Validating the token received from Azure AD B2C using the values from the "jwks_uri" endpoint


Problem description

I am getting the Azure AD access token from a Utility Service and I want to validate it using some standard token validation parameters, which include issuer, audience and issuer signing key. Now I have the issuer and audience but I don't have the issuer signing key.

However, I have extracted the key information using the jwks_uri endpoint of Azure AD B2C, which gives me a JSON output as:

{
  "keys": [
    {
      "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4......",
      "nbf": 1493763266,
      "use": "sig",
      "kty": "RSA",
      "e": "AQAB",
      "n": "tVKUtcx_n9rt5afY_2WFNvU6PlFMggCatsZ3l4RjKxH0jgdLq6CScb0P3ZGXYbPzXvmmL...."
    }
  ]
}

I tried using just the n value as the key but I am getting an exception that token validation failed. Now I want to know how I get the issuer signing key to validate the token. Is n+e (string concatenation?) a solution? I saw a similar question, "Azure AD B2C - Token validation does not work", but it did not answer my question, and hence I would like to know the exact way to do it in .NET Core.

Recommended answer

According to my understanding, you want to validate the access token. If so, we can use the SDK System.IdentityModel.Tokens to implement it. For example:

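using System.IdentityModel.Tokens.Jwt;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Download the policy's OpenID Connect metadata. The retriever also fetches the
// keys published at jwks_uri and builds a security key from each entry's n and e.
var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
    "https://testb2ctenant05.b2clogin.com/testB2CTenant05.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_test",
    new OpenIdConnectConfigurationRetriever(), new HttpDocumentRetriever());
CancellationToken ct = default(CancellationToken);
var discoveryDocument = await configurationManager.GetConfigurationAsync(ct);
var signingKeys = discoveryDocument.SigningKeys;

var validationParameters = new TokenValidationParameters
{
    RequireExpirationTime = true,
    RequireSignedTokens = true,
    ValidateIssuer = true,
    ValidIssuer = discoveryDocument.Issuer,
    // ValidateAudience defaults to true, so a valid audience must be supplied.
    // `audience` is the value you already have (like `token`, it is provided by the caller).
    ValidateAudience = true,
    ValidAudience = audience,
    ValidateIssuerSigningKey = true,
    IssuerSigningKeys = signingKeys,
    ValidateLifetime = true,
};

// Throws if the signature, issuer, audience or lifetime check fails.
var principal = new JwtSecurityTokenHandler()
    .ValidateToken(token, validationParameters, out var rawValidatedToken);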
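
On the question of whether n and e should be concatenated: they are two separate base64url-encoded integers, and each is decoded on its own into the RSA public key. The following is an added example, not code from the original answer; it uses a locally generated key pair, and the names `JwkDemo` and `KeyFromJwk` as well as the issuer, audience and kid values are constructed for illustration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwkDemo // hypothetical name, not part of any SDK
{
    // n and e are separate base64url-encoded big-endian integers (RFC 7518);
    // decode each into RSAParameters instead of concatenating the strings.
    public static RsaSecurityKey KeyFromJwk(string kid, string n, string e) =>
        new RsaSecurityKey(new RSAParameters
        {
            Modulus = Base64UrlEncoder.DecodeBytes(n),
            Exponent = Base64UrlEncoder.DecodeBytes(e),
        }) { KeyId = kid };

    public static void Main()
    {
        // Constructed stand-in for the token issuer: a throwaway key pair.
        using var rsa = RSA.Create(2048);
        var pub = rsa.ExportParameters(false);
        string kid = "demo-kid";                           // constructed value
        string n = Base64UrlEncoder.Encode(pub.Modulus);   // same form as "n" in the JWKS
        string e = Base64UrlEncoder.Encode(pub.Exponent);  // "AQAB" for 65537

        var handler = new JwtSecurityTokenHandler();
        string token = handler.WriteToken(handler.CreateJwtSecurityToken(
            issuer: "https://issuer.example/", audience: "demo-client-id",
            subject: new ClaimsIdentity(new[] { new Claim("sub", "user-1") }),
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(
                new RsaSecurityKey(rsa) { KeyId = kid }, SecurityAlgorithms.RsaSha256)));

        // Validator side: only kid, n and e are known, as with a jwks_uri response.
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example/",
            ValidAudience = "demo-client-id",
            IssuerSigningKey = KeyFromJwk(kid, n, e),
        };
        // Throws if the signature does not verify against the rebuilt key.
        handler.ValidateToken(token, parameters, out SecurityToken validated);
        Console.WriteLine($"signature ok, kid={((JwtSecurityToken)validated).Header.Kid}");
    }
}
```

With a real jwks_uri response, select the entry whose kid matches the kid in the token header before building the key.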
