IdentityServer4令牌签名验证
[英]IdentityServer4 token signing validation
问题描述
I have IdentityServer4 that generates signed JWT tokens. 
我有IdentityServer4生成签名的JWT令牌。 In my web api I added auth middleware to validate these tokens: 在我的Web API中,我添加了身份验证中间件来验证这些令牌:
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = env.IsProduction() ? "https://www.example.com/api/" : "http://localhost/api/",
AllowedScopes = { "WebAPI", "firm",
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile },
RequireHttpsMetadata = env.IsProduction(),
});
It works perfectly. 它运作完美。 However, I suspect it doesn't verify signature of jwt token because there is no public key configured to validate token. 但是,我怀疑它没有验证jwt令牌的签名,因为没有配置用于验证令牌的公共密钥。 How to configure token signature validation? 如何配置令牌签名验证?
PS: I try to use UseJwtBearerAuthentication instead this way: PS:我尝试通过这种方式使用UseJwtBearerAuthentication:
var cert = new X509Certificate2("X509.pfx", "mypassword");
var TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidIssuer = env.IsProduction() ? "https://www.example.com/api/" : "http://localhost/api/",
IssuerSigningKey = new X509SecurityKey(cert),
};
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = env.IsProduction() ? "https://www.wigwam3d.com/api/" : "http://localhost/api/",
Audience = "WebAPI",
RequireHttpsMetadata = env.IsProduction(),
TokenValidationParameters = TokenValidationParameters
});
It also works (and I hope validates token signature also!) but gives me another bug: 它也可以工作(我希望也可以验证令牌签名!),但是给了我另一个错误:
UserManager.GetUserAsync(HttpContext.HttpContext.User)
return null, while using UseIdentityServerAuthentication returns me correct User 返回null,在使用UseIdentityServerAuthentication时返回正确的用户
2 个解决方案
解决方案1
3 已采纳 2017-06-16 19:23:10
I think there is no need to add certificate to you API for validation. 我认为无需向您的API添加证书以进行验证。 .UseIdentityServerAuthentication() middleware calls your IdentiyServer to retrieve public key on startup from https://www.example.com/api/.well-known/openid-configuration . .UseIdentityServerAuthentication()中间件在启动时会从https://www.example.com/api/.well-known/openid-configuration调用IdentiyServer检索公共密钥。 At least that's my understanding how it works. 至少那是我的理解。
解决方案2
2 2017-06-16 15:17:36
Finally I done it with JwtBearerAuthentication, 最后,我用JwtBearerAuthentication做到了,
GetUserAsync function failure can be fixed with call to: GetUserAsync函数失败可以通过调用以下方法解决:
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
because of this issue: https://github.com/aspnet/Security/issues/1043 由于这个问题: https : //github.com/aspnet/Security/issues/1043
Any ideas to configure the same using IdentityServer auth are welcome! 欢迎使用IdentityServer auth配置相同的任何想法!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.