has the original ASP.NET sample here:

AuthenticationTokenSample

The main validation occurs when calling the ValidateSignature() method, which takes the bytes of the UTF-8 representation of the JWT Claim segment and calculates an HMAC SHA-256 MAC on them using the shared key from Azure Mobile Services. If the JWT Crypto Segment and the previously calculated value match, then one has confirmation that the key was used to generate the HMAC on the JWT and that the contents of the JWT Claim Segment have not been tampered with.

The one main thing I found is to remove the "JWTSig" string from being appended to the master key in the ValidateSignature() method. It appears the tokens being signed by AMS no longer append that string to the master key. I had all sorts of trouble getting the validation to pass until I removed that segment.
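The check the answer describes, as an added, stand-alone example that is not code from the question, the answer, or either of the linked GitHub projects. It implements HS256 verification of a compact JWS using only the Python standard library: the MAC is computed over the standard JWS signing input, `base64url(header) + "." + base64url(payload)` (RFC 7515; the linked sample's ValidateSignature() may scope it differently), the signature is compared in constant time, the `alg` header is checked against the algorithm we hold a key for rather than trusted from the token, and `exp` is enforced. The `signing_key()` helper shows the two key derivations discussed in the thread (app secret + "JWTSig" versus the secret alone); which one a given issuer uses is an assumption you must confirm against your own tokens. All secrets, claim values and the token itself are constructed here and are not real credentials or a real Live Connect token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """JWS base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that JWS strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_key(app_secret: str, append_jwtsig: bool) -> bytes:
    # The question describes the older key as app secret + "JWTSig"; the answer reports
    # that the suffix is no longer appended, so the key is the secret alone. Assumption:
    # the secret is used as raw UTF-8 bytes, with no further derivation.
    return (app_secret + ("JWTSig" if append_jwtsig else "")).encode("utf-8")


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Produce a compact-serialised HS256 JWS (used here only to build test tokens)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_hs256(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if `token` is a valid, unexpired HS256 JWS under `key`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    # Decide the algorithm from what *we* expect, never from the attacker-controlled header:
    # this rejects "none" and any non-HMAC alg the shared key could not verify.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    # Treat a token with no integer exp as invalid rather than as never-expiring.
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


# Constructed sample values (not real credentials, identifiers or a real token).
APP_SECRET = "example-app-secret"
HEADER = {"typ": "JWT", "alg": "HS256"}
CLAIMS = {"iss": "example-issuer", "exp": 1700003600, "uid": "example-user-id", "ver": 1}
NOW = 1700000000


def demo() -> dict:
    """Sign with the master key alone, then verify with both candidate keys."""
    key_now = signing_key(APP_SECRET, append_jwtsig=False)
    key_old = signing_key(APP_SECRET, append_jwtsig=True)
    token = sign_hs256(HEADER, CLAIMS, key_now)
    return {
        "valid_with_master_key": validate_hs256(token, key_now, NOW) == CLAIMS,
        "valid_with_jwtsig_key": validate_hs256(token, key_old, NOW) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports that the token verifies only under the key without the "JWTSig" suffix, which is the symptom the answer describes; if your real tokens behave the other way round, flip `append_jwtsig`. Note that the `alg` check is what keeps a shared-secret verifier from being downgraded to `none` or tricked into treating a public key as an HMAC secret, so it belongs in any port of the linked sample as well.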
