JwtSecurityTokenHandler 4.0.0 Breaking Changes?


Question


This is a simplified test for JwtSecurityTokenHandler 4.0.0 in Linqpad. The code works well with JwtSecurityTokenHandler 3.0.2, the token is generated and validated. In 4.0.0, after the necessary changes, I keep getting SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier. Obviously something has changed or I am doing something wrong and the new version is more strict. Any suggestions?

// Namespaces this LINQPad script needs (add them in the query properties):
// System.IdentityModel.Tokens (JwtSecurityTokenHandler, JwtSecurityToken, TokenValidationParameters,
// X509SigningCredentials, RsaSecurityToken), System.Security.Claims,
// System.Security.Cryptography, System.Security.Cryptography.X509Certificates,
// and, for the JWT302 branch, System.IdentityModel.Protocols.WSTrust (Lifetime).
string jwtIssuer = "issuer";
string jwtAudience = "audience";

X509Store store = new X509Store(StoreName.My,  StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = store.Certificates.OfType<X509Certificate2>().FirstOrDefault( c => c.SubjectName.Name.Equals("CN=DEV_CERT", StringComparison.OrdinalIgnoreCase));
store.Close();
// Token generation and signing
X509SigningCredentials signingCredentials = new X509SigningCredentials(cert);
JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
IList<System.Security.Claims.Claim> payloadClaims = new List<System.Security.Claims.Claim>() { 
    new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Name , "name"), 
};

#if JWT302
    Lifetime lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddSeconds(24*60*60));
    JwtSecurityToken jwt = new JwtSecurityToken( jwtIssuer, jwtAudience, payloadClaims,  lifetime, signingCredentials);
#else
    JwtSecurityToken jwt = new JwtSecurityToken( jwtIssuer, jwtAudience, payloadClaims, DateTime.UtcNow, DateTime.UtcNow.AddSeconds(24*60*60), signingCredentials);
#endif

string token = jwtHandler.WriteToken(jwt); 

// Token validation
var signingToken = new RsaSecurityToken((RSACryptoServiceProvider)cert.PublicKey.Key);

JwtSecurityTokenHandler jwtHandler2 = new JwtSecurityTokenHandler();

#if JWT302
TokenValidationParameters vp = new TokenValidationParameters() {  
                                        AllowedAudience = jwtAudience, 
                                        ValidIssuer = jwtIssuer,
                                        ValidateIssuer = true
                                        ,SigningToken = signingToken 
                                        };

    var principal  = jwtHandler2.ValidateToken(token, vp);
#else
TokenValidationParameters vp = new TokenValidationParameters() { 
                                        ValidAudience = jwtAudience, 
                                        ValidIssuer = jwtIssuer,
                                        ValidateIssuer = true
                                        ,IssuerSigningToken = signingToken 
                                        };

    SecurityToken validatedToken;

    var principal  = jwtHandler2.ValidateToken(token, vp, out validatedToken);
#endif

Solution

This exception is thrown if:

  1. The jwt has a 'kid'
  2. The runtime was unable to match any of the SigningTokens.

While we investigate the issue, you can use the delegate TokenValidationParameters.IssuerSigningKeyResolver to directly return the signing key to use when checking the signature.

To achieve this set: TokenValidationParameters.IssuerSigningKeyResolver to a function that will return the same key that you set above in TokenValidationParameters.SigningToken. The purpose of this delegate is to instruct the runtime to ignore any 'matching' semantics and just try the key.

If the signature validation still fails, it may be a key issue.

If the signature validation doesn't fail, the runtime may need a fix.

If you can provide us with a jwt signed with that public key, that would help us make a fix.

Thanks for giving us a try, sorry for the hassle.
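The resolver workaround from the answer, written out as an added example (not the asker's script or the library's own code). It reuses `cert`, `token`, `jwtIssuer` and `jwtAudience` from the question's script, and assumes the 4.0.x delegate shape `(token, securityToken, keyIdentifier, validationParameters) => SecurityKey`; `pinnedKey` is a name chosen here.

```csharp
// Added example: validate the token from the question with IssuerSigningKeyResolver.
// Namespaces (LINQPad query properties): System.IdentityModel.Tokens, System.Security.Claims,
// System.Security.Cryptography, System.Security.Cryptography.X509Certificates.

// The same key object the question passes as IssuerSigningToken, taken from the
// issuer certificate's public key.
var signingToken = new RsaSecurityToken((RSACryptoServiceProvider)cert.PublicKey.Key);
SecurityKey pinnedKey = signingToken.SecurityKeys[0];

var vp = new TokenValidationParameters
{
    ValidAudience = jwtAudience,
    ValidIssuer = jwtIssuer,
    ValidateIssuer = true,
    // Skip the 'kid' lookup that fails in 4.0.0: the runtime verifies the signature with
    // exactly this key, so a token signed by any other key is still rejected.
    // Assumed 4.0.x delegate signature; parameter names are arbitrary.
    IssuerSigningKeyResolver = (rawToken, securityToken, keyIdentifier, parameters) => pinnedKey,
};

var handler = new JwtSecurityTokenHandler();
SecurityToken validatedToken;
try
{
    ClaimsPrincipal principal = handler.ValidateToken(token, vp, out validatedToken);
    // Reaching this line while the default key matching threw IDX10500 points at the
    // runtime's 'kid' matching, which is the case the answer asks to be reported.
    Console.WriteLine("Signature verified for: " + principal.Identity.Name);
}
catch (SecurityTokenException ex)
{
    // Still failing with the key supplied directly means the key itself does not match
    // the token's signature (a key problem rather than a matching problem).
    Console.WriteLine("Validation failed: " + ex.Message);
}
```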
