ASP.net Core 2.0 AzureAd Bearer JWT-Token Auth 在验证签名时不会失败
ASP.net Core 2.0 AzureAd Bearer JWT-Token Auth not fail on validate signature
我有两个应用程序,一个 Web 应用程序 (Web-UI) 和一个 Web api。
首先,我在 Web-UI 中实施了一个使用 Azure AD 的身份验证。
这两个应用程序都在 Azure 中注册并相互推动。--
首先是我的配置
tenant: '99c7da52-56fc-49ca-aa95-111111111111',
clientId: '6b0a79eb-0e0d-4a00-9652-111111111111
登录非常有效,我成功获得了令牌。它看起来像下面这样:
Header
{
"typ": "JWT",
"nonce": "AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA",
"alg": "RS256",
"x5t": "z44wMdHu8wKsumrbfaK98qxs5YI",
"kid": "z44wMdHu8wKsumrbfaK98qxs5YI"
}
Payload
{
"aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/99c7da52-56fc-49ca-aa95-8f7fb09c995e/",
"iat": 1517145610,
"nbf": 1517145610,
"exp": 1517149510,
"acr": "1",
"aio": "ATQAy/8GAAAAYOQzoNWpu5XcyTPibpz9lnb/bMGY3H4iTdEdz/zvWwrTt1mvvWiLToaNPYZwHsBD",
"amr": [
"pwd",
"mfa"
],
"app_displayname": "My Project",
"appid": "6b0a79eb-0e0d-4a00-9652-3098cc95804f",
"appidacr": "0",
"e_exp": 262800,
"family_name": "XXXXXXXXX",
"given_name": "XXXXXXXXXX",
"ipaddr": "93.245.65.135",
"name": "Myname, Firstname",
"oid": "1a4d0d0f-8137-4c1d-aa34-2cccf10f8206",
"platf": "3",
"puid": "100300008AAF747A",
"scp": "Directory.Read.All email Group.Read.All profile User.Read User.Read.All User.ReadBasic.All",
"sub": "IBv63_IIq4zpkv_UlVwaxmAm0RP3d17xq4hKil4HRD0",
"tid": "89c7da52-56fc-49ca-aa95-8f7fb09c995e",
"unique_name": "XXXXXXXXXXXXXXX",
"upn": "XXXXXXXXXXXXXXX",
"uti": "LVVtGIEcXUuEofBatBYVAA",
"ver": "1.0"
}
我删除了个人信息。所以现在我对我的 Web.Api 使用令牌,它包含以下设置:
"AzureAdB2C": {
"Instance": "https://login.microsoftonline.com/common",
"ClientId": "f5afed6b-e09c-4c7d-90cc-222222222222",
"Domain": "myhost.de"
}
我的启动文件看起来是:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => Configuration.Bind("AzureAdB2C", options));
services.AddMvc();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseAuthentication();
app.UseMvc();
}
}
当我使用与上述 "Bearer {tokenstring}" 相同的标记通过 Postman 调用 api 时,没有。它告诉我 401 未授权。
在控制台的调试日志中出现:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: z44wMdHu8wKsumrbfaK98qxs5YI
'.
Exceptions caught:
''.
token: '{"alg":"RS256","typ":"JWT","nonce":"AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA","x5t":"z44wMdHu8wKsumrbfaK98qxs5YI","kid":"z44wMdHu8wKsumrbfaK98qxs5YI"}.{"aud":"00000003-0000-0000-c000-000000000000","iss":"https://sts.windows.net/99c7da52-56fc-49ca-aa95-8f7fb09c995e/","iat":1517145610,"nbf":1517145610,"exp":1517149510,"acr":"1","aio":"ATQAy/8GAAAAYOQzoNWpu5XcyTPibpz9lnb/bMGY3H4iTdEdz/zvWwrTt1mvvWiLToaNPYZwHsBD","amr":["pwd","mfa"],"app_displayname":"Project Avalon Dev","appid":"6b0a79eb-0e0d-4a00-9652-3098cc95804f","appidacr":"0","e_exp":262800,"family_name":"XXXXX","given_name":"Sascha Peter","ipaddr":"93.245.65.135","name":"XXXX","oid":"da4d0d0f-8137-4c1d-aa34-2cccf10f8206","platf":"3","puid":"100300008AAF747A","scp":"Directory.Read.All email Group.Read.All profile User.Read User.Read.All User.ReadBasic.All","sub":"IBv63_IIq4zpkv_UlVwaxmAm0RP3d17xq4hKil4HRD0","tid":"99c7da52-56fc-49ca-aa95-8f7fb09c995e","unique_name":"XXXXX","upn":"xxxxxxx","uti":"LVVtGIEcXUuEofBatBYVAA","ver":"1.0"}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: z44wMdHu8wKsumrbfaK98qxs5YI
'.
Exceptions caught:
''.
token: '{"alg":"RS256","typ":"JWT","nonce":"AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA","x5t":"z44wMdHu8wKsumrbfaK98qxs5YI...........
我的 web 项目文件api 项目如下:
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp2.0</TargetFramework>
<UserSecretsId>aspnet-Portal.Api-B6631B80-5958-40CC-A783-2E86D5ADA6B5</UserSecretsId>
</PropertyGroup>
<ItemGroup>
<Folder Include="wwwroot\" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.5" />
</ItemGroup>
<ItemGroup>
<DotNetCliToolReference Include="Microsoft.Extensions.SecretManager.Tools" Version="2.0.0" />
<DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="2.0.2" />
</ItemGroup>
</Project>
我不知道这个ist有什么问题。我错过了什么吗?我的代码中有错误吗?
aspnetcore jwt 承载实现无法验证 header 中带有随机数的令牌,而这需要特殊处理。您尝试验证的令牌是针对 Microsoft Graph api,而不是针对您的应用程序。
如果您请求 https://login.microsoftonline.com/common/oauth2/authorize?resource={APPID}
,您可以获得应用程序的令牌
我还能够验证 resource/api https://graph.windows.net (instead of https://graph.microsoft.com) as this tokens does not contain nonces, but this api is according to microsoft outdated and should not be used (https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph) 的令牌。
阅读更多:
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609
我有两个应用程序,一个 Web 应用程序 (Web-UI) 和一个 Web api。 首先,我在 Web-UI 中实施了一个使用 Azure AD 的身份验证。 这两个应用程序都在 Azure 中注册并相互推动。--
首先是我的配置
tenant: '99c7da52-56fc-49ca-aa95-111111111111',
clientId: '6b0a79eb-0e0d-4a00-9652-111111111111
登录非常有效,我成功获得了令牌。它看起来像下面这样:
Header
{
"typ": "JWT",
"nonce": "AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA",
"alg": "RS256",
"x5t": "z44wMdHu8wKsumrbfaK98qxs5YI",
"kid": "z44wMdHu8wKsumrbfaK98qxs5YI"
}
Payload
{
"aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/99c7da52-56fc-49ca-aa95-8f7fb09c995e/",
"iat": 1517145610,
"nbf": 1517145610,
"exp": 1517149510,
"acr": "1",
"aio": "ATQAy/8GAAAAYOQzoNWpu5XcyTPibpz9lnb/bMGY3H4iTdEdz/zvWwrTt1mvvWiLToaNPYZwHsBD",
"amr": [
"pwd",
"mfa"
],
"app_displayname": "My Project",
"appid": "6b0a79eb-0e0d-4a00-9652-3098cc95804f",
"appidacr": "0",
"e_exp": 262800,
"family_name": "XXXXXXXXX",
"given_name": "XXXXXXXXXX",
"ipaddr": "93.245.65.135",
"name": "Myname, Firstname",
"oid": "1a4d0d0f-8137-4c1d-aa34-2cccf10f8206",
"platf": "3",
"puid": "100300008AAF747A",
"scp": "Directory.Read.All email Group.Read.All profile User.Read User.Read.All User.ReadBasic.All",
"sub": "IBv63_IIq4zpkv_UlVwaxmAm0RP3d17xq4hKil4HRD0",
"tid": "89c7da52-56fc-49ca-aa95-8f7fb09c995e",
"unique_name": "XXXXXXXXXXXXXXX",
"upn": "XXXXXXXXXXXXXXX",
"uti": "LVVtGIEcXUuEofBatBYVAA",
"ver": "1.0"
}
我删除了个人信息。所以现在我对我的 Web.Api 使用令牌,它包含以下设置:
"AzureAdB2C": {
"Instance": "https://login.microsoftonline.com/common",
"ClientId": "f5afed6b-e09c-4c7d-90cc-222222222222",
"Domain": "myhost.de"
}
我的启动文件看起来是:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => Configuration.Bind("AzureAdB2C", options));
services.AddMvc();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseAuthentication();
app.UseMvc();
}
}
当我使用与上述 "Bearer {tokenstring}" 相同的标记通过 Postman 调用 api 时,没有。它告诉我 401 未授权。
在控制台的调试日志中出现:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: z44wMdHu8wKsumrbfaK98qxs5YI
'.
Exceptions caught:
''.
token: '{"alg":"RS256","typ":"JWT","nonce":"AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA","x5t":"z44wMdHu8wKsumrbfaK98qxs5YI","kid":"z44wMdHu8wKsumrbfaK98qxs5YI"}.{"aud":"00000003-0000-0000-c000-000000000000","iss":"https://sts.windows.net/99c7da52-56fc-49ca-aa95-8f7fb09c995e/","iat":1517145610,"nbf":1517145610,"exp":1517149510,"acr":"1","aio":"ATQAy/8GAAAAYOQzoNWpu5XcyTPibpz9lnb/bMGY3H4iTdEdz/zvWwrTt1mvvWiLToaNPYZwHsBD","amr":["pwd","mfa"],"app_displayname":"Project Avalon Dev","appid":"6b0a79eb-0e0d-4a00-9652-3098cc95804f","appidacr":"0","e_exp":262800,"family_name":"XXXXX","given_name":"Sascha Peter","ipaddr":"93.245.65.135","name":"XXXX","oid":"da4d0d0f-8137-4c1d-aa34-2cccf10f8206","platf":"3","puid":"100300008AAF747A","scp":"Directory.Read.All email Group.Read.All profile User.Read User.Read.All User.ReadBasic.All","sub":"IBv63_IIq4zpkv_UlVwaxmAm0RP3d17xq4hKil4HRD0","tid":"99c7da52-56fc-49ca-aa95-8f7fb09c995e","unique_name":"XXXXX","upn":"xxxxxxx","uti":"LVVtGIEcXUuEofBatBYVAA","ver":"1.0"}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: z44wMdHu8wKsumrbfaK98qxs5YI
'.
Exceptions caught:
''.
token: '{"alg":"RS256","typ":"JWT","nonce":"AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA","x5t":"z44wMdHu8wKsumrbfaK98qxs5YI...........
我的 web 项目文件api 项目如下:
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp2.0</TargetFramework>
<UserSecretsId>aspnet-Portal.Api-B6631B80-5958-40CC-A783-2E86D5ADA6B5</UserSecretsId>
</PropertyGroup>
<ItemGroup>
<Folder Include="wwwroot\" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.5" />
</ItemGroup>
<ItemGroup>
<DotNetCliToolReference Include="Microsoft.Extensions.SecretManager.Tools" Version="2.0.0" />
<DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="2.0.2" />
</ItemGroup>
</Project>
我不知道这个ist有什么问题。我错过了什么吗?我的代码中有错误吗?
aspnetcore jwt 承载实现无法验证 header 中带有随机数的令牌,而这需要特殊处理。您尝试验证的令牌是针对 Microsoft Graph api,而不是针对您的应用程序。
如果您请求 https://login.microsoftonline.com/common/oauth2/authorize?resource={APPID}
,您可以获得应用程序的令牌我还能够验证 resource/api https://graph.windows.net (instead of https://graph.microsoft.com) as this tokens does not contain nonces, but this api is according to microsoft outdated and should not be used (https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph) 的令牌。
阅读更多: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609