.Net Core API JWT Token Validation
Question
Implemented the JWT Bearer Token validation in .Net Core WEB API as mentioned below:
```csharp
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(opt =>
    {
        opt.Audience = Configuration["AAD:ResourceId"];
        opt.Authority = $"{Configuration["AAD:Instance"]}{Configuration["AAD:TenantId"]}";
    });
```
Doubt here is: will the above mentioned code validate only the audience and authority, or will it validate all the parameters like expiration and signature etc.?
Do we need to validate the signature explicitly to check whether the payload has been tampered with?
Answer
I think you're looking for this:
https://zhiliaxu.github.io/how-do-aspnet-core-services-validate-jwt-signature-signed-by-aad.html
Here zhiliaxu explains in detail how and what is actually validated when using .AddJwtBearer(), and his conclusions are:
It is now clear that:
- JWT signature is validated without providing any key or certification in our service’s source code.
- JWT signing key is retrieved from the well-known URL https://login.microsoftonline.com/common/discovery/keys, based on JwtBearerOptions.Authority property.
- The signing key is cached in the JwtBearerHandler singleton instance, and so our ASP.NET Core service only needs to retrieve it once throughout its lifecycle.
Also based on this article we can take a look at the ValidateToken() documentation on MSDN: https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=azure-dotnet, where you can find the different exceptions the method throws:
- SecurityTokenDecryptionFailedException: token was a JWE that was not able to be decrypted.
- SecurityTokenEncryptionKeyNotFoundException: token 'kid' header claim is not null AND decryption fails.
- SecurityTokenException: token 'enc' header claim is null or empty.
- SecurityTokenExpiredException: token 'exp' claim is < DateTime.UtcNow.
- SecurityTokenInvalidAudienceException: token 'aud' claim did not match either ValidAudience or one of ValidAudiences.
- SecurityTokenInvalidLifetimeException: token 'nbf' claim is > 'exp' claim.
- SecurityTokenInvalidSignatureException: token.signature is not properly formatted.
- SecurityTokenNoExpirationException: TokenReplayCache is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
- SecurityTokenNotYetValidException: token 'nbf' claim is > DateTime.UtcNow.
- SecurityTokenReplayAddFailedException: token could not be added to the TokenReplayCache.
- SecurityTokenReplayDetectedException: token is found in the cache.
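To make the answer concrete, here is an added example (not code from the question, the answer, or the linked article) that keeps the question's Authority/Audience setup but writes out the TokenValidationParameters switches the handler applies, and logs which of the exceptions above caused a rejection. It assumes the same AAD:Instance, AAD:TenantId and AAD:ResourceId configuration keys as the question; the extension method name AddAadJwtBearer and the Token-Expired response header are my own choices.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public static class JwtBearerSetup
{
    // Added example: the question's Authority/Audience setup with the validation
    // switches written out. Most of them are already the library defaults.
    public static IServiceCollection AddAadJwtBearer(this IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(opt =>
            {
                opt.Authority = $"{configuration["AAD:Instance"]}{configuration["AAD:TenantId"]}";
                opt.Audience = configuration["AAD:ResourceId"];
                opt.RequireHttpsMetadata = true; // discovery document and signing keys must arrive over TLS
                opt.TokenValidationParameters = new TokenValidationParameters
                {
                    RequireSignedTokens = true,      // default: unsigned / alg "none" tokens are rejected
                    ValidateIssuerSigningKey = true, // also validate the key itself (e.g. cert lifetime); default false
                    ValidateIssuer = true,           // default: 'iss' must match the issuer from the discovery document
                    ValidateAudience = true,         // default: 'aud' must equal opt.Audience
                    ValidateLifetime = true,         // default: 'nbf' <= now <= 'exp'
                    RequireExpirationTime = true,    // default: tokens without 'exp' are rejected
                    ClockSkew = TimeSpan.FromMinutes(2) // default is 5 minutes; tighten the expiry window
                };
                opt.Events = new JwtBearerEvents
                {
                    // Each failure is one of the exceptions listed in the answer; log the type,
                    // never the token, so monitoring can tell expiry apart from tampering.
                    OnAuthenticationFailed = context =>
                    {
                        var logger = context.HttpContext.RequestServices
                            .GetRequiredService<ILoggerFactory>().CreateLogger("JwtBearer");
                        logger.LogWarning("JWT rejected: {ExceptionType}", context.Exception.GetType().Name);
                        if (context.Exception is SecurityTokenExpiredException)
                            context.Response.Headers["Token-Expired"] = "true"; // lets a client refresh instead of retrying
                        return Task.CompletedTask;
                    }
                };
            });
        return services;
    }
}
```

Because opt.Audience is copied into TokenValidationParameters.ValidAudience and the issuer and signing keys come from the Authority's discovery document, no key or certificate is needed in the service's code, which is the point the linked article makes.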