Is it necessary to set ValidateIssuerSigningKey to true when using HMAC256 for verifying JWT Token?

Question

I am building a Web API with ASP.NET Core and using JWT tokens to authenticate users.

I see that the default value of the ValidateIssuerSigningKey property of TokenValidationParameters is false.

When signing and verifying tokens with an HMAC256 symmetric key (where no public key is added to the token, as there is with RSA), does it make any difference if this is set to true?

    services
        .AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(cfg =>
        {
            cfg.RequireHttpsMetadata = false;
            cfg.SaveToken = true;
            string jwtIssuer = configuration["JwtIssuer"];
            SymmetricSecurityKey securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JwtKey"]));
            cfg.TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = jwtIssuer,
                ValidAudience = jwtIssuer,
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = securityKey,
                ClockSkew = TimeSpan.Zero
            };
        });

Or is it only necessary to set ValidateIssuerSigningKey to true when using RSA keys?

Here is the code-level documentation for this property:

    //
    // Summary:
    //     Gets or sets a boolean that controls if validation of the Microsoft.IdentityModel.Tokens.SecurityKey
    //     that signed the securityToken is called.
    //
    // Remarks:
    //     It is possible for tokens to contain the public key needed to check the signature.
    //     For example, X509Data can be hydrated into an X509Certificate, which can be used
    //     to validate the signature. In these cases it is important to validate the SigningKey
    //     that was used to validate the signature.
    [DefaultValue(false)]
    public bool ValidateIssuerSigningKey { get; set; }

Answer

Looking at the Microsoft.IdentityModel.Tokens source code, I can find only one place where the ValidateIssuerSigningKey boolean property is used, here:

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/Validators.cs

which ultimately results in this block of code being executed:

    X509SecurityKey x509SecurityKey = securityKey as X509SecurityKey;
    if (x509SecurityKey?.Certificate is X509Certificate2 cert)
    {
        DateTime utcNow = DateTime.UtcNow;
        var notBeforeUtc = cert.NotBefore.ToUniversalTime();
        var notAfterUtc = cert.NotAfter.ToUniversalTime();

        if (notBeforeUtc > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew))
            throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10248, notBeforeUtc, utcNow)));

        LogHelper.LogInformation(LogMessages.IDX10250, notBeforeUtc, utcNow);

        if (notAfterUtc < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate()))
            throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10249, notAfterUtc, utcNow)));

        LogHelper.LogInformation(LogMessages.IDX10251, notAfterUtc, utcNow);
    }

That is, the flag is only relevant to X509 certificates, and it tests their validity period. So I suspect it has no effect on tokens verified with HMAC256... unless the HMAC key is obtained from an X509 certificate!
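The following console program is an added example, not code from the original question or answer. It issues an HS256 token with a SymmetricSecurityKey (the same setup as the question's AddJwtBearer configuration) and validates a genuine and a signature-tampered copy with ValidateIssuerSigningKey set to false and then to true. The key, issuer and claim values are constructed placeholders; it assumes the System.IdentityModel.Tokens.Jwt NuGet package is referenced.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example; not part of the original post. Requires the System.IdentityModel.Tokens.Jwt package.
public static class ValidateIssuerSigningKeyDemo
{
    // Constructed placeholder key: 32 ASCII bytes, enough for the HS256 minimum key size.
    // A real service reads this from configuration (the question's "JwtKey"), never from source.
    private const string PlaceholderKey = "example-only-hmac-key-32-bytes!!";
    private const string Issuer = "https://issuer.example"; // constructed placeholder

    // Issues an HS256 token the way the question's API would (issuer doubles as audience there).
    public static string IssueToken(SymmetricSecurityKey key)
    {
        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Issuer,
            claims: new[] { new Claim(ClaimTypes.Name, "alice") }, // constructed claim
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Mirrors the question's TokenValidationParameters, with the flag under test as a parameter.
    public static TokenValidationParameters Parameters(SymmetricSecurityKey key, bool validateIssuerSigningKey) =>
        new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Issuer,
            ValidateIssuerSigningKey = validateIssuerSigningKey,
            IssuerSigningKey = key,
            ClockSkew = TimeSpan.Zero
        };

    // Returns "valid" or the name of the SecurityTokenException subtype that validation threw.
    public static string TryValidate(string jwt, TokenValidationParameters parameters)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return "valid";
        }
        catch (SecurityTokenException ex)
        {
            return ex.GetType().Name;
        }
    }

    // Corrupts the first base64url character of the signature segment (header.payload.signature),
    // which changes the leading bits of the HMAC so the token must fail signature validation.
    public static string TamperSignature(string jwt)
    {
        string[] parts = jwt.Split('.');
        char first = parts[2][0] == 'A' ? 'B' : 'A';
        parts[2] = first + parts[2].Substring(1);
        return string.Join(".", parts);
    }

    public static void Main()
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(PlaceholderKey));
        string genuine = IssueToken(key);
        string tampered = TamperSignature(genuine);

        foreach (bool flag in new[] { false, true })
        {
            var p = Parameters(key, flag);
            // The result is the same for both flag settings: the HMAC is always checked during
            // signature validation, and with a SymmetricSecurityKey there is no X509 certificate
            // for ValidateIssuerSigningKey to inspect, so the flag adds no further check.
            Console.WriteLine(
                $"ValidateIssuerSigningKey={flag}: genuine -> {TryValidate(genuine, p)}, tampered -> {TryValidate(tampered, p)}");
        }
    }
}
```

The practical takeaway matches the answer above: signature verification with the symmetric key happens regardless of the flag, so the flag is not what protects an HS256 token from tampering. What does matter for HS256 is keeping the shared key secret and long enough, and setting ValidIssuer, ValidAudience and lifetime validation as the question's configuration already does.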
