Why does JWT issuer signing key validation always return valid?
I have a Google Pub/Sub push subscription that sends a JWT token to an endpoint. The endpoint needs to validate this token. From the Google documentation, I need to check the issuer, the audience and the signature. This works fine, except that whatever I put into IssuerSigningKey(s), the token is valid. I would expect this to break when I, for example, remove part of the key.
I have tried various different values for IssuerSigningKey and IssuerSigningKeys. In every case I get a valid response. Changing, for example, the domain or the audience parameter returns 401 Unauthorized.
```csharp
public void ConfigureServices(IServiceCollection services)
{
    string domain = "https://accounts.google.com";
    string audience = "theaudience";
    // Just to debug/test
    string signingKey = "---- - BEGIN PRIVATE KEY-----\nMIIfujHGitJ\n---- - END PRIVATE KEY-----\n";
    var certificates =
        this.FetchGoogleCertificates().GetAwaiter().GetResult();
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.Authority = domain;
        options.Audience = audience;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ClockSkew = TimeSpan.FromHours(48), // This is just for debugging. Maybe we do need a little clock skew if the clock in Google is not aligned with the VD system
            ValidateAudience = true, // Validate the audience, this will change in production to the endpoint URL
            ValidateIssuer = true, // Validate the issuer (Google). If this is wrong, we get a 500 error instead of 40x
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey)),
            /* Stuff I also tried:
            IssuerSigningKey = new RsaSecurityKey(new RSACryptoServiceProvider(2048))
            IssuerSigningKeys = certificates.Values.Select(x => new X509SecurityKey(x)),
            IssuerSigningKeyResolver = (token, securityToken, kid, validationParameters) =>
            {
                return certificates
                    .Where(x => x.Key.ToUpper() == kid.ToUpper())
                    .Select(x => new X509SecurityKey(x.Value));
            }
            */
        };
    });
    services.AddAuthorization();
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}
```
What is happening here?
From the ASP.NET blog post on JWT Validation:
First, the Authority property should not be set on the JwtBearerOptions. If it's set, the middleware assumes that it can go to that URI to get token validation information.
You are leaving the Authority property set in your code sample, which causes the validation library to make a network request to accounts.google.com to obtain the token validation information. If you do not set the Authority property, it is forced to use your TokenValidationParameters.
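As an added example (not the asker's code and not from the answer above), this is the shape the configuration takes once Authority is dropped, so that the handler can only verify signatures against the keys supplied in TokenValidationParameters. It assumes a `googleCertificates` dictionary from Google's key id (`kid`) to the matching `X509Certificate2`, i.e. the result of the asker's `FetchGoogleCertificates` helper, and an `audience` string equal to the value configured on the push subscription; the extension method and `ResolveSigningKeys` are names chosen for this example.

```csharp
// Added example: JwtBearer setup for a Google Pub/Sub push endpoint with Authority
// deliberately left unset. Assumes 'googleCertificates' maps kid -> X509Certificate2
// (the asker's FetchGoogleCertificates result) and 'audience' is the subscription's
// configured audience. Method and helper names are chosen for this example.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class PubSubJwtBearerExtensions
{
    public static IServiceCollection AddPubSubJwtBearer(
        this IServiceCollection services,
        IReadOnlyDictionary<string, X509Certificate2> googleCertificates,
        string audience)
    {
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // No options.Authority here. With Authority set, the handler fetches the
                // issuer's OpenID configuration and appends the discovered signing keys to
                // whatever TokenValidationParameters already holds, so a token that Google
                // really signed validates regardless of the IssuerSigningKey you supply.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    // Google emits the issuer claim in either of these two forms.
                    ValidIssuers = new[] { "https://accounts.google.com", "accounts.google.com" },

                    ValidateAudience = true,
                    ValidAudience = audience,

                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(5),

                    RequireSignedTokens = true,
                    ValidateIssuerSigningKey = true,
                    // The verification key comes only from the token's kid header.
                    // An unknown kid yields no keys, so validation fails with 401
                    // instead of the token being accepted.
                    IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                        ResolveSigningKeys(googleCertificates, kid)
                };
            });

        return services;
    }

    // Kept as a separate method so the lookup can be unit-tested without the middleware.
    // 'kid' is a case-sensitive string (RFC 7515), so no ToUpper() normalisation is applied.
    public static IEnumerable<SecurityKey> ResolveSigningKeys(
        IReadOnlyDictionary<string, X509Certificate2> googleCertificates, string kid)
    {
        if (string.IsNullOrEmpty(kid) ||
            !googleCertificates.TryGetValue(kid, out var certificate))
        {
            return Enumerable.Empty<SecurityKey>();
        }

        return new SecurityKey[] { new X509SecurityKey(certificate) };
    }
}
```

From ConfigureServices this is called as `services.AddPubSubJwtBearer(this.FetchGoogleCertificates().GetAwaiter().GetResult(), "theaudience");`. With Authority gone, the experiment the asker tried (corrupting or removing one of the certificates) now produces a 401, because there is no second source of keys for the handler to fall back on. Note that a snapshot of Google's certificates taken once at startup goes stale when Google rotates them; the asker's original code has the same limitation, so in production the resolver should re-fetch on a cache miss rather than rely on a single startup fetch.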