[英]Verifying JWT signed with the RS256 algorithm using public key in C#
[英]Unable to validate RS256 signed JWT
我正在嘗試在 dotnet webapi 和 KeyCloak 上實現簽名的 JWT (RS256)。 在應用程序啟動時,我可以看到使用預期響應內容(如下所示的請求)對 keycloak 進行的 openid 調用。
在此處獲取 jwks_url
GET https://localhost:8080/auth/realms/core/.well-known/openid-configuration
從這里獲取鑰匙
GET https://localhost:8080/auth/realms/core/protocol/openid-connect/certs
然后我得到一個帶有以下請求的 access_token
POST https://localhost:8080/auth/realms/core/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded
grant_type=password&client_id=admin-cli&username=jim&password=foobar
然后我測試了以下端點
[ApiController]
[Route("/")]
public class AppController : ControllerBase
{
[Authorize]
[HttpGet]
public OkObjectResult Get()
{
return Ok("This is the secured page");
}
}
有了這個要求
GET https://localhost:5001
Authorization: Bearer MY_TOKEN
但我總是收到 401
HTTP/1.1 401 Unauthorized
Content-Length: 0
Date: Wed, 18 Nov 2020 17:41:28 GMT
Server: Kestrel
Www-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found"
簽名密鑰(第三個“塊”)確實存在於令牌中。 下面是 JWT 驗證代碼。 我錯過了什么嗎?
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
var audience = Configuration["Jwt:Audience"];
var issuer = Configuration["Jwt:Issuer"];
bool.TryParse(Configuration["Jwt:RequireHttpsMetadata"], out var requireHttpsMetadata);
IConfigurationManager<OpenIdConnectConfiguration> configurationManager =
new ConfigurationManager<OpenIdConnectConfiguration>(
$"{Configuration["Jwt:Authority"]}/auth/realms/core/.well-known/openid-configuration",
new OpenIdConnectConfigurationRetriever());
var openIdConfig =
configurationManager.GetConfigurationAsync(CancellationToken.None).Result;
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.SaveToken = true;
options.RequireHttpsMetadata = requireHttpsMetadata;
options.TokenValidationParameters.IssuerSigningKeys = openIdConfig.SigningKeys;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidIssuer = issuer,
ValidAudience = audience,
ValidateIssuerSigningKey = true,
};
});
}
由於 JWT 持有簽名(又名第三塊),我將解釋該消息
"The signature key was not found"
簽名驗證存在問題。
重新檢查響應/可訪問性
GET https://localhost:8080/auth/realms/core/protocol/openid-connect/certs
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.