Azure AD B2C - Token validation does not work


Problem description


I would like to use Azure AD B2C but have several difficulties using it. One problem I have is to validate the signature of the token. First I wanted to validate the token "manually" using jwt.io.

According to the Microsoft Docs, validating the signature should work like this:

Your app can use the kid claim in the JWT header to select the public key in the JSON document that is used to sign a particular token. It can then perform signature validation by using the correct public key and the indicated algorithm.

My understanding: Grab the kid value out of the header, look up the key in the metadata under the location of jwks_uri, (assumption) use the value of "n" to verify the signature.

But Jwt.io, jsonwebtoken.io, and jose-jwt all say that the signature is invalid.

What am I missing?

Solution

Jwt.io seems to only support HS256 with a string secret and RS256 with a string secret or a certificate.

Azure AD B2C uses the more native form of RS256 which, as per RFC 3447, section 3.1, defines that the public key consists of two components: n and e. The JWK contains both n and e, which can be used to generate the public key and validate the token signature.

In order to use Jwt.io, you'll need to convert Azure AD B2C's n + e format for the key to a cert format. See this example for a reference on how to do this: Go Language Convert Modulus exponent to X.509 certificate
