JWT验证失败 [英] JWT Validation fails

问题描述

我通过设置有效载荷(如下所示)创建了一个JwtToken

I have created a JwtToken by setting up the Payload as shown below

var payload = new JwtPayload
        {
            {"aud", "wellmark.com" },
            {"iss", "wellmark" },
            {"iat", DateTime.Now.Ticks },
            {"exp", DateTime.Now.AddDays(90).Ticks },
        };

我必须使用刻度的原因是，这是获取at和expirate时间的整数值的唯一方法.我同意壁虱实际上是很长的时间，而不是整数，但这是唯一的方法.

The reason I had to use ticks is because that is the only way to get an integer value for the issued at and expiration times. I agree that ticks is in fact a long and not an int, but that was the only way.

现在，当我再次验证令牌时，我正在执行以下操作

Now when I come back to validate the token, I am doing the below

var tokenValidationParams = new TokenValidationParameters
            {
                IssuerSigningKey = new X509SecurityKey(jwtCert),
                ValidAudience = "masked",
                ValidIssuer = "masked",
                IssuerSigningKeyResolver = (string token, Microsoft.IdentityModel.Tokens.SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) => new List<X509SecurityKey> { new X509SecurityKey(jwtCert) }
            };

            tokenHandler.ValidateToken(id, tokenValidationParams
                   , out validatedToken);

但是没有说

终身验证失败.令牌缺少到期时间. 令牌类型:"System.IdentityModel.Tokens.Jwt.JwtSecurityToken".

Lifetime validation failed. The token is missing an Expiration Time. Tokentype: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.

这很可能是因为验证方法试图将long转换为int，并且由于无法将其转换为int，因此仅返回null，如在

This is most likely because the validation method is trying to convert the long to an int and because it is unable to convert it, it simply returns a null as indicated in the documentation shown here.

有人在此机制上取得成功.请注意，我正在使用X509证书对我的Jwt进行签名.

Has anyone had success with this mechanism. Please note that I am using X509 Certificate to Sign my Jwt.

Narasimham

Narasimham

推荐答案

exp时间戳不能使用Ticks

You can't use Ticks for the exp timestamp

JWT中的时间戳是从1970年1月1日00:00 UTC开始计数的UNIX时间戳: https://tools.ietf.org/html/rfc7519#section-4.1.4 解释说，数字日期用于exp声明(也用于nbf(不早于此)和iat(发布于) )声明

The timestamps in JWT are UNIX timestamps counting from 01.01.1970 00:00 UTC: https://tools.ietf.org/html/rfc7519#section-4.1.4 explains that a numeric date is used for the exp claim (and also for the nbf (not before) and iat (issued at) claims)

https://tools.ietf.org/html/rfc7519#section-2 定义数字日期:

一个JSON数值，表示从 1970-01-01T00:00:00Z UTC直到指定的UTC日期/时间，忽略 秒.

A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.

如果像您在示例中一样直接创建有效负载，则需要计算自世界标准时间1.1.1970起的秒数，例如:

If you create the payload directly like you did in your example you need to calculate the seconds since 1.1.1970 UTC for example like this:

DateTime centuryBegin = new DateTime(1970, 1, 1);
var exp = new TimeSpan(DateTime.Now.AddDays(90).Ticks - centuryBegin.Ticks).TotalSeconds;

exp距现在90天.当然，您也可以使用其他任何Add ...方法来计算有效时间. 请参考 https://msdn.microsoft. com/de-de/library/system.datetimeoffset(v = vs.110).aspx 来查看其他添加方法.

exp is then 90 days from now. Of course you can use any of the other Add... methods as well to calculate the expriation time. Refer to https://msdn.microsoft.com/de-de/library/system.datetimeoffset(v=vs.110).aspx to see the other Add methods.

某些框架(例如System.IdentityModel.Tokens.Jwt)提供了创建令牌的功能，这些令牌接受类型为DateTimeOffset的参数，该参数更易于处理.

Some frameworks (e.g. System.IdentityModel.Tokens.Jwt) offer functions to create tokens which accept parameters of the type DateTimeOffset, which is easier to handle.

使用 http://www.unixtimestamp.com/或类似网站检查时间戳

Use http://www.unixtimestamp.com/ or similar sites to check your timestamps

这篇关于JWT验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！