ASP.NET 核心 RC2 Jwt 令牌 KID 错误

ASP.NET Core RC2 Jwt Token KID error

我在尝试使用 JwtBearerAuthentication 进行身份验证时遇到此异常:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6IldYVDdGSUU3SlI5U1A0R09SUlVJSUMxX0pSTDJPVkhNRzkyVjFYVl8iLCJ0eXAiOiJKV1QifQ.eyJNYXN0ZXIiOiIxIiwiY2FzYSI6IjEiLCJ1bmlxdWVfbmFtZSI6InRlc3RlIiwianRpIjoiOWNiYmUzMDEtYjdhYy00MDQ5LTlhZjAtNzQ2MzhhNDZiYjg5IiwidXNhZ2UiOiJhY2Nlc3NfdG9rZW4iLCJjb25maWRlbnRpYWwiOnRydWUsInNjb3BlIjoib2ZmbGluZV9hY2Nlc3MiLCJzdWIiOiI4ZDRmNTdiOS1kMDk0LTRhYmUtOTcxNi03Y2Y1NTcyYTg0M2EiLCJhenAiOiJkdXgiLCJuYmYiOjE0NjQyODM1ODYsImV4cCI6MTQ2NDI4NzE4NiwiaWF0IjoxNDY0MjgzNTg2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAvIn0.nzT0K30EIbhW4OX4sq3w038c6C5U8LzJHMwszMVFvc6J18aaTUMuKx1txTzUnscZvTcHoMTV7Dyvlj9qCoVpJjnQmqhlP8Q2g-gVSPzKmX6TxB9lT4IF1hrneGj-4p1vRr9HRWb1JftMMnLwY1tfxJYcofvRTBzdofSfVtKRB1FR215VRFxUb8x4ipnICexZiSELEEC8GIN2koOVzoUAMZLQIkTVtKXV7gwi-lF0ECZem28FQ4ar2cmZPrQr0z0B8b-YemPhcLzJplIdCpDx8XHhLIIqLWO5ep7cK29HON8_LobvbXDCXrwUqJbNt2m5wtKYJ5qodfL5aWeo9Y09Wg.

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_', 
token: '{"alg":"RS256","typ":"JWT","kid":"WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_"}.{"Master":"1","casa":"1","unique_name":"teste","jti":"9cbbe301-b7ac-4049-9af0-74638a46bb89","usage":"access_token","confidential":true,"scope":"offline_access","sub":"8d4f57b9-d094-4abe-9716-7cf5572a843a","azp":"dux","nbf":1464283586,"exp":1464287186,"iat":1464283586,"iss":"http://localhost:5000/"}'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Error: Exception occurred while processing message.

我正在使用 OpenIdConnectServer 发行令牌

        // Add a new middleware issuing tokens.
        app.UseOpenIdConnectServer(options =>
        {
            options.AllowInsecureHttp = true;
            options.Provider = new AuthorizationProvider();
            options.UseJwtTokens();                
        });

        // Add a new middleware validating access tokens issued by the server.
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            RequireHttpsMetadata = false,                                
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateAudience = false,
                ValidateIssuer = false,
                ValidateIssuerSigningKey = false
            }
        });

出于某些原因,IdentityModel(JWT 承载中间件背后的库)似乎忽略了您的 ValidateIssuerSigningKey = false 指令(这在实践中非常糟糕,因为每个人都可以伪造一个假令牌,该令牌将被JWT 承载中间件)。

要解决此问题(并使您的 API 真正安全),请配置 Authority 属性 以允许 JWT 承载中间件从 OpenID Connect 服务器下载签名密钥中间件:

app.UseJwtBearerAuthentication(new JwtBearerOptions {
    Authority = "http://localhost:5000/", // base address of your OIDC server.
    Audience = "http://localhost:5000/", // base address of your API.
    RequireHttpsMetadata = false
});