忽略 JWT 中的签名 [英] Ignoring signature in JWT

问题描述

我有一个使用 OpenId Connect 的 Web 应用程序.我创建了一个自签名证书，但它仍未由 CA 签名.如何忽略签名验证?

I have an web application that is using OpenId Connect. I created a self signed certificate but it is still not signed by a CA. How can I ignore the signature validation?

这是我目前所拥有的:

SecurityToken validatedToken = null;

var tokenHandler = new JwtSecurityTokenHandler {
    Configuration = new SecurityTokenHandlerConfiguration {
        CertificateValidator = X509CertificateValidator.None
    },
};

TokenValidationParameters validationParams =
    new TokenValidationParameters()
    {
        ValidAudience = ConfigurationManager.AppSettings["Audience"],
        ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
        AudienceValidator = AudienceValidator,
        ValidateAudience = true,
        ValidateIssuer = true
    };

return tokenHandler.ValidateToken(jwtToken, validationParams, out validatedToken);

它会抛出以下异常:

IDX10500:签名验证失败.无法解决SecurityKeyIdentifier: 'SecurityKeyIdentifier (
IsReadOnly = False， 计数 = 1， 子句[0] =System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ', 令牌:'{"typ":"JWT","alg":"RS256","kid":"issuer_rsaKey"}.{"iss":...

IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier (
IsReadOnly = False, Count = 1, Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ', token: '{"typ":"JWT","alg":"RS256","kid":"issuer_rsaKey"}.{"iss":...

推荐答案

不要忽略签名，这很危险！

即使您使用自签名证书，您也可以使用公钥进行签名验证.

Even if you use a self-signed certificate, you will be able to use the public key for signature validation.

由于您使用的是 OpenId Connect，因此您应该能够通过前往 /.well-known/jwks 获取签名证书的公钥.

Since you are using OpenId Connect, you should be able to get the public key for your signing certificate by heading over to /.well-known/jwks.

然后您可以像这样设置验证参数:

Then you can setup your validation parameters like this:

var certificate = new X509Certificate2(Convert.FromBase64String(yourPublicKeyGoesHere));

var validationParameters = new TokenValidationParameters { 
    IssuerSigningTokens = new[] { new X509SecurityToken(certificate) }  
};

之后，你可以调用ValidateToken:

SecurityToken token;
var claimsPrincipal = handler.ValidateToken(encodedToken, validationParameters, out token);

您真的要忽略签名吗?

记住，如果你这样做了，你怎么知道有人没有篡改令牌内的数据?您可以轻松解码 base64 url​​ 编码的有效负载并更改主题.如果您在应用程序中依赖它，您将遇到麻烦(提示:有人访问其他人的数据)

Remember, if you do, how do you know someone didn't tamper with the data inside the token? You could easily decode the base64 url encoded payload and change the subject. And if you rely on that in your application, you'll be in trouble (hint: someone accessing someone else data)

你真的，真的想忽略它吗?

您可以使用 ReadToken 并跳过所有验证:

You can use ReadToken and just skip every validation there is:

var badJwt = new JwtSecurityTokenHandler()
                 .ReadToken(encodedMaliciousToken) as JwtSecurityToken;

不要这样做，这是不好的做法.

这篇关于忽略 JWT 中的签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！