在 c# 中使用 ---PUBLIC KEY--- 验证 JWT (ES256) 令牌
[英]Validate JWT (ES256) Token with ---PUBLIC KEY--- in c#
问题描述
I have got a JWT that is created by my AWS ALB using an OpenID Connector.
我有一个由我的 AWS ALB 使用 OpenID 连接器创建的 JWT。 I need to verify the Token in my c# application.我需要在我的 c# 应用程序中验证令牌。 But I struggle to get it working.但我很难让它发挥作用。
AWS describes the token validation here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html?icmpid=docs_elbv2_console AWS 在此处描述了令牌验证: https : //docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html?icmpid=docs_elbv2_console
It should work in 3 steps:它应该分 3 个步骤工作:
- Get the key id from the token从令牌中获取密钥 ID
- Read the public key from the aws alb enpoint
(https://public-keys.auth.elb.' + region + '.amazonaws.com/' + key id)从 aws alb enpoint (https://public-keys.auth.elb.' + region + '.amazonaws.com/' + key id) - Decrypt the payload using the key使用密钥解密有效负载
This is the JWT I got:这是我得到的 JWT:
eyJ0eXAiOiJKV1QiLCJraWQiOiJjODE4ZTcxNi01OTAxLTQzOWQtOWFlZC1lYmRmODAyYjZkYTkiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vc2llbWVucy1xYS0wMDA2OS5ldS5hdXRoMC5jb20vIiwiY2xpZW50IjoiMndsS3k0YlRXbGpZWm9KYXZRSVFqVTE3OUprVG4zNDAiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nOmV1LWNlbnRyYWwtMTo0ODU2ODM0ODcxOTY6bG9hZGJhbGFuY2VyL2FwcC9maW5kLXRlc3QtYWxiLzU3YzBmMWYzZjg0YzZjMjEiLCJleHAiOjE1NzU1NDMwMzN9.eyJzdWIiOiJvYXV0aDJ8bWFpbi10ZW5hbnQtb2lkY3xzYW1scHxTaWVtZW5zfFowMDJFSk5VIiwiZ2l2ZW5fbmFtZSI6IlJhcGhhZWwiLCJmYW1pbHlfbmFtZSI6IlNjaG5haXRsIiwibmlja25hbWUiOiJSYXBoYWVsIiwibmFtZSI6IlJhcGhhZWwgU2NobmFpdGwiLCJwaWN0dXJlIjoiaHR0cHM6Ly9zLmdyYXZhdGFyLmNvbS9hdmF0YXIvODkzNWVlY2QzMDc2ZTAyMTQ5ODE2MTZmZjBkZTRkZjI_cz00ODAmcj1wZyZkPWh0dHBzJTNBJTJGJTJGY2RuLmF1dGgwLmNvbSUyRmF2YXRhcnMlMkZyYS5wbmciLCJ1cGRhdGVkX2F0IjoiMjAxOS0xMi0wNVQxMDo0ODozMy4wNjhaIiwiZXhwIjoxNTc1NTQzMDMzLCJpc3MiOiJodHRwczovL3NpZW1lbnMtcWEtMDAwNjkuZXUuYXV0aDAuY29tLyJ9.M39aPefXmaDGzaDd0qHcQHMhvugTVN4i4pyvGJ-7fayewU9vZdtKvSzFF9rVal8GEz7HKTr_auqMw9HemOWyag
The key id therefore is: c818e716-5901-439d-9aed-ebdf802b6da9因此,密钥 ID 是: c818e716-5901-439d-9aed-ebdf802b6da9
Public Key:公钥:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENARdEGaEpfgHph3440UodVsQdqxi
PYz+l1aEcz+Bivr6emXDnor1nET94dbPqYxk+vtUHGkgOb44VPEZUe4ijQ==
-----END PUBLIC KEY-----
I tried to verify the code using the following approaches:我尝试使用以下方法验证代码:
- using the
System.IdentityModel.Tokens.JwtNamespace.使用System.IdentityModel.Tokens.Jwt命名空间。 But I was unable to supply the public key as string to the ValidationParameters.但是我无法将公钥作为字符串提供给 ValidationParameters。 I followed a similar approach of this answer https://stackoverflow.com/a/51866939/2250672 .我遵循了这个答案https://stackoverflow.com/a/51866939/2250672的类似方法。 It felt complicated and error prone.感觉很复杂,容易出错。 As I could not get it to work after a whole day, I decided to move on to one of the nuget packages that supplies the same functionality.由于一整天后我无法让它工作,我决定继续使用提供相同功能的 nuget 软件包之一。 - using the JWT nuget Package, but it does not support the Algorithm used by AWS ALB.使用 JWT nuget 包,但它不支持 AWS ALB 使用的算法。
- using Jose.JWT nuget Package using the following code:使用 Jose.JWT nuget 包使用以下代码:
Jose.JWT.Decode(__token, publicKeyPem, Jose.JwsAlgorithm.ES256)
getting the following error:收到以下错误:
ERROR: Script execution failed.
How can I simply verify the JWT from AWS ALB in C# ?如何在 C# 中简单地从 AWS ALB 验证 JWT?
1 个解决方案
解决方案1
2 已采纳 2019-12-10 22:28:44
The public key is not available on https://siemens-qa-00069.eu.auth0.com/.well-known/openid-configuration .公钥在https://siemens-qa-00069.eu.auth0.com/.well-known/openid-configuration上不可用。 So you can try a manual approach:因此,您可以尝试手动方法:
private static ECDsa LoadPublicKey(byte[] key)
{
byte[] pubKeyX = key.Skip(27).Take(32).ToArray();
byte[] pubKeyY = key.Skip(59).Take(32).ToArray();
return ECDsa.Create(new ECParameters
{
Curve = ECCurve.NamedCurves.nistP256,
Q = new ECPoint
{
X = pubKeyX,
Y = pubKeyY
}
});
}
string key = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENARdEGaEpfgHph3440UodVsQdqxiPYz+l1aEcz+Bivr6emXDnor1nET94dbPqYxk+vtUHGkgOb44VPEZUe4ijQ==";
ECDsa ecdsa = LoadPublicKey(Convert.FromBase64String(key));
string authorizationDomain = "https://siemens-qa-00069.eu.auth0.com/";
string jwt = "eyJ0eXAiOiJKV1QiLCJraWQiOiJjODE4ZTcxNi01OTAxLTQzOWQtOWFlZC1lYmRmODAyYjZkYTkiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vc2llbWVucy1xYS0wMDA2OS5ldS5hdXRoMC5jb20vIiwiY2xpZW50IjoiMndsS3k0YlRXbGpZWm9KYXZRSVFqVTE3OUprVG4zNDAiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nOmV1LWNlbnRyYWwtMTo0ODU2ODM0ODcxOTY6bG9hZGJhbGFuY2VyL2FwcC9maW5kLXRlc3QtYWxiLzU3YzBmMWYzZjg0YzZjMjEiLCJleHAiOjE1NzU1NDMwMzN9.eyJzdWIiOiJvYXV0aDJ8bWFpbi10ZW5hbnQtb2lkY3xzYW1scHxTaWVtZW5zfFowMDJFSk5VIiwiZ2l2ZW5fbmFtZSI6IlJhcGhhZWwiLCJmYW1pbHlfbmFtZSI6IlNjaG5haXRsIiwibmlja25hbWUiOiJSYXBoYWVsIiwibmFtZSI6IlJhcGhhZWwgU2NobmFpdGwiLCJwaWN0dXJlIjoiaHR0cHM6Ly9zLmdyYXZhdGFyLmNvbS9hdmF0YXIvODkzNWVlY2QzMDc2ZTAyMTQ5ODE2MTZmZjBkZTRkZjI_cz00ODAmcj1wZyZkPWh0dHBzJTNBJTJGJTJGY2RuLmF1dGgwLmNvbSUyRmF2YXRhcnMlMkZyYS5wbmciLCJ1cGRhdGVkX2F0IjoiMjAxOS0xMi0wNVQxMDo0ODozMy4wNjhaIiwiZXhwIjoxNTc1NTQzMDMzLCJpc3MiOiJodHRwczovL3NpZW1lbnMtcWEtMDAwNjkuZXUuYXV0aDAuY29tLyJ9.M39aPefXmaDGzaDd0qHcQHMhvugTVN4i4pyvGJ-7fayewU9vZdtKvSzFF9rVal8GEz7HKTr_auqMw9HemOWyag==";
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
{
ValidIssuer = authorizationDomain,
ValidateAudience = false,
IssuerSigningKey = new ECDsaSecurityKey(ecdsa)
};
try
{
JwtSecurityTokenHandler jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
jwtSecurityTokenHandler.ValidateToken(jwt, tokenValidationParameters, out _);
return true;
}
catch (SecurityTokenException)
{
return false;
}
The problem is that I can't test it, because on my machine (Windows 10 + .NET Core 2.1) I get this error:问题是我无法测试它,因为在我的机器上(Windows 10 + .NET Core 2.1)我收到这个错误:
System.PlatformNotSupportedException: The specified curve 'nistP256' or its parameters are not valid for this platform.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.