Regarding the validation of JWTs


Question

Hello. I've been following this document...

https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens

and I have an app which prototypes the validation of tokens. I just want to be sure that I'm validating everything that needs to be checked.

From what I understand, the claims I need to check are...

Then I need to validate the signature. That's how I know that the token came from Microsoft.

The algorithm (RS256)

The issuer -- This is how I know that the token is for one of my apps in Azure AD. This prevents somebody from registering my app in Azure AD and providing my app URI as the URI for their own app, then requesting a token from their own app.

The resource -- This is essentially how I check that the client is trying to access my app specifically, not some other app in my tenant.

Any other validation that I decide is necessary, such as roles

So have I got this all right?
Also, is it possible that my tenant ID (and thus the issuer that my app needs to check against) might change? I ask because the above document mentions checking the value against what's in the OpenID discovery document for my tenant. I'm wondering if I can skip checking it and just set the issuer ID directly in my app.
Thanks!

Answer

Drew,

You got it right. You need to make sure you are checking for any changes in the key pairs that are used by Azure AD to sign the JWT token. Azure AD rotates these keys periodically. It's documented in the same article and is important, as it could break the validation if you use stale keys.

Your tenant ID will never change and will always remain the same. You can configure it directly in your app as well.
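As an added example (not code from the original post, the answer, or Microsoft), here is the check list from the question and the key-rotation point from the answer written out in Go with only the standard library, so that every step is visible rather than hidden inside a library call. The issuer URL, tenant ID, app ID URI, key IDs and the Refresh function that stands in for re-downloading the JWKS listed in the tenant's OpenID discovery document are assumptions made up for the example; in a real app Refresh would fetch the jwks_uri over HTTPS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding
// Claims is the subset of the payload this app checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // read as one string: a token whose aud is an array fails closed
	Exp int64  `json:"exp"`
}

// Validator pins the expected issuer and audience and caches signing keys by kid. Refresh stands in for
// re-downloading the JWKS named in the tenant's OpenID discovery metadata after a key rotation (assumed).
type Validator struct {
	Issuer, Audience string
	Keys             map[string]*rsa.PublicKey
	Refresh          func() map[string]*rsa.PublicKey
}

// Validate runs the checks from the question in the safe order: pin the algorithm, verify the signature, then compare claims.
func (v *Validator) Validate(token string, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err := enc.DecodeString(p[0])
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err != nil || json.Unmarshal(rawHdr, &h) != nil || h.Alg != "RS256" {
		return nil, errors.New("bad header: the token must not choose the algorithm")
	}
	if v.Keys[h.Kid] == nil && v.Refresh != nil { // unknown kid: refetch the JWKS once, then give up
		v.Keys = v.Refresh()
	}
	sig, err := enc.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if pub := v.Keys[h.Kid]; pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	rawClaims, err := enc.DecodeString(p[1])
	var c Claims
	if err != nil || json.Unmarshal(rawClaims, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != v.Issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != v.Audience:
		return nil, fmt.Errorf("wrong audience %q", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("expired")
	}
	return &c, nil
}

// Sign builds an RS256 token as the issuer would; it is here only so tokens can be constructed offline.
func Sign(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

// Demo runs the validator over the cases worth testing, with two constructed keys; the tenant ID, app ID URI and kids are made up.
func Demo() map[string]error {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss, aud := "https://sts.windows.net/11111111-2222-3333-4444-555555555555/", "api://my-app"
	jwks := map[string]*rsa.PublicKey{"kid-old": &oldKey.PublicKey, "kid-new": &newKey.PublicKey} // JWKS as republished after rotation
	v := &Validator{Issuer: iss, Audience: aud, Keys: map[string]*rsa.PublicKey{"kid-old": &oldKey.PublicKey},
		Refresh: func() map[string]*rsa.PublicKey { return jwks }}
	good := Claims{Iss: iss, Aud: aud, Exp: time.Now().Add(time.Hour).Unix()}
	t := strings.Split(Sign(oldKey, "kid-old", good), ".")
	t[1] = enc.EncodeToString([]byte(`{"iss":"` + iss + `","aud":"` + aud + `","exp":9999999999}`)) // edited payload, original signature kept
	out := map[string]error{}
	check := func(name, tok string) { _, out[name] = v.Validate(tok, time.Now()) }
	check("valid", Sign(oldKey, "kid-old", good))
	check("rotated-key", Sign(newKey, "kid-new", good)) // unknown kid triggers Refresh
	check("tampered", strings.Join(t, "."))
	check("alg-none", enc.EncodeToString([]byte(`{"alg":"none","kid":"kid-old"}`))+"."+t[1]+".")
	check("wrong-issuer", Sign(oldKey, "kid-old", Claims{Iss: "https://sts.windows.net/other-tenant/", Aud: aud, Exp: good.Exp}))
	check("wrong-audience", Sign(oldKey, "kid-old", Claims{Iss: iss, Aud: "api://other-app", Exp: good.Exp}))
	check("expired", Sign(oldKey, "kid-old", Claims{Iss: iss, Aud: aud, Exp: time.Now().Add(-time.Minute).Unix()}))
	return out
}
func main() { fmt.Println(Demo()) }
```

Validate takes the current time as a parameter so the expiry check is testable. The ordering is the point: the algorithm is pinned and the signature verified before anything in the body is read, so the tampered token is rejected even though its edited payload names the right issuer and audience, and the alg=none token never reaches the key lookup. The rotated-key case is the answer's point in practice: a token signed under a kid the cache has not seen triggers one refresh of the key set instead of a hard failure, while a kid that is still unknown after the refresh is rejected.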


