Validating JWT signed with hmac-sha256
Question
I am working on a project that uses the Katana OpenID Connect middleware to authenticate with a third-party (OpenAM) provider. The provider is signing the JWT with hmac-sha256. When the OpenID middleware validates the JWT via a call to ValidateToken, it throws the following exception:
{"IDX10503: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey\r\n'.\nExceptions caught:\n 'System.InvalidOperationException: IDX10618: AsymmetricSecurityKey.GetHashAlgorithmForSignature( ... ) threw an exception.\nAsymmetricSecurityKey: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'\nSignatureAlgorithm: ...hmac-sha256', check to make sure the SignatureAlgorithm is supported.\nException: 'System.NotSupportedException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' not supported in this context.\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetHashAlgorithmForSignature(String algorithm)\r\n at ......
What am I missing, or does the default SecurityTokenHandler really not support that algorithm?
Thanks,
Gordon
Recommended answer
I'm not familiar with Katana, but to me it looks like the wrong code path is triggered: the exception complains about an asymmetric security key, but the hmac-sha256 algorithm is based on a symmetric key (i.e. the client secret).
Also note that you need a relatively recent version of OpenAM, because it contained an HMAC-related bug before: https://bugster.forgerock.org/jira/browse/CAF-112; something at least more recent than OpenAM-12.0.0-SNAPSHOT_20140417.
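The answer's point, that HS256 verification needs the shared client secret rather than an X.509/asymmetric key, as an added Python example (stdlib only; not the question's Katana code and not OpenAM's). The secret, claims and key objects are constructed sample values; the verifier pins the algorithm itself and refuses a non-symmetric key up front, which is the condition behind the IDX10503/IDX10618 exception quoted above.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, client_secret: bytes) -> str:
    """Build a compact JWS the way an HS256-signing provider would (sample issuer)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(client_secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_hs256(token: str, signing_key, now: Optional[int] = None) -> dict:
    """Verify an HS256 token with a symmetric key and return its claims.

    The configured key is checked before anything in the token is trusted: an
    RSA/X.509 key object (anything that is not raw bytes) cannot verify HS256.
    """
    if not isinstance(signing_key, (bytes, bytearray)):
        raise TypeError(
            f"HS256 needs a symmetric key (the client secret); got {type(signing_key).__name__}")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part compact JWS") from None
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token's "alg" header choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only HS256 is accepted here")
    expected = hmac.new(signing_key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```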