問題描述

我通過如下所示設置 Payload 創(chuàng)建了一個 JwtToken

var payload = new JwtPayload{{"aud", "wellmark.com" },{"iss", "wellmark" },{"iat", DateTime.Now.Ticks },{"exp", DateTime.Now.AddDays(90).Ticks },};

我必須使用刻度的原因是因為這是獲取發(fā)布時間和到期時間的整數(shù)值的唯一方法.我同意 ticks 實際上是 long 而不是 int，但這是唯一的方法.

現(xiàn)在當我回來驗證令牌時，我正在執(zhí)行以下操作

var tokenValidationParams = new TokenValidationParameters{IssuerSigningKey = new X509SecurityKey(jwtCert),ValidAudience = "蒙面",ValidIssuer = "屏蔽",IssuerSigningKeyResolver =(字符串令牌，Microsoft.IdentityModel.Tokens.SecurityToken securityToken，字符串孩子，TokenValidationParameters 驗證參數(shù))=>新列表<X509SecurityKey>{ 新 X509SecurityKey(jwtCert) }};tokenHandler.ValidateToken(id, tokenValidationParams，出驗證令牌)；

但是說不出來

生命周期驗證失敗.令牌缺少過期時間.令牌類型:'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.

這很可能是因為驗證方法試圖將 long 轉(zhuǎn)換為 int 并且由于它無法轉(zhuǎn)換它，所以它只是返回 null，如顯示的文檔中所示 這里.

有沒有人在這個機制上取得了成功.請注意，我使用 X509 證書來簽署我的 Jwt.

納拉辛哈姆

Exp時間戳不能使用Ticks

JWT 中的時間戳是從 01.01.1970 00:00 UTC 開始計算的 UNIX 時間戳:https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4 解釋說數(shù)字日期用于 exp 聲明(也用于 nbf(不是之前)和 iat(簽發(fā)于)索賠)

https://www.rfc-editor.org/rfc/rfc7519#section-2 定義數(shù)字日期:

一個 JSON 數(shù)值，表示從1970-01-01T00:00:00Z UTC 直到指定的 UTC 日期/時間，忽略閏秒.

如果您像在示例中那樣直接創(chuàng)建有效負載，則需要計算自 1.1.1970 UTC 以來的秒數(shù)，例如:

DateTime CenturyBegin = new DateTime(1970, 1, 1);var exp = new TimeSpan(DateTime.Now.AddDays(90).Ticks - CenturyBegin.Ticks).TotalSeconds;

exp 是從現(xiàn)在開始的 90 天.當然，您也可以使用任何其他 Add... 方法來計算到期時間.參考 https://msdn.microsoft.com/de-de/library/system.datetimeoffset(v=vs.110).aspx 查看其他 Add 方法.

一些框架(例如 System.IdentityModel.Tokens.Jwt)提供了創(chuàng)建令牌的函數(shù)，這些令牌接受 DateTimeOffset 類型的參數(shù)，這更容易處理.

使用 http://www.unixtimestamp.com/ 或類似網(wǎng)站檢查您的時間戳p>

I have created a JwtToken by setting up the Payload as shown below

var payload = new JwtPayload
        {
            {"aud", "wellmark.com" },
            {"iss", "wellmark" },
            {"iat", DateTime.Now.Ticks },
            {"exp", DateTime.Now.AddDays(90).Ticks },
        };

The reason I had to use ticks is because that is the only way to get an integer value for the issued at and expiration times. I agree that ticks is in fact a long and not an int, but that was the only way.

Now when I come back to validate the token, I am doing the below

var tokenValidationParams = new TokenValidationParameters
            {
                IssuerSigningKey = new X509SecurityKey(jwtCert),
                ValidAudience = "masked",
                ValidIssuer = "masked",
                IssuerSigningKeyResolver = (string token, Microsoft.IdentityModel.Tokens.SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) => new List<X509SecurityKey> { new X509SecurityKey(jwtCert) }
            };

            tokenHandler.ValidateToken(id, tokenValidationParams
                   , out validatedToken);

It is however failing saying

Lifetime validation failed. The token is missing an Expiration Time. Tokentype: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.

This is most likely because the validation method is trying to convert the long to an int and because it is unable to convert it, it simply returns a null as indicated in the documentation shown here.

Has anyone had success with this mechanism. Please note that I am using X509 Certificate to Sign my Jwt.

Narasimham

You can't use Ticks for the exp timestamp

The timestamps in JWT are UNIX timestamps counting from 01.01.1970 00:00 UTC: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4 explains that a numeric date is used for the exp claim (and also for the nbf (not before) and iat (issued at) claims)

https://www.rfc-editor.org/rfc/rfc7519#section-2 defines the numeric date:

A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.

If you create the payload directly like you did in your example you need to calculate the seconds since 1.1.1970 UTC for example like this:

DateTime centuryBegin = new DateTime(1970, 1, 1);
var exp = new TimeSpan(DateTime.Now.AddDays(90).Ticks - centuryBegin.Ticks).TotalSeconds;

exp is then 90 days from now. Of course you can use any of the other Add... methods as well to calculate the expriation time. Refer to https://msdn.microsoft.com/de-de/library/system.datetimeoffset(v=vs.110).aspx to see the other Add methods.

Some frameworks (e.g. System.IdentityModel.Tokens.Jwt) offer functions to create tokens which accept parameters of the type DateTimeOffset, which is easier to handle.

Use http://www.unixtimestamp.com/ or similar sites to check your timestamps

這篇關于JWT 驗證失敗的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！