How to sign a JWT with an RSA SHA-256 hash
I am trying to get an access token via client credentials so I can use the Office 365 API. I am using this guide:
I am using Postman to send my request (see below)
[Postman screenshot]
But when I send the request, Postman gives me this error: "AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature"
So I am fairly sure I am not signing the JWT correctly; it is used for the client_assertion parameter in my request. Referring to this Stack Overflow question, I found that I need to sign it with an RSA SHA-256 hash. However, I still cannot get my JWT to work with any of the resources I found online on how to do this; it still returns the same error. Is there an online generator that can sign my JWT with an RSA SHA-256 hash? Or any code sample, specifically in C#, of signing it this way? Thanks in advance.
First, you need to set up the certificate in the Azure AD manifest; see the blog post Building Daemon or Service Apps with Office 365 Mail, Calendar, and Contacts APIs (OAuth2 client credential flow).
As for how to sign the token, here is a C# sample for reference:
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;   // System.IdentityModel.Tokens.Jwt (4.x API used here)
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

// The .pfx holds the private key of the certificate whose public part was uploaded to the Azure AD app manifest.
var x509Certificate2 = new X509Certificate2(@"{FILE PATH}\office_365_app.pfx", "PASS_WORD");
// RS256: an RSA signature over a SHA-256 digest of the signing input.
X509SigningCredentials signingCredentials = new X509SigningCredentials(x509Certificate2, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest);
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
var originalIssuer = "{YOUR CLIENT ID}";
var issuer = originalIssuer;
DateTime utcNow = DateTime.UtcNow;
DateTime expired = utcNow + TimeSpan.FromHours(1);
var claims = new List<Claim> {
    new Claim("aud", "https://login.microsoftonline.com/{YOUR_TENANT_ID}/oauth2/token", ClaimValueTypes.String, issuer, originalIssuer),
    new Claim("jti", "{SOME GUID YOU ASSIGN}", ClaimValueTypes.String, issuer, originalIssuer),
    new Claim("sub", "{YOUR CLIENT ID}", ClaimValueTypes.String, issuer, originalIssuer)
};
ClaimsIdentity subject = new ClaimsIdentity(claims: claims);
// notBefore/expires become the nbf/exp claims as NumericDate values (seconds since the Unix epoch);
// they must cover the moment the token endpoint receives the assertion.
JwtSecurityToken jwtToken = tokenHandler.CreateToken(
    issuer: issuer,
    subject: subject,
    notBefore: utcNow,
    expires: expired,
    signingCredentials: signingCredentials) as JwtSecurityToken;
jwtToken.Header.Remove("typ");   // the sample sends the header without "typ"; "alg" stays
var token = tokenHandler.WriteToken(jwtToken);   // compact serialization: header.payload.signature
You can also find the project on GitHub: https://github.com/dream-365/OfficeDev-Samples/blob/master/samples/Office365DevQuickStart/JWT-Token
You can also sign your JWT token using the JJWT API available at https://github.com/jwtk/jjwt
Sample code might look like this:
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.*;

// RS256 needs the RSA private key of the certificate registered with Azure AD, e.g. from the .pfx.
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream("office_365_app.pfx"), "PASS_WORD".toCharArray());
Key key = ks.getKey("{KEY ALIAS}", "PASS_WORD".toCharArray());
Map<String, Object> claims = new HashMap<>();
claims.put("user", "some user");
Calendar expires = Calendar.getInstance();
expires.add(Calendar.HOUR, 1000); // add(), not roll(): roll() wraps the hour field and never moves the date
String jws = Jwts.builder()
    .setClaims(claims)
    .setIssuedAt(new Date())
    .setExpiration(expires.getTime())
    .signWith(SignatureAlgorithm.RS256, key) // RS256 = RSA signature over SHA-256
    .compact();
You can also verify your token at JWT.io