Azure AD B2C - Token validation does not work
Question
I would like to use Azure AD B2C but have several difficulties using it. One problem I have is to validate the signature of the token. First I wanted to validate the token "manually" using jwt.io.
According to the Microsoft Docs, validating the signature should work like this:

Your app can use the kid claim in the JWT header to select the public key in the JSON document that is used to sign a particular token. It can then perform signature validation by using the correct public key and the indicated algorithm.
My understanding: grab the kid value out of the header, look up the key in the metadata under the location of jwks_uri, and (assumption) use the value of "n" to verify the signature.
But jwt.io, jsonwebtoken.io, and jose-jwt all say that the signature is invalid.

What am I missing?

Recommended answer
jwt.io seems to only support HS256 with a string secret and RS256 with a string secret or a certificate.
Azure AD B2C uses the more native form of RS256 which, as per RFC 3447, section 3.1, defines that the public key consists of two components: n and e. The JWK contains both n and e, which can be used to generate the public key and validate the token signature.
In order to use jwt.io, you'll need to convert Azure AD B2C's n + e format for the key to a cert format. See this example for a reference on how to do this: Go Language Convert Modulus exponent to X.509 certificate
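The two steps the answer describes, rebuilding an RSA public key from the JWK's n and e and then using it to check an RS256 signature (plus exporting the key as PEM for jwt.io), worked through in Go as an added example. This is not code from the answer or from the linked Go snippet, and it does not talk to a real B2C tenant: the key, the kid "demo-kid" and the claims are constructed locally so the demo runs offline, and the signRS256 helper exists only to mint a test token the way an issuer would. It verifies the signature only; checking iss, aud and exp afterwards is a separate step.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT and JWK both use unpadded base64url

// jwk holds the members of one jwks_uri entry that RS256 verification needs.
type jwk struct{ Kid, Kty, N, E string }

// jwkToPublicKey rebuilds the RFC 3447 public key (modulus n, exponent e) from a JWK.
func jwkToPublicKey(k jwk) (*rsa.PublicKey, error) {
	n, errN := b64.DecodeString(k.N)
	e, errE := b64.DecodeString(k.E)
	exp := new(big.Int).SetBytes(e)
	if k.Kty != "RSA" || errN != nil || errE != nil || !exp.IsInt64() || exp.Int64() < 3 {
		return nil, fmt.Errorf("not a well-formed RSA JWK")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(exp.Int64())}, nil
}

// publicKeyToPEM gives the PEM form that jwt.io's public-key box accepts,
// i.e. the n + e to key/certificate conversion the answer describes.
func publicKeyToPEM(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil { return "", err }
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// keyToJWK publishes a public key the way a jwks_uri document does (constructed demo data).
func keyToJWK(pub *rsa.PublicKey, kid string) jwk {
	e := big.NewInt(int64(pub.E)).Bytes()
	return jwk{Kid: kid, Kty: "RSA", N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}
}

// verifyRS256 selects the key by the header's kid, insists on RS256 and checks the
// PKCS#1 v1.5 / SHA-256 signature over "header.payload" before returning any claim.
func verifyRS256(token string, keys map[string]jwk) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("token must have three segments") }
	hdrJSON, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil { return nil, fmt.Errorf("segments are not base64url") }
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	k, ok := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok { // the verifier, not the token, decides the algorithm
		return nil, fmt.Errorf("alg %q or kid %q not acceptable", hdr.Alg, hdr.Kid)
	}
	pub, err := jwkToPublicKey(k)
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]any
	return claims, json.Unmarshal(payload, &claims)
}

// signRS256 mints a token as an issuer would; it is here only so the demo runs offline.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// demoRoundTrip: throwaway key -> JWK -> signed token -> verified claims; a token whose
// payload was swapped after signing must fail verification.
func demoRoundTrip() (sub string, forgedRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return "", false, err }
	keys := map[string]jwk{"demo-kid": keyToJWK(&priv.PublicKey, "demo-kid")}
	tok, _ := signRS256(priv, "demo-kid", map[string]any{"sub": "alice"}) // a signing failure surfaces below
	claims, err := verifyRS256(tok, keys)
	if err != nil { return "", false, err }
	p := strings.Split(tok, ".")
	forged := p[0] + "." + b64.EncodeToString([]byte(`{"sub":"mallory"}`)) + "." + p[2]
	_, forgeErr := verifyRS256(forged, keys)
	return claims["sub"].(string), forgeErr != nil, nil
}
```

For a real B2C token, load the jwks_uri document from the tenant's OpenID metadata into the keys map (kid to entry), pass the raw id_token to verifyRS256, and then check the claims; publicKeyToPEM gives you the text to paste into jwt.io if you want to repeat the check by hand. The example rejects any alg other than RS256 and refuses keys with an implausible exponent so that a malformed or substituted header cannot steer verification.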