无法使用 nimbus 验证来自 azure 的访问令牌签名
[英]Can't verify access token signature from azure using nimbus
问题描述
following this example I wrote some code to validate an access token return by implicit flow from azure.
在这个示例之后,我编写了一些代码来验证通过隐式流从 azure 返回的访问令牌。
RemoteJWKSet remoteJWKSet = new RemoteJWKSet(new URL(jwksUri));
JWSKeySelector keySelector = new JWSVerificationKeySelector(JWSAlgorithm.RS256, remoteJWKSet);
ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor<>();
jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier(
new JWTClaimsSet.Builder().issuer("https://sts.windows.net/3283e312-f73b-47d0-81c6-75e3ac726c21/").build(),
new HashSet<>(Arrays.asList("sub", "iat", "exp", "scp"))));
jwtProcessor.setJWSKeySelector(keySelector);
JWTClaimsSet claimsSet = jwtProcessor.process(accessToken.getValue(), null);
But the verification fails and I get:但是验证失败,我得到:
com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:378)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:303)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:294)
I think I don't need DefaultJWTClaimsVerifier part, but removing it doesn't change anything.我想我不需要DefaultJWTClaimsVerifier部分,但删除它不会改变任何东西。 I iust keept it to stick with the example.我只是坚持这个例子。
Do you know why this happends?你知道为什么会这样吗?
Thanks for your help.谢谢你的帮助。
PS: Can't verify with jwt.io. PS:无法通过 jwt.io 进行验证。 I pasted access_token and the first entry from "keys" section from jwk.我粘贴了 access_token 和 jwk 的“keys”部分的第一个条目。
1 个解决方案
解决方案1
2 已采纳 2022-03-01 19:30:01
You need to expose an API scope in Azure, and get the client to use that.您需要在 Azure 中expose an API scope scope,并让客户端使用它。 Also ensure that there is no nonce field in the JWT header of the access token.还要确保访问令牌的 JWT header 中没有nonce字段。 My blog post has further info.我的 博客文章有更多信息。
AZURE AD BEHAVIOR AZURE 广告行为
The above behavior is quite specific to Microsoft, and is required when using Azure AD as a provider:上述行为非常特定于 Microsoft,并且在使用 Azure AD 作为提供者时是必需的:
Tokens with a nonce field in the JWT header are designed only for MS APIs, eg Graph, and use an in-house validation mechanism.
在 JWT header 中带有 nonce 字段的令牌专为 MS API(例如 Graph)设计,并使用内部验证机制。 The intent is for these to always fail validation in custom APIs.目的是让这些在自定义 API 中始终无法通过验证。Tokens for your own custom APIs must be retrieved via clients that request custom scopes.
您自己的自定义 API 的令牌必须通过请求自定义范围的客户端检索。 Note that the OAuth client configured in Azure AD can be a logical entry, rather than needing to maintain one for each individual API.注意Azure AD中配置的OAuth客户端可以是一个逻辑入口,而不需要为每个API单独维护一个。
I believe the MS behavior is based on OAuth resource indicators , though my personal preference is to use more mainstream techniques of scopes , claims and audience checks when receiving access tokens in APIs.我相信 MS 行为是基于OAuth 资源指示器的,尽管我个人的偏好是在 API 中接收访问令牌时使用更主流的范围、声明和受众检查技术。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.