Azure KeyVault - Sign JWT Token
Question
I began using Azure Keyvault to store private keys for my application.
I have a use case where I need to sign a JWT token with an RSA private key.
When I had the private key in my application memory, it was easy; I would just do this:
var token = new JwtSecurityToken(
issuer,
...,
claims,
...,
...,
signingCredentials_PrivateKey);
Now that I began to use Azure Keyvault, I want to see if it's possible to sign JWT tokens via the KeyVaultClient.SignAsync method, with
KeyVaultClient client = ...;
var token = new JwtSecurityToken(
issuer,
...,
claims,
...,
...);
var tokenString = client.SignAsync(myKeyIdentifier, token);
Recommended answer
First, a JWT token consists of three parts: Header, Payload and Signature. All of them are Base64UrlEncoded.
You can get the signature as follows:
HMAC-SHA256(
base64urlEncoding(header) + '.' + base64urlEncoding(payload),
secret
)
So, you need to generate the header and payload, combine them with a dot, compute the hash, and then you can get the signature.
Here is a sample for your reference:
// Signing input is the ASCII string header.payload; hash its UTF-8 bytes (UTF-16 "Unicode" bytes would produce a signature no verifier accepts)
var byteData = Encoding.UTF8.GetBytes(base64urlEncoding(header) + "." + base64urlEncoding(payload));
// Key Vault signs a digest, not the data, so hash locally first; RS256 is SHA-256 with RSASSA-PKCS1-v1_5
using var hasher = SHA256.Create();
var digest = hasher.ComputeHash(byteData);
// KeyVaultClient.SignAsync returns a KeyOperationResult; the raw signature bytes are in .Result
var signed = await keyClient.SignAsync(keyIdentifier, "RS256", digest);
var token = base64urlEncoding(header) + "." + base64urlEncoding(payload) + "." + base64urlEncoding(signed.Result);
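The answer's HMAC-SHA256 formula describes HS256; with an RSA key in Key Vault the header must declare RS256, the signing input is hashed locally with SHA-256, and only the digest goes to the vault, which returns an RSASSA-PKCS1-v1_5 signature over it. The following is an added, self-contained example (not the answer's code and not an Azure SDK sample) that builds the compact JWS that way and verifies it. SignDigestAsync is an assumed abstraction standing for the vault call; a locally generated RSA key plays the vault so the program runs offline on .NET 6 or later. The issuer, subject, key id and forged payload are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not the answer's code. Builds and verifies an RS256 JWS in compact form,
// delegating only the SHA-256 digest to an external signer, which is what Key Vault's sign
// operation consumes. SignDigestAsync is an assumed abstraction; a local RSA key stands in
// for the vault so the program runs offline (.NET 6 or later).
public static class JwtRs256
{
    // Implementation with the client used in the answer (Microsoft.Azure.KeyVault) would be:
    //   async digest => (await keyClient.SignAsync(keyIdentifier, "RS256", digest)).Result
    public delegate Task<byte[]> SignDigestAsync(byte[] sha256Digest);

    public static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    public static async Task<string> CreateAsync(string issuer, string subject, DateTimeOffset now,
                                                 TimeSpan lifetime, string keyId, SignDigestAsync signDigest)
    {
        // alg must state what the vault actually does (RS256); kid lets verifiers pick the key after rotation.
        string header = JsonSerializer.Serialize(new { alg = "RS256", typ = "JWT", kid = keyId });
        string payload = JsonSerializer.Serialize(new
        {
            iss = issuer,
            sub = subject,
            iat = now.ToUnixTimeSeconds(),
            exp = now.Add(lifetime).ToUnixTimeSeconds(),
        });
        string signingInput = Base64UrlEncode(Encoding.UTF8.GetBytes(header)) + "."
                            + Base64UrlEncode(Encoding.UTF8.GetBytes(payload));

        // Hash the ASCII signing input locally (UTF-8 bytes, never UTF-16); the vault only sees the digest
        // and wraps it in RSASSA-PKCS1-v1_5, which is what RS256 means.
        byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes(signingInput));
        byte[] signature = await signDigest(digest);
        return signingInput + "." + Base64UrlEncode(signature);
    }

    public static bool Verify(string token, RSA publicKey)
    {
        try
        {
            string[] parts = token.Split('.');
            if (parts.Length != 3) return false;

            // Pin the algorithm: the header must not be allowed to downgrade to "none" or switch to HS256.
            using JsonDocument header = JsonDocument.Parse(Base64UrlDecode(parts[0]));
            if (!header.RootElement.TryGetProperty("alg", out JsonElement alg) || alg.GetString() != "RS256")
                return false;

            byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]));
            return publicKey.VerifyHash(digest, Base64UrlDecode(parts[2]),
                                        HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        catch (FormatException) { return false; }   // malformed base64url
        catch (JsonException) { return false; }     // malformed header JSON
    }

    public static async Task Main()
    {
        // Stand-in for the vault key: in production only Key Vault holds the private half.
        using RSA vaultKey = RSA.Create(2048);
        SignDigestAsync signer = digest =>
            Task.FromResult(vaultKey.SignHash(digest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

        string token = await CreateAsync("https://issuer.example", "user-42", DateTimeOffset.UtcNow,
                                         TimeSpan.FromMinutes(10), "example-key-v1", signer);
        Console.WriteLine(token);

        using RSA publicKey = RSA.Create();
        publicKey.ImportRSAPublicKey(vaultKey.ExportRSAPublicKey(), out _);
        Console.WriteLine(Verify(token, publicKey));

        // Constructed tampered payload: the signature no longer covers the signing input, so Verify fails.
        string[] parts = token.Split('.');
        string forgedPayload = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"iss\":\"attacker\",\"sub\":\"admin\"}"));
        Console.WriteLine(Verify(parts[0] + "." + forgedPayload + "." + parts[2], publicKey));
    }
}
```

To use a real vault, replace the `signer` lambda with one that calls Key Vault with the "RS256" algorithm and returns the signature bytes; the rest of the pipeline, including the locally computed digest and the UTF-8 signing input, stays the same. Verify deliberately ignores the header's algorithm when choosing how to check the signature and rejects anything other than RS256, and it still needs claim checks (exp, iss, aud) on top of the signature check before the token is trusted.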