OWIN OpenID Connect中间件中的SecurityTokenSignatureKeyNotFoundException连接到Google [英] SecurityTokenSignatureKeyNotFoundException in OWIN OpenID Connect middleware connecting to Google
问题描述
我们正在使用通用的OpenID Connect中间件来将Google用作使用IdentityServer3的外部身份提供程序.我们没有设置MetadataAddress或任何特殊的TokenValidationParameters(因此它应该基于Authority来获取元数据,然后根据该参数来填充参数,这应该没问题).我们间歇性地收到以下错误.我提出的其他有此错误的问题似乎涉及不正确的自定义验证,并且不是间歇性的.
We are using the generic OpenID Connect middleware to use Google as an external identity provider using IdentityServer3. We don't have MetadataAddress or any special TokenValidationParameters set up (so it should be getting the metadata based on Authority, and then filling in parameters based on that, which should be fine). We are getting the following error highly intermittently. Other questions I've come up with that have this error seem to involve incorrect custom validation and are not intermittent.
Authentication Failed : Microsoft.IdentityModel.Protocols.OpenIdConnectMessage : System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException : IDX10500 : Signature validation failed.Unable to resolve SecurityKeyIdentifier : 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token : '{"alg":"RS256","kid":"74e0db263dbc69ac75d8bf0853a15d05e04be1a2"}.{"iss":"https://accounts.google.com","iat":1484922455,"exp":1484926055, <snip more claims>}'.
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)in c : \ workspace \ WilsonForDotNet45Release \ src \ System.IdentityModel.Tokens.Jwt \ JwtSecurityTokenHandler.cs : line 943
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken & validatedToken)in c : \ workspace \ WilsonForDotNet45Release \ src \ System.IdentityModel.Tokens.Jwt \ JwtSecurityTokenHandler.cs : line 671
at Microsoft.IdentityModel.Extensions.SecurityTokenHandlerCollectionExtensions.ValidateToken(SecurityTokenHandlerCollection tokenHandlers, String securityToken, TokenValidationParameters validationParameters, SecurityToken & validatedToken)in c : \ workspace \ WilsonForDotNet45Release \ src \ Microsoft.IdentityModel.Protocol.Extensions \ SecurityTokenHandlerCollectionExtensions.cs : line 71
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler. < AuthenticateCoreAsync > d__1a.MoveNext()
当前引用的kid是3个键中的第二个,位于 https://www .googleapis.com/oauth2/v3/certs .
The kid referred to is presently the 2nd of 3 keys at https://www.googleapis.com/oauth2/v3/certs.
我们的选项如下:
var options = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "Google",
Caption = "Sign in with Google",
Scope = "openid email profile",
ClientId = clientId,
Authority = "https://accounts.google.com/",
AuthenticationMode = AuthenticationMode.Passive,
RedirectUri = new Uri(baseUri, "identity/signin-google").ToString(),
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthenticationFailed = context => HandleException(context),
RedirectToIdentityProvider = context => AddLoginHint(context),
},
SignInAsAuthenticationType = signInAsType
};
app.UseOpenIdConnectAuthentication(options);
这是配置问题还是需要处理的某种暂时性错误(如果这样,应该如何处理)?最终客户正在重试一次(尽管我根本不等待),但这似乎无济于事.
Is this a configuration issue or some sort of transient error that needs to be dealt with (and if so how)? The end client is doing one retry (though I don't think it's waiting at all) but that doesn't seem to help.
推荐答案
The problem here seems to have been caused by the fact that the default ConfigurationManager caches results for 5 days, while Google rolls over their keys much more frequently (more like daily). With the default behavior of the OWIN middleware, the first request with an unrecognized key will fail, and then on the next request it will refresh the keys.
解决方案是使用更快的AutomaticRefreshInterval传入自己的ConfigurationManager.下面的大多数设置与 OpenIdConnectAuthenticationMiddleware
The solution is to pass in your own ConfigurationManager with a faster AutomaticRefreshInterval. Most of the settings below are as in OpenIdConnectAuthenticationMiddleware
private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
var baseUri = new Uri("https://localhost:44333");
var googleAuthority = "https://accounts.google.com/";
var metadataAddress = googleAuthority + ".well-known/openid-configuration";
var httpClient = new HttpClient(new WebRequestHandler());
httpClient.Timeout = TimeSpan.FromMinutes(1);
httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
var configMgr = new ConfigurationManager<OpenIdConnectConfiguration>(metadataAddress, httpClient)
{
// Default is 5 days, while Google is updating keys daily
AutomaticRefreshInterval
=
TimeSpan
.FromHours(12)
};
var options = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "Google",
Caption = "Google",
Scope = "openid email profile",
ClientId = GoogleClientId,
Authority = googleAuthority,
ConfigurationManager = configMgr,
AuthenticationMode = AuthenticationMode.Passive,
RedirectUri =
new Uri(baseUri, "identity/signin-google").ToString(),
SignInAsAuthenticationType = signInAsType
};
app.UseOpenIdConnectAuthentication(options);
}
这篇关于OWIN OpenID Connect中间件中的SecurityTokenSignatureKeyNotFoundException连接到Google的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
