use*_*146 11 c# x509securitytokenmanager wif jwt
我执行JwtSecurityTokenHandler()时遇到以下错误.ValidateToken()函数:
这是我的伪代码:
var jwtToken = {...}
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters {...};
var claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters);
这是错误:
Jwt10316: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'.
Exceptions caught:
'System.InvalidOperationException: Jwt10518: AsymmetricSecurityKey.GetHashAlgorithmForSignature( 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' ) threw an exception.
AsymmetricSecurityKey: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'
SignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256', check to make sure the SignatureAlgorithm is supported.
Exception: 'System.NotSupportedException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' not supported in this context.
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetHashAlgorithmForSignature(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)'.
---> System.NotSupportedException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' not supported in this context.
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetHashAlgorithmForSignature(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)
--- End of inner exception stack trace ---
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(SecurityKey key, String algorithm, Byte[] encodedBytes, Byte[] signature)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(JwtSecurityToken jwt, Byte[] signatureBytes, IEnumerable`1 signingTokens)'.
System.NotSupportedException:加密算法' http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 '
奇怪的部分是错误消息的这一部分之外的是被编码到令牌中的声明.作为解决方法,我正在进行一些文本解析和重构我的ClaimsPrincipal,但我不应该这样做.
有关如何为此上下文启用sha256的任何想法?
更新:由于我没有在这个问题上有任何动作(除了获得风滚草徽章)我将添加更多细节也许有人可以帮助我解决问题的来源.我必须假设,因为没有其他人遇到这个问题,我必须在某处出现用户错误.如果听起来不对劲,请告诉我.
我的猜测是,由于我们失败了jwt验证,那么它可能与验证机器/ idP上的证书有关.
例:
var jwtToken = response.AccessToken;
var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = store.Certificates.Find(X509FindType.FindByThumbprint, "thinktecture identityserver 2.Configuration => Key Configuration => Signing Thumbprint>", false)[0];
store.Close();
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
AllowedAudience = "<thinktecture identityserver 2.Configuration => Relying Party => Realm/Scope Name>",
ValidIssuer = "<thinktecture identityserver 2.Configuration => General Configuration => Site ID>",
SigningToken = new X509SecurityToken(cert)
};
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters);
请注意我使用以下占位符来显示数据的填充位置:
在这种情况下,你有什么可以看到我做错了吗?
更新2
我遇到了这个代码:http://pastebin.com/DvQz8vdb,在运行我的JWT之后,我给了我同样的错误:基本上它说它只支持"RS256","HS384"或"HS512".也许这是我的问题..我的JWT回来了HS256,而不是RS256或HS> 256(384/512)
如何将签名算法从HS256更改为HS512?
在这一点上,我想我们又回到了身份服务器问题?
我终于可以结束这一切了。看来签名证书实际上与IdentityServer下的oAuth2协议中的jwt无关。无论我使用什么证书,我都会收到错误。
我通过使用对称签名密钥来验证 jwt(而不是在 IdentityServer 的密钥配置部分下找到的签名证书)解决了该问题。
| 归档时间: |
|
| 查看次数: |
10335 次 |
| 最近记录: |