UseJwtBearerAuthentication signing key


Problem description


I'm trying to implement the JWT Bearer Authentication in my AspNetCore MVC app (Web API only) using the JwtBearerMiddleware but am getting a 401 response with header:

WWW-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found"


The relevant code in Startup.cs looks like this:

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    Authority = "https://example.okta.com",
    Audience = "myClientId"
});


With the Authority URL I'd expect the middleware to query my Identity Provider metadata from https://example.okta.com/.well-known/openid-configuration to get the jwks_uri to then get the signature keys from https://example.okta.com/oauth2/v1/keys. I don't think this is happening. What do I need to do to get it to find and use the signature keys? Thanks

Recommended answer


After following references and digging into the AspNet Security repo (specifically the JwtBearerHandler and JwtBearerMiddleware classes), which led me to the Microsoft.IdentityModel namespace which is in an Azure Extensions repo (first the ConfigurationManager<T> class, then to the OpenIdConnectConfigurationRetriever class (GetAsync method), then to the JsonWebKeySet.GetSigningKeys() method), I finally discovered that the JwtBearerMiddleware does indeed get the keys from the jwks_uri in the metadata. Phew.


So why wasn't it working? What I should've checked earlier is that the kid in the header of the Bearer JWT did not in fact match either of the kid's from the jwks_uri, hence it wasn't found. It was the access_code that I was sending as the bearer token. The id_token on the other hand does have a kid that matches, so using that instead it worked!

Since then I've read:


The OIDC Access Token is applicable only for the Okta /oauth2/v1/userinfo endpoint and thus should be treated as opaque by the application. The application does not need to validate it since it should not be used against other resource servers. The format of it and the key used to sign it are subject to change without prior notice. source


...so I can't use the access token.
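A quick diagnostic for the mismatch the answer describes, added here as an example and not code from the question or from the AspNet Security repo: it decodes the JOSE header of a token, reads its kid, and looks that kid up in a JWKS document, reproducing the kid-matching part of the middleware's key lookup. The JWKS and the tokens are constructed sample data (key material is omitted because only the header is inspected); the kid values are assumptions.

```python
import base64
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact-serialised JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict) -> Optional[dict]:
    """Select the JWKS entry whose kid equals the token header's kid and is usable for signing.
    This mirrors only the kid comparison the middleware performs; it does not verify the signature."""
    kid = jwt_header(token).get("kid")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    return None


def constructed_token(kid: str) -> str:
    """Constructed sample token with the given kid; the signature is a dummy, only the header is read."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"sub": "user@example.com"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'dummy-signature')}"


# Constructed stand-in for the document served at jwks_uri; moduli omitted (placeholders).
CONSTRUCTED_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "okta-key-1", "n": "<modulus-omitted>", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "okta-key-2", "n": "<modulus-omitted>", "e": "AQAB"},
]}

if __name__ == "__main__":
    # id_token-style kid resolves; an access token signed with an unpublished key does not.
    for label, tok in (("id_token", constructed_token("okta-key-1")),
                       ("access_token", constructed_token("unpublished-key"))):
        key = find_signing_key(tok, CONSTRUCTED_JWKS)
        print(label, "->", key["kid"] if key else "The signature key was not found")
```

Run it against a real token by pasting the token string and the fetched JWKS JSON in place of the constructed values; a None result is exactly the condition behind the invalid_token response in the question.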
