.Net Core 2.2容器上的jwt验证失败,出现401 [英] .Net Core 2.2 Validation of jwt failing with 401 on a container
问题描述
在.net core 2.2中,当我对应用程序进行容器化时,出现Bearer错误="invalid_token",error_description =签名无效"
In .net core 2.2 when i containerize the app i get a Bearer error="invalid_token", error_description="The signature is invalid"
当我使用IIS/IIS Express将其托管在Windows上时,它运行良好.
It is working fine when i host it on windows using IIS/IIS express.
我的代码-令牌生成器是IBM API Connect,它使用RSA 256算法生成密钥
My code -- The token generator is IBM API Connect it uses RSA 256 Algorithm to generate the key
var rsa = new RSACryptoServiceProvider();
string exponentvalue = "AQAB";
var e = Base64UrlEncoder.DecodeBytes(exponentvalue);
var N = "public key put your value here"
var modulus = Base64UrlEncoder.DecodeBytes(N);
rsa.ImportParameters(
new RSAParameters()
{
Modulus = modulus,
Exponent = e
});
var signingKey = new RsaSecurityKey(rsa);
var tokenValidationParameters = new TokenValidationParameters
{
// The signing key must match!
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
// Validate the JWT Issuer (iss) claim
ValidateIssuer = false,
ValidIssuer = issuer,
// Validate the JWT Audience (aud) claim
ValidateAudience = false,
ValidAudience = audience,
// Validate the token expiry
//ValidateLifetime = true,
// If you want to allow a certain amount of clock drift, set that here:
//ClockSkew = TimeSpan.FromMinutes(1)
};
有什么想法为什么不能在docker或AKS本地托管的容器上工作?
Any idea why it wouldn't be working on a container hosted either locally on docker or AKS?
推荐答案
经过几天的研究和尝试,终于解决了我的问题.
After few days of researching and trying different things have finally Resolved my issue.
@bartonjs在此处提到的第一个问题在.NET核心中实现RSA 我必须使用RSA.Create()而不是RSACryptoServiceProvider().
First Issue was as mentioned by @bartonjs here implement RSA in .NET core I had to use RSA.Create() Instead of RSACryptoServiceProvider().
如上一篇文章中所建议的第二个问题,我正在使用(使用)在Linux中不起作用的语句来实现它.来自@bartonjs在此帖子上的评论 https://github.com. com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/994 看起来像是引入了一个错误我们可能不小心引入了一个错误,即后处理与新创建的相同.认为只需在首次使用(在本例中为下一个)中构成关键."
Second Issue as recommended in above post i was implementing it with (using) statement which was not working in Linux. From @bartonjs comments on this post https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/994 it looks like a bug introduced "We might have accidentally introduced an error where post-dispose is the same as freshly created, where it thinks it needs to just make up a key on first (next, in this case) use."
在Linux和Windows上均可使用的最终代码
Final code that works both on Linux and Windows
public class JwtConfiguration : IDisposable
{
/// <summary>
/// Configures the JWT Token Validation parameters.
/// </summary>
/// <param name="Configuration">
/// ASP.NET Core Configuration object instance.
/// </param>
/// <returns>
/// A TokenValidationParameters object instance.
/// </returns>
private RSA _publicRsa;
private SecurityKey _issuerSigningKey;
public TokenValidationParameters GetTokenValidationParameters(IConfiguration Configuration)
{
var issuer = Configuration["Jwt:Issuer"];
if (string.IsNullOrWhiteSpace(issuer))
{
throw new MissingJwtTokenParameterException("Missing Jwt:Issuer value.");
}
var audience = Configuration["Jwt:Audience"];
if (string.IsNullOrWhiteSpace(audience))
{
throw new MissingJwtTokenParameterException("Missing Jwt:Audience value.");
}
var secretKey = Configuration["Jwt:Key"];
if (string.IsNullOrWhiteSpace(secretKey))
{
throw new MissingJwtTokenParameterException("Missing Jwt:Key value.");
}
string exponentvalue = "AQAB";
var e = Base64UrlEncoder.DecodeBytes(exponentvalue);
var modulus = Base64UrlEncoder.DecodeBytes(secretKey);
_publicRsa = RSA.Create();
_publicRsa.KeySize = 3072;
_publicRsa.ImportParameters(
new RSAParameters()
{
Modulus = modulus,
Exponent = e
});
_issuerSigningKey = new RsaSecurityKey(_publicRsa);
var tokenValidationParameters = new TokenValidationParameters
{
// The signing key must match!
ValidateIssuerSigningKey = true,
IssuerSigningKey = _issuerSigningKey,
// Validate the JWT Issuer (iss) claim
ValidateIssuer = true,
ValidIssuer = issuer,
// Validate the JWT Audience (aud) claim
ValidateAudience = true,
ValidAudience = audience,
//Validate the token expiry
ValidateLifetime = true,
// If you want to allow a certain amount of clock drift, set that here:
ClockSkew = TimeSpan.FromMinutes(1)
};
return tokenValidationParameters;
}
#region IDisposable Support
private bool disposedValue = false; // To detect redundant calls
protected virtual void Dispose(bool disposing)
{
if (!disposedValue)
{
if (disposing)
{
// TODO: dispose managed state (managed objects).
_publicRsa?.Dispose();
}
// TODO: free unmanaged resources (unmanaged objects) and override a finalizer below.
// TODO: set large fields to null.
disposedValue = true;
}
}
// TODO: override a finalizer only if Dispose(bool disposing) above has code to free unmanaged resources.
~JwtConfiguration() {
// Do not change this code. Put cleanup code in Dispose(bool disposing) above.
Dispose(false);
}
// This code added to correctly implement the disposable pattern.
public void Dispose()
{
// Do not change this code. Put cleanup code in Dispose(bool disposing) above.
Dispose(true);
// TODO: uncomment the following line if the finalizer is overridden above.
GC.SuppressFinalize(this);
}
#endregion
}
这篇关于.Net Core 2.2容器上的jwt验证失败,出现401的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
