問(wèn)題描述

我正在嘗試為我的組織實(shí)施 OpenID Connect 規(guī)范.我在測(cè)試依賴(lài)方應(yīng)用程序中使用 Microsoft 的 OpenID Connect OWIN 實(shí)現(xiàn)來(lái)驗(yàn)證我的協(xié)議實(shí)現(xiàn).

I'm trying to implement the OpenID Connect specification for my organisation. I'm using Microsoft's OWIN implementation of OpenID Connect in a test relying party application to verify my implementation of the protocol.

我公開(kāi)了以下元數(shù)據(jù)文檔:

I've exposed the following metadata document:

{
  "issuer": "https://acs.contoso.com/",
  "authorization_endpoint": "http://localhost:53615/oauth2/auth",
  "token_endpoint": "http://localhost:53615/oauth2/token",
  "userinfo_endpoint": "http://localhost:53615/connect/userinfo",
  "jwks_uri": "http://localhost:53615/connect/keys",
  "ui_locales_supported": [
    "en-GB"
  ]
}

簽名密鑰公開(kāi)為該文檔:

The signing key is exposed as this document:

{
  "keys": [
    {
      "n": "xpXxl3M-YkZlzQJdArO1TfOGT2no-UL4dbZ7WuSCNIsSfyGDaqUXjMMHNyq9yD3vp-NCyk8kmn7d5XqHufnceXJM8q4xTrhN3lvywdBSbR-dwXsA-B-MJVgfiK0d_z-mxP9ew2Hj9-KkWbWCzsswlWp3gZ4mB4RGutB1IRSzXVIbvZ-MtKUb6XUDU4LDb_c1xCEXWZxhR-o1a1dLfObH2hHJ-w5y6odGlKtOFx4i4h0u7-Oj5R6k5b2YXEHM0IuYeN0u0sQvrTecokntGzPrvhnKy69I7Z_az5rC5kgloh25D9lTbe4vcRU7FXlYCFYDZsT0_IkGIXRi7brOS4f1ow",
      "e": "AQAB",
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "kid": "F8A59280B3D13777CC7541B3218480984F421450"
    }
  ]
}

正在使用 JwtSecurityToken 類(lèi)及其關(guān)聯(lián)的處理程序，使用 X509SigningCredentials 類(lèi).這段代碼代表了令牌是如何構(gòu)造的，并作為響應(yīng)數(shù)據(jù)的參數(shù)返回給調(diào)用系統(tǒng).

The identity token is being generated using the JwtSecurityToken class and its associated handler, using the X509SigningCredentials class. This code is representative of how the token is constructed and returned to the calling system as a parameter of the response data.

var credentials = new X509SigningCredentials(cert); // My certificate.
var issuedTime = DateTime.UtcNow;
var expiresTime = issuedTime.AddMinutes(5);
var epoch = new DateTime(1970, 01, 01, 0, 0, 0);

var claims = new[]
{
    new Claim("sub", Guid.NewGuid().ToString()),
    new Claim("iat" Math.Floor((issuedTime - epoch).TotalSeconds).ToString()),
    new Claim("nonce", nonce), // Value from client
}

var token = new JwtSecurityToken(
    "https://acs.contoso.com",
    client_id, // Value from client
    claims,
    new Lifetime(issuedTime, expiresTime),
    credentials);

var handler = new JwtSecurityTokenHandler();
parameters.Add("id_token", handler.WriteToken(token)); // Outgoing parameters.

當(dāng)我嘗試將簽名的令牌傳遞回依賴(lài)方應(yīng)用程序時(shí)，OWIN 中間件接受 POST 并嘗試驗(yàn)證令牌的簽名.這樣做會(huì)引發(fā)以下異常:

When I attempt to pass the signed token back to the relying party application, the OWIN middleware accepts the POST and attempts to verify the signature of the token. In doing so, the following exception is thrown:

SecurityTokenSignatureKeyNotFoundException: IDX10500: 簽名驗(yàn)證失敗.無(wú)法解析 SecurityKeyIdentifier:'SecurityKeyIdentifier (IsReadOnly = False, Count = 1, Clause[0] =X509ThumbprintKeyIdentifierClause(哈希 =0xF8A59280B3D13777CC7541B3218480984F421450) ) '，令牌:'{"typ":"JWT","alg":"RS256","x5t":"-KWSgLPRN3fMdUGzIYSAmE9CFFA"}.{"iss":"https://test.accesscontrol.net/","aud":"test","nbf":1404917162,"exp":1404917462,"sub":"60eb55ec-0699-4068-bfa6-41666fc2b2e9","iat":"1404917162"}原始數(shù)據(jù):eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LV1NnTFBSTjNmTWRVR3pJWVNBbUU5Q0ZGQSJ9.eyJpc3MiOiJodHRwczovL2Fjcy5zdXJlY2xvdWQuY29tLyIsImF1ZCI6InRlc3QiLCJuYmYiOjE0MDQ5MTcxNjIsImV4cCI6MTQwNDkxNzQ2Miwic3ViIjoiNjBlYjU1ZWMtMDY5OS00MDY4LWJmYTYtNDE2NjZmYzJiMmU5IiwiaWF0IjoiMTQwNDkxNzE2MiJ9.xkP0RwlX3CYfU0KhFsVvLJC94WK22DTqNTm71cfjiJ8VUHv3b2YhDqfq70N8mQEyiR8vTR6OQqnO6UqXqX4RXUs6ZkfK9Liv3n9NhCs97wJhP2jfefJYeScYtRmWcNNWSSL7vkm2JXQfwKOQTnOGp-ba04TtI6jVrjhOQXH43eCJ9vNuBUzdD-t8CAdmnbvH0nWpIB8kWbw5v8Sa0aQuxMjJYbLC_2Iw3X13dqnyVjp4fA7eSB8N7c1it0KEB-VKfUqiGD3VecyEZGGZbaGE8rvVet5QrY1lJ3V4yM8j6-xDc5Yndc4swOun0L3D6TYk-8gdVXUJDRjbv1ZuhZltsw".

SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0xF8A59280B3D13777CC7541B3218480984F421450) ) ', token: '{"typ":"JWT","alg":"RS256","x5t":"-KWSgLPRN3fMdUGzIYSAmE9CFFA"}.{"iss":"https://test.accesscontrol.net/","aud":"test","nbf":1404917162,"exp":1404917462,"sub":"60eb55ec-0699-4068-bfa6-41666fc2b2e9","iat":"1404917162"} RawData: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LV1NnTFBSTjNmTWRVR3pJWVNBbUU5Q0ZGQSJ9.eyJpc3MiOiJodHRwczovL2Fjcy5zdXJlY2xvdWQuY29tLyIsImF1ZCI6InRlc3QiLCJuYmYiOjE0MDQ5MTcxNjIsImV4cCI6MTQwNDkxNzQ2Miwic3ViIjoiNjBlYjU1ZWMtMDY5OS00MDY4LWJmYTYtNDE2NjZmYzJiMmU5IiwiaWF0IjoiMTQwNDkxNzE2MiJ9.xkP0RwlX3CYfU0KhFsVvLJC94WK22DTqNTm71cfjiJ8VUHv3b2YhDqfq70N8mQEyiR8vTR6OQqnO6UqXqX4RXUs6ZkfK9Liv3n9NhCs97wJhP2jfefJYeScYtRmWcNNWSSL7vkm2JXQfwKOQTnOGp-ba04TtI6jVrjhOQXH43eCJ9vNuBUzdD-t8CAdmnbvH0nWpIB8kWbw5v8Sa0aQuxMjJYbLC_2Iw3X13dqnyVjp4fA7eSB8N7c1it0KEB-VKfUqiGD3VecyEZGGZbaGE8rvVet5QrY1lJ3V4yM8j6-xDc5Yndc4swOun0L3D6TYk-8gdVXUJDRjbv1ZuhZltsw'.

該組件仍處于預(yù)發(fā)布狀態(tài)，因此這可能是實(shí)現(xiàn)中的一個(gè)缺陷，但我想在排除所有可能性之前假設(shè)這是我的錯(cuò)誤.

The component is still pre-release, so this may be a flaw in the implementation, however I want to assume it's my error until all possibilities have been ruled out.

我在做什么顯然是錯(cuò)誤的，或者我應(yīng)該做些什么來(lái)準(zhǔn)確了解簽名無(wú)法驗(yàn)證的原因?

Is there anything I'm doing which is obviously wrong, or is there something I should do to understand exactly why the signature is failing to be validated?

推薦答案

問(wèn)題出在此處的異常信息中:

The problem is nestled in the exception message here:

Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0xF8A59280B3D13777CC7541B3218480984F421450)

Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0xF8A59280B3D13777CC7541B3218480984F421450)

令牌使用 X.509 證書(shū)的默認(rèn)密鑰標(biāo)識(shí)符子句進(jìn)行簽名:其指紋.元數(shù)據(jù)僅公開(kāi) RSA 參數(shù)和名稱(chēng)標(biāo)識(shí)符.當(dāng)客戶(hù)端檢索元數(shù)據(jù)時(shí)，它使用此信息設(shè)置 RSA 密鑰，而不是 X.509 指紋.

The token is signed with the default key identifier clause for an X.509 certificate: its thumbprint. The metadata is exposing just the RSA parameters and a name identifier. When the client retrieves the metadata, it sets up an RSA key using this information, not an X.509 thumbprint.

要更正此錯(cuò)誤，必須更改簽名憑據(jù)以包含正確的名稱(chēng)標(biāo)識(shí)符:

To correct this error, the signing credentials have to be changed to include the correct name identifier:

var credentials = new X509CertificateCredentials(
    cert,
    new SecurityKeyIdentifier(
        new NamedKeySecurityKeyIdentifierClause(
            "kid",
            "F8A59280B3D13777CC7541B3218480984F421450")));

這在簽名中包含了預(yù)期的標(biāo)識(shí)符，并且簽名驗(yàn)證成功.

This includes the expected identifier in the signature, and the signature is validated successfully.

這篇關(guān)于驗(yàn)證 JWT 簽名時(shí)出現(xiàn) SecurityTokenSignatureKeyNotFoundException的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！