Validating the token received from Azure AD B2C using the values from the "jwks_uri" endpoint

Question

I am getting the Azure AD access token from a Utility Service and I want to validate it using some standard token validation parameters, which include issuer, audience and issuer signing key. Now I have the issuer and audience but I don't have the issuer signing key.

However, I have extracted the key information using the jwks_uri endpoint of Azure AD B2C, which gives me a JSON output as

{
  "keys": [
    {
      "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4......",
      "nbf": 1493763266,
      "use": "sig",
      "kty": "RSA",
      "e": "AQAB",
      "n": "tVKUtcx_n9rt5afY_2WFNvU6PlFMggCatsZ3l4RjKxH0jgdLq6CScb0P3ZGXYbPzXvmmL...."
    }
  ]
}

I tried using just the n value as the key but I am getting an exception that token validation failed. Now I want to know how I get the issuer signing key to validate the token. Is n+e (string concatenation?) a solution? I saw a similar question, "Azure AD B2C - Token validation does not work", but it did not answer my question and hence I would like to know the exact way to do it in .NET Core.

Recommended answer

According to my understanding, you want to validate the access token. If so, we can use the SDK System.IdentityModel.Tokens to implement it. For example:

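// Requires the NuGet packages System.IdentityModel.Tokens.Jwt and
// Microsoft.IdentityModel.Protocols.OpenIdConnect.
using System.IdentityModel.Tokens.Jwt;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Run inside an async method; `token` is the raw JWT string to validate.
// The metadata document names the issuer and the jwks_uri; the configuration
// manager downloads both and caches the resulting signing keys.
var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
    "https://testb2ctenant05.b2clogin.com/testB2CTenant05.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_test",
    new OpenIdConnectConfigurationRetriever(),
    new HttpDocumentRetriever());
CancellationToken ct = default(CancellationToken);
var discoveryDocument = await configurationManager.GetConfigurationAsync(ct);
var signingKeys = discoveryDocument.SigningKeys;

var validationParameters = new TokenValidationParameters
{
    RequireExpirationTime = true,
    RequireSignedTokens = true,
    ValidateIssuer = true,
    ValidIssuer = discoveryDocument.Issuer,
    // Audience validation is on by default and fails when no valid audience is set.
    ValidateAudience = true,
    ValidAudience = "<your-application-client-id>", // placeholder: the audience you expect
    ValidateIssuerSigningKey = true,
    IssuerSigningKeys = signingKeys,
    ValidateLifetime = true,
};

var principal = new JwtSecurityTokenHandler()
    .ValidateToken(token, validationParameters, out var rawValidatedToken);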
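
On the "n+e" part of the question: the following is an added example, not part of the original answer, showing how a key from a JWKS document becomes an issuer signing key. `n` and `e` are decoded separately from base64url into the RSA modulus and exponent. The key pair, `demo-kid`, `https://issuer.example/` and `demo-client-id` are constructed test values so the code runs offline; it uses the System.IdentityModel.Tokens.Jwt NuGet package.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.IdentityModel.Tokens;

public static class JwksKeyDemo
{
    // Build RSA public keys from a JWKS document: "n" (modulus) and "e" (exponent)
    // are separate base64url-encoded big-endian integers, not strings to concatenate.
    public static SecurityKey[] KeysFromJwks(string jwksJson)
    {
        using var doc = JsonDocument.Parse(jwksJson);
        return doc.RootElement.GetProperty("keys").EnumerateArray()
            .Where(k => k.GetProperty("kty").GetString() == "RSA")
            .Select(k => (SecurityKey)new RsaSecurityKey(new RSAParameters
            {
                Modulus = Base64UrlEncoder.DecodeBytes(k.GetProperty("n").GetString()),
                Exponent = Base64UrlEncoder.DecodeBytes(k.GetProperty("e").GetString())
            }) { KeyId = k.GetProperty("kid").GetString() }) // kid links token header to key
            .ToArray();
    }
    public static void Main()
    {
        // Constructed test data: a throwaway key pair stands in for the tenant's signing key.
        using var rsa = RSA.Create(2048);
        var pub = rsa.ExportParameters(false);
        string jwks = JsonSerializer.Serialize(new { keys = new[] { new {
            kid = "demo-kid", use = "sig", kty = "RSA",
            e = Base64UrlEncoder.Encode(pub.Exponent),
            n = Base64UrlEncoder.Encode(pub.Modulus) } } });
        var handler = new JwtSecurityTokenHandler();
        string token = handler.WriteToken(new JwtSecurityToken(
            issuer: "https://issuer.example/", audience: "demo-client-id",
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(
                new RsaSecurityKey(rsa) { KeyId = "demo-kid" }, SecurityAlgorithms.RsaSha256)));

        // Validation succeeds only with keys rebuilt from the public JWKS values.
        handler.ValidateToken(token, new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example/",
            ValidAudience = "demo-client-id",
            IssuerSigningKeys = KeysFromJwks(jwks),
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 } // pin the expected algorithm
        }, out SecurityToken validated);
        Console.WriteLine($"validated, kid={((JwtSecurityToken)validated).Header.Kid}");
    }
}
```

Against a real tenant, the JSON passed to `KeysFromJwks` would be the body fetched from the `jwks_uri` endpoint, and the issuer and audience would be the values you already hold.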
