Problem description
Please help! I'm having trouble validating a JWT token signed with RS256 using Microsoft's System.IdentityModel.Tokens.Jwt library.
This token validates just fine on JWT.io.
This is the error:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'. Exceptions caught: '[PII is hidden]'. token: '[PII is hidden]'.
Here is the sample code (I'm using LinqPad, with the System.IdentityModel.Tokens.Jwt v5.2.2 NuGet package):
// Namespaces needed (in LINQPad, add them under Query Properties):
// System.Text, System.Security.Cryptography.X509Certificates,
// Microsoft.IdentityModel.Tokens, System.IdentityModel.Tokens.Jwt
void Main()
{
    // PEM certificate whose public key is expected to verify the token
    var cText =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIBljCCAUACCQCIDMpqK7WfWDANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJV\n" +
        "UzETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UECgwJTHV4b3R0aWNhMRowGAYD\n" +
        "VQQLDBFMdXhvdHRpY2EgZXllY2FyZTAeFw0xODA1MjMxNTE1MjdaFw0yODA1MjAx\n" +
        "NTE1MjdaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYD\n" +
        "VQQKDAlMdXhvdHRpY2ExGjAYBgNVBAsMEUx1eG90dGljYSBleWVjYXJlMFwwDQYJ\n" +
        "KoZIhvcNAQEBBQADSwAwSAJBAKuMYcirPj81WBtMituJJenF0CG/HYLcAUOtWKl1\n" +
        "HchC0dM8VRRBI/HV+nZcweXzpjhX8ySa9s7kJneP0cuJiU8CAwEAATANBgkqhkiG\n" +
        "9w0BAQsFAANBAKEM8wQwlqKgkfqnNFcbsZM0RUxS+eWR9LvycGuMN7aL9M6GOmfp\n" +
        "QmF4MH4uvkaiZenqCkhDkyi4Cy81tz453tQ=\n" +
        "-----END CERTIFICATE-----";
    var c = new X509Certificate2(Encoding.ASCII.GetBytes(cText));
    var p = new TokenValidationParameters();
    // Always resolve the signing key to the certificate above
    p.IssuerSigningKeyResolver = (s, securityToken, identifier, parameters)
        => new[] { new X509SecurityKey(c) };
    var h = new JwtSecurityTokenHandler();
    var token = @"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJuLmNoaWVmZm8iLCJleHAiOjE1MjcyMzg4ODEsImlzcyI6Imx1eCJ9.BAaYzLwokmdKqLi6zKjGIpDXd__dZxi5PUWWHS3PSLPDYAInzPbEK8o4WxunoGD7eA0qtQNaxNpzeOc3BHrd4w";
    // Throws SecurityTokenInvalidSignatureException (IDX10503) as described above
    h.ValidateToken(token, p, out SecurityToken _);
}
Finally it would be nice to also know how to remove the [PII is hidden] so I can see more detail on the error. Setting the enableLoggingKnownPii and logKnownPII to true in the app.config or even the machine.config file did not seem to make a difference.
Recommended answer
It turns out that the KeySize for X509SecurityKey needs to be at least 1024 in length for verifying. This is not obvious from the exception, since it is hidden with the [PII is hidden] filter.
Adding the following line made the exception text a lot more useful (add to the ConfigureServices method in Startup.cs):
IdentityModelEventSource.ShowPII = true;
New exception text:
System.ArgumentOutOfRangeException: IDX10631: The 'Microsoft.IdentityModel.Tokens.X509SecurityKey' for verifying cannot be smaller than '1024' bits. KeySize: '512'.
Increasing the length of the asymmetric key to 1024 solved the problem.
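An added example, not part of the original answer or the library's own code: a pre-flight check that reads a certificate's RSA key size before it is wrapped in an X509SecurityKey, so an undersized key is reported with its actual size even while the PII filter is on. The names SigningKeyGuard and ToVerificationKey, the in-memory test certificate and the 2048-bit policy value are assumptions made for illustration.

```csharp
// Added example. Assumes the System.IdentityModel.Tokens.Jwt NuGet package and
// .NET Core 2.0+ or .NET Framework 4.7.2+ (needed for CertificateRequest).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

static class SigningKeyGuard // hypothetical helper name
{
    // Verification minimum reported by IDX10631 in the answer above.
    public const int LibraryMinimumBits = 1024;

    // Returns a verification key, or throws with the actual key size in the message.
    public static X509SecurityKey ToVerificationKey(X509Certificate2 cert, int minBits = LibraryMinimumBits)
    {
        using (RSA rsa = cert.GetRSAPublicKey())
        {
            if (rsa == null)
                throw new ArgumentException("Certificate has no RSA public key; RS256 requires one.");
            if (rsa.KeySize < minBits)
                throw new ArgumentException(
                    $"RSA key in '{cert.Subject}' is {rsa.KeySize} bits; at least {minBits} are required.");
        }
        return new X509SecurityKey(cert);
    }
}

static class Program
{
    // Constructed self-signed certificate, generated in memory for this demonstration only.
    static X509Certificate2 SelfSigned(int bits)
    {
        using (RSA rsa = RSA.Create(bits))
        {
            var request = new CertificateRequest(
                "CN=constructed-test", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    static void Main()
    {
        using (X509Certificate2 cert = SelfSigned(1024))
        {
            Console.WriteLine(SigningKeyGuard.ToVerificationKey(cert).KeySize); // meets the library minimum
            // A stricter, hypothetical policy minimum of 2048 bits rejects the same certificate.
            try { SigningKeyGuard.ToVerificationKey(cert, 2048); }
            catch (ArgumentException ex) { Console.WriteLine(ex.Message); }
        }
    }
}
```

Calling ToVerificationKey on the 512-bit certificate from the question would take the same rejection path, with the key size stated in the exception message.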