Ignoring signature in JWT


Question

I have a web application that is using OpenId Connect. I created a self-signed certificate but it is still not signed by a CA. How can I ignore the signature validation?

This is what I have so far:

// Using directives for the System.IdentityModel.Tokens.Jwt 4.x API this snippet targets
// (System.Configuration, System.IdentityModel and System.IdentityModel.Tokens.Jwt assemblies).
using System.Configuration;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Claims;

ClaimsPrincipal ValidateJwt(string jwtToken)
{
    SecurityToken validatedToken = null;

    var tokenHandler = new JwtSecurityTokenHandler {
        Configuration = new SecurityTokenHandlerConfiguration {
            // Skips X.509 chain/CA validation of the signing certificate
            CertificateValidator = X509CertificateValidator.None
        },
    };

    TokenValidationParameters validationParams =
        new TokenValidationParameters()
        {
            ValidAudience = ConfigurationManager.AppSettings["Audience"],
            ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
            AudienceValidator = AudienceValidator,   // custom audience callback defined elsewhere
            ValidateAudience = true,
            ValidateIssuer = true
        };

    return tokenHandler.ValidateToken(jwtToken, validationParams, out validatedToken);
}

It throws the following exception:

IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier\r\n (\r\n
IsReadOnly = False,\r\n Count = 1,\r\n Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause\r\n
)\r\n', \ntoken: '{\"typ\":\"JWT\",\"alg\":\"RS256\",\"kid\":\"issuer_rsaKey\"}.{\"iss\":...

Recommended answer

Don't ignore the signature, that's dangerous!

Even if you use a self-signed certificate, you will be able to use the public key for signature validation.

Since you are using OpenId Connect, you should be able to get the public key for your signing certificate by heading over to /.well-known/jwks.

Then you can set up your validation parameters like this:

using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// yourPublicKeyGoesHere: the base64 DER-encoded signing certificate (e.g. the x5c value from the JWKS document)
var certificate = new X509Certificate2(Convert.FromBase64String(yourPublicKeyGoesHere));

var validationParameters = new TokenValidationParameters {
    IssuerSigningTokens = new[] { new X509SecurityToken(certificate) }
};

After that, you can call ValidateToken:

var handler = new JwtSecurityTokenHandler();
SecurityToken token;
var claimsPrincipal = handler.ValidateToken(encodedToken, validationParameters, out token);

Do you really want to ignore the signature?

Remember, if you do, how do you know someone didn't tamper with the data inside the token? You could easily decode the base64 url encoded payload and change the subject. And if you rely on that in your application, you'll be in trouble (hint: someone accessing someone else's data).

Do you really want to ignore it?

You can use ReadToken and just skip every validation there is:

// ReadToken only parses the JWT: no signature, issuer, audience or lifetime check is performed
var badJwt = new JwtSecurityTokenHandler()
                 .ReadToken(encodedMaliciousToken) as JwtSecurityToken;

But don't do that, it's bad practice.
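The following is an added example, not code from the question or the answer above, that shows concretely why the answer insists on keeping signature validation: a token is signed with RS256, validated with only the public half of the key (which is all a relying party gets from /.well-known/jwks), then its "sub" claim is rewritten while the original signature is kept. ValidateToken rejects the edited token; a parse-only call (ReadJwtToken, the counterpart of the answer's ReadToken) hands the forged subject straight through. It targets the newer System.IdentityModel.Tokens.Jwt 5.x/6.x plus Microsoft.IdentityModel.Tokens API rather than the 4.x IssuerSigningTokens API used in the answer; the issuer, audience, key id and key pair are constructed values.

```csharp
// Added example, not code from the question or the answer above.
// Targets System.IdentityModel.Tokens.Jwt 5.x/6.x + Microsoft.IdentityModel.Tokens
// (the answer's IssuerSigningTokens / X509SecurityToken belong to the older 4.x API).
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwtSignatureDemo
{
    const string Issuer = "https://issuer.example";   // constructed value
    const string Audience = "my-api";                 // constructed value
    const string KeyId = "issuer_rsaKey";             // constructed value

    // Issues an RS256-signed token for "alice", standing in for the OpenID Connect provider.
    public static string IssueToken(RSA issuerKey)
    {
        var credentials = new SigningCredentials(
            new RsaSecurityKey(issuerKey) { KeyId = KeyId },
            SecurityAlgorithms.RsaSha256);
        var jwt = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim("sub", "alice") },
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // Validation parameters built from the PUBLIC half of the key only, which is what a
    // relying party obtains from the JWKS endpoint. Signature checking stays enabled.
    public static TokenValidationParameters BuildParameters(RSA issuerKey)
    {
        var publicOnly = new RsaSecurityKey(issuerKey.ExportParameters(false)) { KeyId = KeyId };
        return new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = publicOnly,
        };
    }

    // Returns the validated subject, or null when the token is rejected.
    public static string ValidatedSubject(string encoded, TokenValidationParameters parameters)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(encoded, parameters, out SecurityToken validated);
            return ((JwtSecurityToken)validated).Subject;
        }
        catch (SecurityTokenException)
        {
            return null;   // covers invalid signature, unknown key, wrong issuer/audience, expiry
        }
    }

    // Rewrites the payload's "sub" claim and keeps the original signature: exactly the kind of
    // edit that only signature validation catches.
    public static string TamperSubject(string encoded, string newSubject)
    {
        string[] parts = encoded.Split('.');
        string payloadJson = Base64UrlEncoder.Decode(parts[1]);
        string edited = payloadJson.Replace("\"sub\":\"alice\"", "\"sub\":\"" + newSubject + "\"");
        return parts[0] + "." + Base64UrlEncoder.Encode(edited) + "." + parts[2];
    }

    public static void Main()
    {
        using (RSA issuerKey = RSA.Create())
        {
            string good = IssueToken(issuerKey);
            string tampered = TamperSubject(good, "bob");
            var parameters = BuildParameters(issuerKey);

            Console.WriteLine("genuine token  -> " + (ValidatedSubject(good, parameters) ?? "rejected"));
            Console.WriteLine("tampered token -> " + (ValidatedSubject(tampered, parameters) ?? "rejected"));

            // ReadJwtToken is the equivalent of the answer's ReadToken: it parses without verifying,
            // so the forged subject comes straight through.
            var parsedOnly = new JwtSecurityTokenHandler().ReadJwtToken(tampered);
            Console.WriteLine("ReadJwtToken   -> " + parsedOnly.Subject);
        }
    }
}
```

Run it and the genuine token validates to "alice", the tampered one is rejected, and ReadJwtToken reports "bob" for the same tampered string. In a real deployment the RsaSecurityKey in BuildParameters would come from the provider's JWKS document (or, with the 4.x API, from the X509SecurityToken the answer builds), and the "kid" in the token header is what lets the validator pick the right key, which is the lookup the IDX10500 message in the question says could not be resolved.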
