IDX10501: Signature validation failed. Unable to match keys


Problem description

Please help me to understand the difference between JWT token validation from the ASP.NET Core application and the .NET Core Kestrel hosted application.

There are two applications that verify the token using source code like below:

public static IServiceCollection AddJwtToken(this IServiceCollection services, OAuthConfig config)
{
    services.AddMvc();
    services.AddAuthorization();

    Logger.DebugFormat("AddJwtBearer authority:{0} audience:{1}", config.GetAuthority(), config.Resource);

    // Note: AddJwtBearer takes an Action<JwtBearerOptions>. This expression lambda
    // constructs a new JwtBearerOptions and discards it; the 'options' instance the
    // handler actually uses is never assigned Authority or Audience.
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options => new JwtBearerOptions
        {
            Authority = config.GetAuthority(),
            Audience = config.Resource,
        });

    return services;
}

It is pretty simple and it works well if the token is being validated from the ASP.NET Core 2.2 application:

// in the asp.net core
var builder = WebHost.CreateDefaultBuilder(args);
builder
    .UseStartup<Startup>()
    .ConfigureKestrel(_ => _.ConfigureEndpoints())
    .UseSerilog();

And there is another application (console) that starts the same REST service host using UseKestrel:

//in the console app
var builder = WebHost.CreateDefaultBuilder()
    .UseNLog()
    .UseKestrel(_ => _.ConfigureEndpoints())
    .UseStartup<Startup>();

The only significant difference is that there is UseKestrel in the console versus ConfigureKestrel for ASP.NET Core.

The same source code (and configuration) is used to get the token from Azure AD. Please find it in the gist here. It is configured to get the token from the https://login.microsoftonline.com/{tenant}/v2.0 provider. The same token endpoint, client id, secret and scope values are used for both cases.

The problem is that AddJwtBearer validates the token in the ASP.NET Core app and does not in the console app. The error is:

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys:
kid: 'BB8CeFVqyaGrGNuehJIiL4dfjzw',
token: '{"typ":"JWT","alg":"RS256","kid":"BB8CeFVqyaGrGNuehJIiL4dfjzw"}.{"aud":"2c163c99-935b-4362-ae0d-657f589f5565","iss":"https://login.microsoftonline.com/{tenantidhere}/v2.0

Why does the ASP.NET Core host validate the token (for the first AddJwtBearer implementation) while the console host fails?

Thanks

Recommended answer

To solve this error I had to load the keys from the OpenID provider as below:

Logger.DebugFormat("AddJwtBearer authority:{0} audience:{1}", config.GetAuthority(), config.Resource);

IList<string> validissuers = new List<string>()
{
    config.GetAuthority(),
};

// Fetch the OpenID Connect discovery document once, at service registration time,
// and keep the signing keys it advertises. Blocking on .Result runs before the host starts.
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>($"{validissuers.Last()}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());

var openidconfig = configManager.GetConfigurationAsync().Result;

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, _ =>
    {
        _.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
        {
            ValidateAudience = true,
            ValidAudience = config.Resource,

            ValidateIssuer = true,
            ValidIssuers = new[] { config.GetAuthority() },

            ValidateIssuerSigningKey = true,
            // Static key list captured above; it is not refreshed if the provider
            // rotates its signing keys, because no Authority/ConfigurationManager is set here.
            IssuerSigningKeys = openidconfig.SigningKeys,

            RequireExpirationTime = true,
            ValidateLifetime = true,
            RequireSignedTokens = true,
        };

        // Only relevant when the handler itself fetches metadata (Authority/MetadataAddress set).
        _.RequireHttpsMetadata = false;

    });

And it started to work for both cases. But what is the difference between the old AddJwtBearer implementation and the new one (related to the key validation)? Keys were downloaded and supplied using IssuerSigningKeys = openidconfig.SigningKeys, but why are they not loaded automatically from .well-known/openid-configuration by the AddJwtBearer middleware?
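As an added example (not code from the question or the answer), the two shapes of the AddJwtBearer configuration delegate side by side, with comments on what the handler does with each; it assumes the question's OAuthConfig type with GetAuthority() and Resource.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Assumes the question's OAuthConfig type (GetAuthority(), Resource).
public static class JwtBearerSetup
{
    // Form 1, as written in the question. AddJwtBearer takes an
    // Action<JwtBearerOptions>; this expression lambda builds a fresh
    // JwtBearerOptions and discards it, so the 'options' instance the
    // handler actually uses keeps Authority == null and Audience == null.
    // Without an Authority no metadata address is derived, the handler
    // never downloads .well-known/openid-configuration, and signature
    // validation has no key to match the token's 'kid' against.
    public static IServiceCollection AddJwtTokenBroken(this IServiceCollection services, OAuthConfig config)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options => new JwtBearerOptions
            {
                Authority = config.GetAuthority(),
                Audience = config.Resource,
            });
        return services;
    }

    // Form 2: assign to the instance the handler passes in. The handler
    // then builds its own ConfigurationManager from Authority, fetches the
    // signing keys on first use and, because RefreshOnIssuerKeyNotFound
    // defaults to true, re-fetches them when a token carries an unknown
    // 'kid' (key rotation at the provider). A key list captured once at
    // startup, as in the answer's IssuerSigningKeys, does not refresh.
    public static IServiceCollection AddJwtTokenFixed(this IServiceCollection services, OAuthConfig config)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = config.GetAuthority();
                options.Audience = config.Resource;
            });
        return services;
    }
}
```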
