Azure AD B2C - 令牌验证不起作用 [英] Azure AD B2C - Token validation does not work
问题描述
我想使用 Azure AD B2C,但在使用时遇到了一些困难.我遇到的一个问题是验证令牌的签名.首先,我想使用 jwt.io 手动"验证令牌.
根据
但是Jwt.io、jsonwebtoken.io、jose-jwt都说签名无效.
我错过了什么?
Jwt.io 似乎只支持带字符串密钥的 HS265 和带字符串密钥或证书的 RS256.
Azure AD B2C 使用更原生的 RS256 形式,根据 RFC 3447,第 3.1 节 定义公钥由两部分组成:n
和 e
.JWK 包含 n
和 e
可用于生成公钥和验证令牌签名.
为了使用 Jwt.io,您需要将 Azure AD B2C 的 n + e 格式的密钥转换为证书格式.有关如何执行此操作的参考,请参阅此示例:Go Language将模数指数转换为 X.509 证书
I would like to use Azure AD B2C but have several difficulties using it. One problem I have is to validate the signature of the token. First I wanted to validate the token "manually" using jwt.io.
According to the Microsoft Docs, validating the signature should work like this:
Your app can use the kid claim in the JWT header to select the public key in the JSON document that is used to sign a particular token. It can then perform signature validation by using the correct public key and the indicated algorithm.
My understandig: Grab the kid value out of the header, lookup the key in the metadata under the location of jwks_uri, (assumption) use the value of "n" to verify the signature.
But Jwt.io, jsonwebtoken.io, and jose-jwt all say, that the siganture is invalid.
What am I missing?
Jwt.io seems to only support HS265 with a string secret and RS256 with a string secret or a certificate.
Azure AD B2C uses the more native form of RS256 which as per RFC 3447, section 3.1 defines that the public key consists of two components: n
and e
. The JWK contains both n
and e
which can be used to generate public key and validate the token signature.
In order to use Jwt.io, you'll need to convert Azure AD B2C's n + e format for the key to a cert format. See this example for a reference on how to do this: Go Language Convert Modulus exponent to X.509 certificate
这篇关于Azure AD B2C - 令牌验证不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!