JWT 验证失败 [英] JWT Validation fails

问题描述

我通过如下所示设置 Payload 创建了一个 JwtToken

var payload = new JwtPayload{{"aud", "wellmark.com" },{"iss", "wellmark" },{"iat", DateTime.Now.Ticks },{"exp", DateTime.Now.AddDays(90).Ticks },};

我必须使用刻度的原因是因为这是获取发布时间和到期时间的整数值的唯一方法.我同意 ticks 实际上是 long 而不是 int，但这是唯一的方法.

现在当我回来验证令牌时，我正在执行以下操作

var tokenValidationParams = new TokenValidationParameters{IssuerSigningKey = new X509SecurityKey(jwtCert),ValidAudience = "蒙面",ValidIssuer = "屏蔽",IssuerSigningKeyResolver =(字符串令牌，Microsoft.IdentityModel.Tokens.SecurityToken securityToken，字符串孩子，TokenValidationParameters 验证参数)=>新列表<X509SecurityKey>{ 新 X509SecurityKey(jwtCert) }};tokenHandler.ValidateToken(id, tokenValidationParams，出验证令牌)；

但是说不出来

<块引用>

生命周期验证失败.令牌缺少过期时间.令牌类型:'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.

这很可能是因为验证方法试图将 long 转换为 int 并且由于它无法转换它，所以它只是返回 null，如显示的文档中所示 这里.

有没有人在这个机制上取得了成功.请注意，我使用 X509 证书来签署我的 Jwt.

纳拉辛哈姆

解决方案

Exp时间戳不能使用Ticks

JWT 中的时间戳是从 01.01.1970 00:00 UTC 开始计算的 UNIX 时间戳:https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4 解释说数字日期用于 exp 声明(也用于 nbf(不是之前)和 iat(签发于)索赔)

https://www.rfc-editor.org/rfc/rfc7519#section-2 定义数字日期:

<块引用>

一个 JSON 数值，表示从1970-01-01T00:00:00Z UTC 直到指定的 UTC 日期/时间，忽略闰秒.

如果您像在示例中那样直接创建有效负载，则需要计算自 1.1.1970 UTC 以来的秒数，例如:

DateTime CenturyBegin = new DateTime(1970, 1, 1);var exp = new TimeSpan(DateTime.Now.AddDays(90).Ticks - CenturyBegin.Ticks).TotalSeconds;

exp 是从现在开始的 90 天.当然，您也可以使用任何其他 Add... 方法来计算到期时间.参考 https://msdn.microsoft.com/de-de/library/system.datetimeoffset(v=vs.110).aspx 查看其他 Add 方法.

一些框架(例如 System.IdentityModel.Tokens.Jwt)提供了创建令牌的函数，这些令牌接受 DateTimeOffset 类型的参数，这更容易处理.

使用 http://www.unixtimestamp.com/ 或类似网站检查您的时间戳p>

I have created a JwtToken by setting up the Payload as shown below

var payload = new JwtPayload
        {
            {"aud", "wellmark.com" },
            {"iss", "wellmark" },
            {"iat", DateTime.Now.Ticks },
            {"exp", DateTime.Now.AddDays(90).Ticks },
        };

The reason I had to use ticks is because that is the only way to get an integer value for the issued at and expiration times. I agree that ticks is in fact a long and not an int, but that was the only way.

Now when I come back to validate the token, I am doing the below

var tokenValidationParams = new TokenValidationParameters
            {
                IssuerSigningKey = new X509SecurityKey(jwtCert),
                ValidAudience = "masked",
                ValidIssuer = "masked",
                IssuerSigningKeyResolver = (string token, Microsoft.IdentityModel.Tokens.SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) => new List<X509SecurityKey> { new X509SecurityKey(jwtCert) }
            };

            tokenHandler.ValidateToken(id, tokenValidationParams
                   , out validatedToken);

It is however failing saying

Lifetime validation failed. The token is missing an Expiration Time. Tokentype: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.

This is most likely because the validation method is trying to convert the long to an int and because it is unable to convert it, it simply returns a null as indicated in the documentation shown here.

Has anyone had success with this mechanism. Please note that I am using X509 Certificate to Sign my Jwt.

Narasimham

解决方案

You can't use Ticks for the exp timestamp

The timestamps in JWT are UNIX timestamps counting from 01.01.1970 00:00 UTC: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4 explains that a numeric date is used for the exp claim (and also for the nbf (not before) and iat (issued at) claims)

https://www.rfc-editor.org/rfc/rfc7519#section-2 defines the numeric date:

A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.

If you create the payload directly like you did in your example you need to calculate the seconds since 1.1.1970 UTC for example like this:

DateTime centuryBegin = new DateTime(1970, 1, 1);
var exp = new TimeSpan(DateTime.Now.AddDays(90).Ticks - centuryBegin.Ticks).TotalSeconds;

exp is then 90 days from now. Of course you can use any of the other Add... methods as well to calculate the expriation time. Refer to https://msdn.microsoft.com/de-de/library/system.datetimeoffset(v=vs.110).aspx to see the other Add methods.

Some frameworks (e.g. System.IdentityModel.Tokens.Jwt) offer functions to create tokens which accept parameters of the type DateTimeOffset, which is easier to handle.

Use http://www.unixtimestamp.com/ or similar sites to check your timestamps

这篇关于JWT 验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！