无法使用IdentityServer验证AccessToken [英] Cannot Validate AccessToken with IdentityServer
问题描述
我们正在使用IdentityServer进行身份验证,并且正在使用JwtSecurityTokenHandler ValidateToken验证访问令牌。过去可以正常工作,但是在将客户端应用程序升级到ASP.NET Core 1.0 RTM(来自RC1)之后,验证失败。收到的错误是:
We are using IdentityServer for authentication and we are validating the access token using JwtSecurityTokenHandler ValidateToken. This used to work fine, but after we upgraded our client application to ASP.NET Core 1.0 RTM (from RC1), the validation fails. The received error is:
IDX10501: Signature validation failed. Unable to match 'kid'
当我查看使用的证书的KeyID和证书的孩子时令牌,我可以看到它们是不同的。我检查了IdentityServer jwks-endpoint以检查我是否具有正确的证书,并注意到kid和证书密钥ID也与该端点不同。据我了解,它们应该是相同的吗?
When I look at the KeyID of the used certificate and the kid of the token, I can see that they are different. I checked the IdentityServer jwks-endpoint to check that I had the correct certificate and noticed that the kid and certificate key id are different from that endpoint too. From what I've understood, they are supposed to be the same?
由于证书,令牌和IdentityServer仍然相同并且仅升级了客户端应用程序核心,因此为什么在升级过程中代码会中断,这是任何想法。
Any ideas why the code broke during the upgrade since the certificate, token and IdentityServer are still the same and only the client app core was upgraded.
编辑(更多信息)
我怀疑ValidateIssuerSigningKey默认情况下为false,并且该密钥甚至尚未经过验证之前(因此它正在工作)。现在看来,ValidateIssuerSigningKey似乎被忽略了(作为不良做法?),因此验证失败。
EDIT (More information)
I suspect that ValidateIssuerSigningKey is false by default and the key has not even been validated before (thus it was working). Now it seems that the ValidateIssuerSigningKey is being ignored (as bad practice?) and thus the validation fails.
解决方法/修复
通过手动设置IssuerSigningKeyResolver并明确给出用于验证的密钥,可以解决此问题和验证通过。不确定解决方法有多好,默认设置为何无效,但至少我现在可以继续。
Workaround/Fix
By setting the IssuerSigningKeyResolver manually and giving the key to use in validation explicitly, fixes the issue and validation passes. Not sure how good the workaround is and why the default doesn't work, but at least I can move on for now.
简化代码...
new JwtSecurityTokenHandler().ValidateToken(authTokens.AccessToken,
new TokenValidationParameters()
{
IssuerSigningKeys = keys,
ValidAudience = audience,
ValidIssuer = issuer,
IssuerSigningKeyResolver = (arbitrarily, declaring, these, parameters) => new List<X509SecurityKey> { securityKey }
}, out securityToken);
推荐答案
Client和API应该引用相同的实例IdentityServer。我们正在Azure中运行IdentityServerHost,该服务器具有不同的插槽(主插槽和暂存插槽),并且两个应用程序不一致地引用了不同的插槽。客户端接收到由IdSrv-main提供程序发行的访问令牌,并将其传递给API,该令牌应从其他提供程序IdSrv-staging获得。 API对其进行了验证,并返回了错误。
The Client and API should refer to the same instance of IdentityServer. We are running IdentityServerHost in Azure, which has different slots (main and staging) and two applications inconsistently referred to different slots. The Client received access token issued by IdSrv-main provider and passed it to API, that expected it from different provider IdSrv-staging. API validated it and returned error.
问题在于错误并未提示问题的实际原因。 MS应该提供更多详细的错误消息以帮助调试。
当前错误消息不足以识别原因。
The problem is that the errror doesn't give a hint to the actual cause of the issue. MS should provide much more detailed error message to help debugging. The current error message is not sufficient to identify the cause.
这篇关于无法使用IdentityServer验证AccessToken的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
