UseJwtBearerAuthentication signing key
I am trying to implement JWT bearer authentication in my AspNetCore MVC application (Web API only) using the JwtBearerMiddleware, but I get a 401
with the response header:
WWW-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found"
The relevant code in Startup.cs looks like this:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = "https://example.okta.com",
Audience = "myClientId"
});
Given the Authority URL, I expect the middleware to query my identity provider's metadata at https://example.okta.com/.well-known/openid-configuration to get the jwks_uri,
and then fetch the signing keys from that URI. I don't think this is happening. What do I need to do so that the signing key is found and used? Thanks.
After following the references and digging into the AspNet Security repo (specifically the JwtBearerHandler and JwtBearerMiddleware classes), which led me to the Microsoft.IdentityModel namespace in an Azure Extensions repo (first the ConfigurationManager<T> class, then the OpenIdConnectConfigurationRetriever class (GetAsync method), then the JsonWebKeySet.GetSigningKeys() method), I finally found that the JwtBearerMiddleware does indeed get the signing keys from the jwks_uri in the metadata. Phew.
So why wasn't it working? What I should have checked earlier is that the kid in the Bearer JWT header did not actually match the kid from the jwks_uri, so the key was not found. This was the access_code I was sending as the bearer token. The id_token, on the other hand, does have a matching kid, so using that works!
I have read:
The OIDC Access Token is applicable only for the Okta /oauth2/v1/userinfo endpoint and thus should be treated as opaque by the application. The application does not need to validate it since it should not be used against other resource servers. The format of it and the key used to sign it are subject to change without prior notice.
source
...so I cannot use the access token.
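The check the answer says it should have done first, written as an added diagnostic (not code from the question, the answer, or the AspNet Security project): decode the JOSE header of the bearer token and compare its kid against the kids advertised in the JWKS. The token and JWKS below are constructed sample values, not real Okta data, and no signature is verified.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWS (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict):
    """Mimic the middleware's lookup: match the header kid against the JWKS.

    Returns (matching JWK or None, list of kids present in the JWKS) so a
    mismatch can be reported instead of just 'signature key was not found'.
    """
    kid = jwt_header(token).get("kid")
    keys = jwks.get("keys", [])
    available = [k.get("kid") for k in keys]
    match = next((k for k in keys
                  if k.get("kid") == kid and k.get("use", "sig") == "sig"), None)
    return match, available


# Constructed JWKS: one RSA signing key (modulus is a placeholder, not a real key).
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                  "kid": "idTokenKey1", "n": "constructed-modulus", "e": "AQAB"}]}


def make_token(kid: str) -> str:
    """Build a constructed, unsigned-for-real JWT carrying the given kid."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"sub": "user"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'constructed-signature')}"


ID_TOKEN = make_token("idTokenKey1")         # kid present in JWKS
ACCESS_TOKEN = make_token("accessTokenKey9")  # kid absent: the 401 case
```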