問(wèn)題描述

我有一個(gè)使用 OpenId Connect 的 Web 應(yīng)用程序.我創(chuàng)建了一個(gè)自簽名證書(shū)，但它仍未由 CA 簽名.如何忽略簽名驗(yàn)證?

I have an web application that is using OpenId Connect. I created a self signed certificate but it is still not signed by a CA. How can I ignore the signature validation?

這是我目前所擁有的:

SecurityToken validatedToken = null;

var tokenHandler = new JwtSecurityTokenHandler {
    Configuration = new SecurityTokenHandlerConfiguration {
        CertificateValidator = X509CertificateValidator.None
    },
};

TokenValidationParameters validationParams =
    new TokenValidationParameters()
    {
        ValidAudience = ConfigurationManager.AppSettings["Audience"],
        ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
        AudienceValidator = AudienceValidator,
        ValidateAudience = true,
        ValidateIssuer = true
    };

return tokenHandler.ValidateToken(jwtToken, validationParams, out validatedToken);

它會(huì)拋出以下異常:

IDX10500:簽名驗(yàn)證失敗.無(wú)法解決SecurityKeyIdentifier: 'SecurityKeyIdentifier (
IsReadOnly = False， 計(jì)數(shù) = 1， 子句[0] =System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ', 令牌:'{"typ":"JWT","alg":"RS256","kid":"issuer_rsaKey"}.{"iss":...

IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier (
IsReadOnly = False, Count = 1, Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ', token: '{"typ":"JWT","alg":"RS256","kid":"issuer_rsaKey"}.{"iss":...

推薦答案

不要忽略簽名，這很危險(xiǎn)！

即使您使用自簽名證書(shū)，您也可以使用公鑰進(jìn)行簽名驗(yàn)證.

Even if you use a self-signed certificate, you will be able to use the public key for signature validation.

由于您使用的是 OpenId Connect，因此您應(yīng)該能夠通過(guò)前往 /.well-known/jwks 獲取簽名證書(shū)的公鑰.

Since you are using OpenId Connect, you should be able to get the public key for your signing certificate by heading over to /.well-known/jwks.

然后您可以像這樣設(shè)置驗(yàn)證參數(shù):

Then you can setup your validation parameters like this:

var certificate = new X509Certificate2(Convert.FromBase64String(yourPublicKeyGoesHere));

var validationParameters = new TokenValidationParameters { 
    IssuerSigningTokens = new[] { new X509SecurityToken(certificate) }  
};

之后，你可以調(diào)用ValidateToken:

SecurityToken token;
var claimsPrincipal = handler.ValidateToken(encodedToken, validationParameters, out token);

您真的要忽略簽名嗎?

記住，如果你這樣做了，你怎么知道有人沒(méi)有篡改令牌內(nèi)的數(shù)據(jù)?您可以輕松解碼 base64 url?? 編碼的有效負(fù)載并更改主題.如果您在應(yīng)用程序中依賴它，您將遇到麻煩(提示:有人訪問(wèn)其他人的數(shù)據(jù))

Remember, if you do, how do you know someone didn't tamper with the data inside the token? You could easily decode the base64 url encoded payload and change the subject. And if you rely on that in your application, you'll be in trouble (hint: someone accessing someone else data)

你真的，真的想忽略它嗎?

您可以使用 ReadToken 并跳過(guò)所有驗(yàn)證:

You can use ReadToken and just skip every validation there is:

var badJwt = new JwtSecurityTokenHandler()
                 .ReadToken(encodedMaliciousToken) as JwtSecurityToken;

不要這樣做，這是不好的做法.

這篇關(guān)于忽略 JWT 中的簽名的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！