When is JWTSecurityTokenHandler.ValidateToken() actually valid?


Question

I am attempting to create a token validation method that returns true if a JWT token is valid based on the signature. I don't think I really need to validate everything in the token, but what actually signifies that a token is valid after calling ValidateToken()? The existence of a principal? The out-referenced token containing certain values? I'm not sure when to return true from this method.

using System;
using System.IdentityModel.Tokens.Jwt;   // JwtSecurityTokenHandler, JwtSecurityToken
using Microsoft.IdentityModel.Tokens;    // TokenValidationParameters, SecurityToken (5.x+; in 4.x these live in System.IdentityModel.Tokens)

// ApplicationId and JsonWebTokenSecretKey are members of the enclosing class (not shown in the post).
public bool ValidateToken(string tokenString)
{
    var validationParameters = new TokenValidationParameters()
    {
        ValidIssuer = "My Company",
        ValidAudience = ApplicationId,
        IssuerSigningKey = JsonWebTokenSecretKey
    };

    // ValidateToken throws a SecurityTokenException (or ArgumentException for unreadable input)
    // when the signature, issuer, audience or lifetime check fails; it does not return null.
    SecurityToken token;
    var tokenHandler = new JwtSecurityTokenHandler();
    var principal = tokenHandler.ValidateToken(tokenString, validationParameters, out token);

    return principal != null;
}

Answer

I check all of the claim values manually. I've been searching for a definitive answer to the same question, but the only thing I have seen is that the ValidateToken function will throw an exception if something is wrong, so I begin by wrapping the call in a try-catch and returning false from the catch.

That's just my "first pass" at validating the token, though. Afterwards I do a little more heavy lifting to check certain values manually. For example, I make sure that the unique_name value in the claims section actually exists as a user in my database, that the user has not been deactivated, and other proprietary system stuff like that.

    using System;
    using System.IdentityModel.Tokens;        // TokenValidationParameters, BinarySecretSecurityToken, SecurityTokenException (4.x API)
    using System.IdentityModel.Tokens.Jwt;    // JwtSecurityTokenHandler

    // _key (byte[]), _audience and _issuer are static fields of the enclosing class (not shown in the post).
    public static bool VerifyToken(string token)
    {
        var validationParameters = new TokenValidationParameters()
        {
            // IssuerSigningToken is the System.IdentityModel.Tokens.Jwt 4.x property; in
            // Microsoft.IdentityModel.Tokens 5.x+ use IssuerSigningKey = new SymmetricSecurityKey(_key).
            IssuerSigningToken = new BinarySecretSecurityToken(_key),
            ValidAudience = _audience,
            ValidIssuer = _issuer,
            ValidateLifetime = true,        // nbf / exp
            ValidateAudience = true,        // aud
            ValidateIssuer = true,          // iss
            ValidateIssuerSigningKey = true // signature must verify under _key
        };

        var tokenHandler = new JwtSecurityTokenHandler();
        SecurityToken validatedToken = null;
        try
        {
            // Throws on any failed check; the returned ClaimsPrincipal is deliberately ignored here.
            tokenHandler.ValidateToken(token, validationParameters, out validatedToken);
        }
        catch(SecurityTokenException)
        {
            // Signature, issuer, audience or lifetime check failed.
            return false; 
        }
        catch(Exception e)
        { 
            // Note: null/empty, oversized or (in some library versions) malformed token strings surface
            // as ArgumentException rather than SecurityTokenException, so they are rethrown here.
            log(e.ToString()); // log() is the author's own logging helper (not shown); something else happened
            throw;
        }
        //... manual validations return false if anything untoward is discovered
        return validatedToken != null;
    }

The last line, return validatedToken != null, is purely superstition on my part. I've never seen the validatedToken be null.
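The following is an added example, not code from the question or the answer above, that makes concrete what "valid" means after ValidateToken(): it mints a token, then validates a genuine one, one signed with a different key, an expired one, one for a deactivated user, and an unparseable string, before applying the kind of application-level claim check the answer describes. It assumes the System.IdentityModel.Tokens.Jwt 6.x package (Microsoft.IdentityModel.Tokens API); the key material, issuer, audience and the ActiveUsers dictionary standing in for a user database are constructed demo values.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtCheck
{
    // Constructed demo values; in production the key comes from a secret store.
    // HS256 keys must be at least 256 bits (32 bytes) or the library rejects them.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-secret-key-that-is-at-least-32-bytes!"));
    private const string Issuer = "My Company";
    private const string Audience = "my-application-id";

    // Hypothetical user store standing in for the answer's database lookup (user -> is active).
    private static readonly Dictionary<string, bool> ActiveUsers =
        new Dictionary<string, bool> { ["alice"] = true, ["bob"] = false };

    // Issues an HS256 token; notBefore is backdated so negative lifetimes yield an already-expired token.
    public static string Mint(string user, SecurityKey signingKey, TimeSpan lifetime)
    {
        var creds = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.UniqueName, user) },
            notBefore: now.AddMinutes(-10),
            expires: now.Add(lifetime),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Returns the principal only if every library check and every application check passed.
    // 'reason' is for server-side logging; do not echo it back to the caller.
    public static ClaimsPrincipal Validate(string jwt, out string reason)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = Key,
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = Audience,
            ValidateLifetime = true,
            RequireExpirationTime = true,   // a token without exp is rejected
            RequireSignedTokens = true,     // alg "none" / empty signature is rejected
            ClockSkew = TimeSpan.Zero,      // library default is 5 minutes
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 } // pin the algorithm
        };

        ClaimsPrincipal principal;
        try
        {
            principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
        }
        catch (SecurityTokenExpiredException) { reason = "expired"; return null; }
        catch (SecurityTokenInvalidSignatureException) { reason = "bad signature"; return null; }
        catch (SecurityTokenException e) { reason = "rejected: " + e.GetType().Name; return null; }
        catch (ArgumentException) { reason = "not a readable JWT"; return null; }

        // Library checks passed (signature, iss, aud, nbf/exp). Now the application checks.
        // JwtSecurityTokenHandler maps "unique_name" to ClaimTypes.Name by default.
        var user = (principal.FindFirst(ClaimTypes.Name) ?? principal.FindFirst("unique_name"))?.Value;
        if (user == null || !ActiveUsers.TryGetValue(user, out var active)) { reason = "unknown user"; return null; }
        if (!active) { reason = "user deactivated"; return null; }

        reason = "ok";
        return principal;
    }

    public static void Main()
    {
        var wrongKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("another-key-that-is-also-32-bytes-long!!"));
        var cases = new Dictionary<string, string>
        {
            ["genuine"]     = Mint("alice", Key, TimeSpan.FromMinutes(5)),
            ["wrong key"]   = Mint("alice", wrongKey, TimeSpan.FromMinutes(5)),
            ["expired"]     = Mint("alice", Key, TimeSpan.FromMinutes(-5)),
            ["deactivated"] = Mint("bob", Key, TimeSpan.FromMinutes(5)),
            ["garbage"]     = "not.a.jwt",
        };
        foreach (var c in cases)
        {
            var p = Validate(c.Value, out var why);
            Console.WriteLine($"{c.Key,-12} -> {(p != null ? "VALID" : "INVALID")} ({why})");
        }
    }
}
```

Only the "genuine" case yields a non-null principal; every other case is rejected inside ValidateToken() by an exception, or by the user lookup afterwards. Pinning ValidAlgorithms and leaving RequireSignedTokens on are the two settings worth keeping even when you "only care about the signature", since they are what stop an attacker from changing the alg header to sidestep the check.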
