Manually decoding a Bearer token from Azure Active Directory: how do I verify it?

Updated: 2024-10-28 10:34:27
Problem description


I'm using the code below in a .NET Core WebApi app and it's working well.


I can decode the JWT that it produces, but I would also like to verify its signature. But where do I get the key to verify it with?

// Client-credentials flow with ADAL; this directive belongs at the top of the file.
// `key` and `secret` are the app's client ID and client secret, set elsewhere in the controller.
using Microsoft.IdentityModel.Clients.ActiveDirectory;

tenant = Configuration.GetSection("AzureAD:Tenant").Value;
Logger.AppLogDebug("tenant value found: [{0}]", tenant);
azureAdInstance = Configuration.GetSection("AzureAD:AzureADInstance").Value;
Logger.AppLogDebug("azureAdInstance value found: [{0}]", azureAdInstance);
audience = Configuration.GetSection("AzureAD:Audience").Value;
Logger.AppLogDebug("Audience value found: [{0}]", audience);

// The authority is the AAD instance followed by the tenant.
var authority = $"{azureAdInstance}{tenant}";
Logger.AppLogDebug("authority value set to: [{0}]", authority);

var authContext = new AuthenticationContext(authority);
var clientCredential = new ClientCredential(key, secret);
// .Result blocks the request thread; in an async action prefer `await authContext.AcquireTokenAsync(...)`.
var token = authContext.AcquireTokenAsync(audience, clientCredential).Result.AccessToken;
return new ObjectResult($"Bearer {token}");

Recommended answer


You can use the JwtBearer or AddAzureADBearer middleware to validate the access token. That way, when a request is received from the client, your web API will automatically decode the token and verify the signature. You can refer to the link below for how to use the two middlewares:

stackoverflow/a/57619013/5751404


If you want to manually verify the JWT token: when validating the signature of the access token, you should get the public key, since Azure AD may sign the token using any one of a certain set of public-private key pairs. The keys can be found at:

login.microsoftonline/{tenant}/.well-known/openid-configuration


Within the JSON response, you'll see a property jwks_uri, which is the URI that contains the JSON Web Key Set for Azure AD. By matching the kid claim in the JWT token, you can find the key which AAD used to sign the token with asymmetric encryption algorithms, such as RSA 256 by default.

Then you can use:

using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// token: the compact JWT; key: the base64url "n" (modulus) member of the JWK whose kid matches the token header.
public JwtSecurityToken validate(string token, string key)
{
    var rsa = new RSACryptoServiceProvider();
    // "AQAB" is the base64url form of the exponent 65537; a JWK carries it as its "e" member.
    string exponentvalue = "AQAB";
    var e = Base64UrlEncoder.DecodeBytes(exponentvalue);
    var N = key;
    var modulus = Base64UrlEncoder.DecodeBytes(N);
    rsa.ImportParameters(new RSAParameters() { Modulus = modulus, Exponent = e });
    var signingKey = new RsaSecurityKey(rsa);

    // Only the signature is checked here: audience, issuer and lifetime validation are switched off.
    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidateIssuer = false,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey,
        ValidateLifetime = false
    };
    JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
    SecurityToken jwt;
    // Throws a SecurityTokenException if the signature does not verify against signingKey.
    var result = tokenHandler.ValidateToken(token, validationParameters, out jwt);
    return jwt as JwtSecurityToken;
}


I haven't tested the code above, but you can try it and start from there.


In addition, you are using the client credential flow to acquire a token for a specific resource. If the resource is a Microsoft-hosted API such as Microsoft Graph API, Azure Management API etc., you don't need to validate the access token in your application. When a request with the token is sent to a Microsoft-hosted API, it will validate the token for you.
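The whole procedure the answer describes, as an added, self-contained example that is not part of the original answer and is written in Go rather than the .NET code above: a constructed key set standing in for the jwks_uri document, selection of the signing key by the token's kid, reconstruction of the RSA public key from the JWK's n and e members (instead of assuming the exponent is AQAB), RS256 signature verification, and then the issuer, audience and expiry checks that the answer's validate() switches off. The issuer https://issuer.example/tenant/, the audience api://my-api and the key id kid-1 are hypothetical; mintToken() stands in for Azure AD's token endpoint so the example runs offline, whereas a real API only ever holds the public key set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk/jwks mirror a jwks_uri document; encoding/json matches "keys", "kid", "n" and "e" case-insensitively.
type jwk struct{ Kid, N, E string }
type jwks struct{ Keys []jwk }
type claims struct{ Iss, Aud string; Exp int64 }

var b64 = base64.RawURLEncoding // JWTs and JWKs use unpadded base64url

// keyByKid rebuilds the RSA public key of the JWK whose kid matches, reading "e" from the key set instead of assuming "AQAB".
func keyByKid(set jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		if k.Kid != kid {
			continue
		}
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		e := new(big.Int).SetBytes(eb)
		if errN != nil || errE != nil || !e.IsInt64() || e.Int64() < 3 {
			return nil, fmt.Errorf("key %q is not a usable RSA JWK", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(e.Int64())}, nil
	}
	return nil, fmt.Errorf("no key with kid %q in key set", kid)
}

// verifyRS256 pins alg to RS256, picks the key by kid, verifies the signature over header.payload, then checks iss, aud and exp.
func verifyRS256(token string, set jwks, wantIss, wantAud string, now time.Time) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return c, fmt.Errorf("segment %d is not base64url", i)
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("unsupported alg %q", hdr.Alg) // the token never gets to pick "none" or an HMAC alg
	}
	pub, err := keyByKid(set, hdr.Kid)
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return c, fmt.Errorf("signature verification failed")
	}
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return c, err
	}
	switch { // a good signature proves who issued the token, not that it was issued to this API or is still live
	case c.Iss != wantIss:
		return c, fmt.Errorf("issuer %q is not trusted", c.Iss)
	case c.Aud != wantAud:
		return c, fmt.Errorf("audience %q is not this API", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return c, fmt.Errorf("token expired at %d", c.Exp)
	}
	return c, nil
}

// mintToken stands in for the issuer in this demo: it signs with the given key and publishes the matching JWK.
func mintToken(priv *rsa.PrivateKey, kid, iss, aud string, exp time.Time) (string, jwks) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"iss": iss, "aud": aud, "exp": exp.Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	set := jwks{Keys: []jwk{{Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
	return input + "." + b64.EncodeToString(sig), set
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only: the verifying API never holds the issuer's private key
	tok, set := mintToken(priv, "kid-1", "https://issuer.example/tenant/", "api://my-api", time.Now().Add(time.Hour))
	fmt.Println(verifyRS256(tok, set, "https://issuer.example/tenant/", "api://my-api", time.Now()))
}
```

A real verifier fetches the openid-configuration document, follows jwks_uri, caches the key set, and refreshes it when a token arrives with an unknown kid, since Azure AD rotates its signing keys; the lookup and the checks above stay the same. Pinning alg and reading e from the JWK are the two details the answer's hand-rolled validate() leaves to the reader.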


Published: 2023-11-13 23:11:29
Source: https://www.elefans.com/category/jswz/34/1585580.html