JwtSecurityTokenHandler 4.0.0 Breaking Changes?


Problem description

This is a simplified test for JwtSecurityTokenHandler 4.0.0 in Linqpad. The code works well with JwtSecurityTokenHandler 3.0.2, the token is generated and validated. In 4.0.0, after the necessary changes, I keep getting SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier. Obviously something has changed or I am doing something wrong and the new version is more strict. Any suggestions?

using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
#if JWT302
using System.IdentityModel.Protocols.WSTrust; // Lifetime lives here in 3.0.2
#endif

string jwtIssuer = "issuer";
string jwtAudience = "audience";

// Load the signing certificate (private key needed for signing) from the machine store
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = store.Certificates.OfType<X509Certificate2>()
    .FirstOrDefault(c => c.SubjectName.Name.Equals("CN=DEV_CERT", StringComparison.OrdinalIgnoreCase));
store.Close();

// Token generation and signing
X509SigningCredentials signingCredentials = new X509SigningCredentials(cert);
JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
IList<Claim> payloadClaims = new List<Claim>
{
    new Claim(ClaimTypes.Name, "name"),
};

#if JWT302
// 3.0.2 constructor takes a Lifetime object
Lifetime lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddSeconds(24 * 60 * 60));
JwtSecurityToken jwt = new JwtSecurityToken(jwtIssuer, jwtAudience, payloadClaims, lifetime, signingCredentials);
#else
// 4.0.0 constructor takes notBefore / expires directly
JwtSecurityToken jwt = new JwtSecurityToken(jwtIssuer, jwtAudience, payloadClaims,
    DateTime.UtcNow, DateTime.UtcNow.AddSeconds(24 * 60 * 60), signingCredentials);
#endif

string token = jwtHandler.WriteToken(jwt);

// Token validation using only the certificate's public key
var signingToken = new RsaSecurityToken((RSACryptoServiceProvider)cert.PublicKey.Key);

JwtSecurityTokenHandler jwtHandler2 = new JwtSecurityTokenHandler();

#if JWT302
TokenValidationParameters vp = new TokenValidationParameters
{
    AllowedAudience = jwtAudience,
    ValidIssuer = jwtIssuer,
    ValidateIssuer = true,
    SigningToken = signingToken
};

var principal = jwtHandler2.ValidateToken(token, vp);
#else
// 4.0.0 renamed AllowedAudience -> ValidAudience and SigningToken -> IssuerSigningToken
TokenValidationParameters vp = new TokenValidationParameters
{
    ValidAudience = jwtAudience,
    ValidIssuer = jwtIssuer,
    ValidateIssuer = true,
    IssuerSigningToken = signingToken
};

SecurityToken validatedToken;

var principal = jwtHandler2.ValidateToken(token, vp, out validatedToken);
#endif

Recommended answer

This exception is thrown if:

  1. the jwt has a 'kid'
  2. the runtime is unable to match any SigningToken.

While we investigate the issue, you can use the delegate TokenValidationParameters.IssuerSigningKeyResolver to directly return the signing key to use when checking the signature.

To achieve this, set TokenValidationParameters.IssuerSigningKeyResolver to a function that will return the same key that you set above in TokenValidationParameters.SigningToken. The purpose of this delegate is to instruct the runtime to ignore any 'matching' semantics and just try the key.

If the signature validation still fails, it may be a key issue.

If the signature validation doesn't fail, the runtime may need a fix.

If you can provide us with a jwt signed with that public key, that would help us make a fix.

Thanks for giving us a try, sorry for the hassle.
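Applying the answer's workaround to the asker's 4.0.0 validation code, as an added example that is not code from the question, the answer, or the library's own samples. It assumes the 4.0.0 delegate has the shape SecurityKey IssuerSigningKeyResolver(string token, SecurityToken securityToken, SecurityKeyIdentifier keyIdentifier, TokenValidationParameters validationParameters), that SecurityTokenInvalidSignatureException is the type thrown for a bad signature in 4.0.0, and that the certificate and token come from the question's setup.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ExplicitKeyValidation
{
    // Validates 'token' with the certificate's public key handed to the runtime
    // directly, bypassing 'kid' -> SigningToken matching (the answer's workaround).
    public static ClaimsPrincipal Validate(string token, X509Certificate2 cert,
                                           string issuer, string audience)
    {
        // Same key the question placed in IssuerSigningToken
        var signingToken = new RsaSecurityToken((RSACryptoServiceProvider)cert.PublicKey.Key);
        SecurityKey signingKey = signingToken.SecurityKeys[0];

        var vp = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            ValidateIssuer = true,
            ValidateAudience = true,
            IssuerSigningToken = signingToken,
            // Assumed 4.0.0 delegate shape: ignore the header's key identifier
            // and always return the one key we trust for this issuer.
            IssuerSigningKeyResolver =
                (t, securityToken, keyIdentifier, parameters) => signingKey
        };

        SecurityToken validatedToken;
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(token, vp, out validatedToken);
        }
        catch (SecurityTokenInvalidSignatureException ex)
        {
            // Key was supplied directly, so a signature failure here means the
            // key itself is wrong (the answer's "may be a key issue" case).
            throw new InvalidOperationException(
                "Signature rejected with the key supplied directly; check the certificate/key pair.", ex);
        }
    }
}
```

If Validate succeeds where the original IssuerSigningToken-only setup threw IDX10500, the failure was in key resolution rather than in the key, which is the case the answer says needs a runtime fix.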
