stackoom
  简体   繁体   中英

IdentityServer4 token signing validation

 原文  2017-06-16 13:39:03       c#/ asp.net-core/ jwt/ identityserver4

Question

I have IdentityServer4 that generates signed JWT tokens. In my web api I added auth middleware to validate these tokens: 

         app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            Authority = env.IsProduction() ? "https://www.example.com/api/" : "http://localhost/api/",
            AllowedScopes = { "WebAPI", "firm",
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile },
            RequireHttpsMetadata = env.IsProduction(),
        });

It works perfectly. However, I suspect it doesn't verify signature of jwt token because there is no public key configured to validate token. How to configure token signature validation?

PS: I try to use UseJwtBearerAuthentication instead this way: 

        var cert = new X509Certificate2("X509.pfx", "mypassword");
        var TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            ValidateIssuer = true,
            ValidIssuer = env.IsProduction() ? "https://www.example.com/api/" : "http://localhost/api/",
            IssuerSigningKey = new X509SecurityKey(cert),
        };
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            Authority = env.IsProduction() ? "https://www.wigwam3d.com/api/" : "http://localhost/api/",
            Audience = "WebAPI",
            RequireHttpsMetadata = env.IsProduction(),
            TokenValidationParameters = TokenValidationParameters
        });

It also works (and I hope validates token signature also!) but gives me another bug: 

UserManager.GetUserAsync(HttpContext.HttpContext.User)

return null, while using UseIdentityServerAuthentication returns me correct User

2 answers

solution1
 3 ACCPTED  2017-06-16 19:23:10

I think there is no need to add certificate to you API for validation. .UseIdentityServerAuthentication() middleware calls your IdentiyServer to retrieve public key on startup from https://www.example.com/api/.well-known/openid-configuration . At least that's my understanding how it works.

solution2
 2  2017-06-16 15:17:36

Finally I done it with JwtBearerAuthentication,

GetUserAsync function failure can be fixed with call to: 

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

because of this issue: https://github.com/aspnet/Security/issues/1043

Any ideas to configure the same using IdentityServer auth are welcome!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Using IdentityServer4 with DataProtection API for token signing Delegation token in identityserver4 IdentityServer4 get access token IdentityServer4 - Failed to validate the token IdentityServer4 Refresh Token Is Null IdentityServer4 Add Claims to /connect/token Invalid HTTP request for token endpoint in IdentityServer4 IdentityServer4 Custom Token Request Validator Not Called IdentityServer4: Generate Refresh Token and ReferenceToken Together Accessing protected API on IdentityServer4 with Bearer Token
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM