C# 使用来自授权端点 (crv, x, y) 的值验证 JWT 令牌
C# Validate JWT token with values from an authorize end point (crv, x, y)
我有一个网页显示在 iframe 中的供应商站点上。他们调用我的页面并在查询字符串中传递 JWT。我必须解析 jwt。
eyJraWQiOiIyMDIwLTA5LTAyVDE3OjM2OjE3LjU3MC5lYyIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJzdWIiOiJ1cm46Y2VybmVyOmlkZW50aXR5LWZlZGVyYXRpb246cmVhbG06SFdPb0lsUlgyWWRGZjkyNGJBZTZSR0l5WmtuajZrTjctY2g6cHJpbmNpcGFsOnRhNDh6OWdkNTVkNndyNW0iLCJhdWQiOiJodHRwczpcL1wvdXJsMjU4dmowai5leGVjdXRlLWFwaS51cy1lYXN0LTIuYW1hem9uYXdzLmNvbSIsImlzcyI6Imh0dHBzOlwvXC9kZXYuYmF5Y2FyZS5wYXRpZW50cG9ydGFsLnVzLTEuaGVhbHRoZWludGVudC5jb20iLCJleHAiOjE1OTkxNTQ1MTYsImlhdCI6MTU5OTE1MzkxNiwic2lkIjoiZGUwNmJhNmUtYjQyYy00ZmY5LWI4MmQtYmM4NjY0ODJmODU4In0.6Ru5Lyd1Zq016uv84pP-GjSuz6koVNipa_cd939eF21-5N2_A0Nj3I6AkDhuHrE870WzyTiCmZfkIjMOFZkRCA
我想通过从 https://authorizion.x.com/jwk 中提取值来验证签名。我得到的值如下所示:
{
"keys":[
{
"kty":"EC",
"crv":"P-256",
"kid":"2020-09-04T18:16:04.934.ec",
"x":"82WEbXbnfGC1kmMfjJch6gFJRp7hEp08gzZQdBLLFIk",
"y":"ytkPwl4IjLw8M94DzgTmdAbxjq0AmmYu9mMmxpU3eBI"
},
{
"kty":"EC",
"crv":"P-256",
"kid":"2020-09-02T17:36:17.570.ec",
"x":"uAfEPKELRuUVMtB0DCB5oyYWnfiV8-9zHYntvI0lsRE",
"y":"32J6nVgeb9RLdWK21QNDHhWdOsZJbxvyEq2n0IOvLtQ"
},
{
"kty":"EC",
"crv":"P-256",
"kid":"2020-08-31T17:36:17.359.ec",
"x":"HsxFY2vihycZgYnkSTLDHJ0Cagr2nUcZTbf2yQKPS6A",
"y":"4kLClPGM0TG_gCUlBKkYdXrlLFVasPxQ2UOvwSBKyt0"
}
]
}
我根据 JWT header 中的 kid 值选择密钥。如何根据 crv、x 和 y 值验证签名?我似乎需要 public 或私人证书,但我没有。
我还能补充什么。它使用 ECDSA p-256 加密。在 jwt.io 上方和 jwt.io 处有一个 Json Web Token 我得到以下值,
Header
{
"kid": "2020-09-02T17:36:17.570.ec",
"typ": "JWT",
"alg": "ES256"
}
有效负载
{
"sub": "urn:cerner:identity-federation:realm:HWOoIlRX2YdFf924bAe6RGIyZknj6kN7-ch:principal:ta48z9gd55d6wr5m",
"aud": "https://url258vj0j.execute-api.us-east-2.amazonaws.com",
"iss": "https://dev.baycare.patientportal.us-1.healtheintent.com",
"exp": 1599154516,
"iat": 1599153916,
"sid": "de06ba6e-b42c-4ff9-b82d-bc866482f858"
}
签名
6Ru5Lyd1Zq016uv84pP-GjSuz6koVNipa_cd939eF21-5N2_A0Nj3I6AkDhuHrE870WzyTiCmZfkIjMOFZkRCA
我包含了与 JWT 匹配的 Java Web 密钥集。
这是一个基于 Jose.
的非常简短的解决方案
基本上你需要从给定的 URL 中读取 JWKS,选择具有匹配密钥 ID (kid) 的正确 JWK,根据给定创建一个 ECJWKey, Base64 编码,x 和 y 参数,然后使用该密钥验证 JWT:
以下源代码只是流程的简短说明,密钥是硬编码的,不是从 JWKS 端点读取的。
using Jose;
using System;
using System.Security.Cryptography;
namespace JWKValiadation
{
public class ECJWKey
{
public string kty { get; set; }
public string crv { get; set; }
public string kid { get; set; }
public string x { get; set; }
public string y { get; set; }
}
class Program
{
static void Main(string[] args)
{
ECJWKey ecjwkkey = new ECJWKey
{
kty = "EC",
crv = "P-256",
kid = "2020-09-02T17:36:17.570.ec",
x = "uAfEPKELRuUVMtB0DCB5oyYWnfiV8-9zHYntvI0lsRE",
y = "32J6nVgeb9RLdWK21QNDHhWdOsZJbxvyEq2n0IOvLtQ"
};
string tokenEC = "eyJraWQiOiIyMDIwLTA5LTAyVDE3OjM2OjE3LjU3MC5lYyIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJzdWIiOiJ1cm46Y2VybmVyOmlkZW50aXR5LWZlZGVyYXRpb246cmVhbG06SFdPb0lsUlgyWWRGZjkyNGJBZTZSR0l5WmtuajZrTjctY2g6cHJpbmNpcGFsOnRhNDh6OWdkNTVkNndyNW0iLCJhdWQiOiJodHRwczpcL1wvdXJsMjU4dmowai5leGVjdXRlLWFwaS51cy1lYXN0LTIuYW1hem9uYXdzLmNvbSIsImlzcyI6Imh0dHBzOlwvXC9kZXYuYmF5Y2FyZS5wYXRpZW50cG9ydGFsLnVzLTEuaGVhbHRoZWludGVudC5jb20iLCJleHAiOjE1OTkxNTQ1MTYsImlhdCI6MTU5OTE1MzkxNiwic2lkIjoiZGUwNmJhNmUtYjQyYy00ZmY5LWI4MmQtYmM4NjY0ODJmODU4In0.6Ru5Lyd1Zq016uv84pP-GjSuz6koVNipa_cd939eF21-5N2_A0Nj3I6AkDhuHrE870WzyTiCmZfkIjMOFZkRCA";
// first read the header to get the kid
var headers = Jose.JWT.Headers(tokenEC);
if(headers.TryGetValue("kid", out var keyId))
{
// in a real application you would need the kid
// to select the right key from the JKWS
Console.WriteLine(keyId);
}
// create the key based on the parameters from the JWK
ECDsa eckey = ECDsa.Create(new ECParameters
{
Curve = ECCurve.NamedCurves.nistP256,
Q = new ECPoint
{
X = Base64Url.Decode(ecjwkkey.x),
Y = Base64Url.Decode(ecjwkkey.y)
}
});
// verify and decode the token
string payload = Jose.JWT.Decode(tokenEC, eckey);
Console.WriteLine(payload);
}
}
}
我有一个网页显示在 iframe 中的供应商站点上。他们调用我的页面并在查询字符串中传递 JWT。我必须解析 jwt。
eyJraWQiOiIyMDIwLTA5LTAyVDE3OjM2OjE3LjU3MC5lYyIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJzdWIiOiJ1cm46Y2VybmVyOmlkZW50aXR5LWZlZGVyYXRpb246cmVhbG06SFdPb0lsUlgyWWRGZjkyNGJBZTZSR0l5WmtuajZrTjctY2g6cHJpbmNpcGFsOnRhNDh6OWdkNTVkNndyNW0iLCJhdWQiOiJodHRwczpcL1wvdXJsMjU4dmowai5leGVjdXRlLWFwaS51cy1lYXN0LTIuYW1hem9uYXdzLmNvbSIsImlzcyI6Imh0dHBzOlwvXC9kZXYuYmF5Y2FyZS5wYXRpZW50cG9ydGFsLnVzLTEuaGVhbHRoZWludGVudC5jb20iLCJleHAiOjE1OTkxNTQ1MTYsImlhdCI6MTU5OTE1MzkxNiwic2lkIjoiZGUwNmJhNmUtYjQyYy00ZmY5LWI4MmQtYmM4NjY0ODJmODU4In0.6Ru5Lyd1Zq016uv84pP-GjSuz6koVNipa_cd939eF21-5N2_A0Nj3I6AkDhuHrE870WzyTiCmZfkIjMOFZkRCA
我想通过从 https://authorizion.x.com/jwk 中提取值来验证签名。我得到的值如下所示:
{
"keys":[
{
"kty":"EC",
"crv":"P-256",
"kid":"2020-09-04T18:16:04.934.ec",
"x":"82WEbXbnfGC1kmMfjJch6gFJRp7hEp08gzZQdBLLFIk",
"y":"ytkPwl4IjLw8M94DzgTmdAbxjq0AmmYu9mMmxpU3eBI"
},
{
"kty":"EC",
"crv":"P-256",
"kid":"2020-09-02T17:36:17.570.ec",
"x":"uAfEPKELRuUVMtB0DCB5oyYWnfiV8-9zHYntvI0lsRE",
"y":"32J6nVgeb9RLdWK21QNDHhWdOsZJbxvyEq2n0IOvLtQ"
},
{
"kty":"EC",
"crv":"P-256",
"kid":"2020-08-31T17:36:17.359.ec",
"x":"HsxFY2vihycZgYnkSTLDHJ0Cagr2nUcZTbf2yQKPS6A",
"y":"4kLClPGM0TG_gCUlBKkYdXrlLFVasPxQ2UOvwSBKyt0"
}
]
}
我根据 JWT header 中的 kid 值选择密钥。如何根据 crv、x 和 y 值验证签名?我似乎需要 public 或私人证书,但我没有。
我还能补充什么。它使用 ECDSA p-256 加密。在 jwt.io 上方和 jwt.io 处有一个 Json Web Token 我得到以下值,
Header
{
"kid": "2020-09-02T17:36:17.570.ec",
"typ": "JWT",
"alg": "ES256"
}
有效负载
{
"sub": "urn:cerner:identity-federation:realm:HWOoIlRX2YdFf924bAe6RGIyZknj6kN7-ch:principal:ta48z9gd55d6wr5m",
"aud": "https://url258vj0j.execute-api.us-east-2.amazonaws.com",
"iss": "https://dev.baycare.patientportal.us-1.healtheintent.com",
"exp": 1599154516,
"iat": 1599153916,
"sid": "de06ba6e-b42c-4ff9-b82d-bc866482f858"
}
签名
6Ru5Lyd1Zq016uv84pP-GjSuz6koVNipa_cd939eF21-5N2_A0Nj3I6AkDhuHrE870WzyTiCmZfkIjMOFZkRCA
我包含了与 JWT 匹配的 Java Web 密钥集。
这是一个基于 Jose.
的非常简短的解决方案基本上你需要从给定的 URL 中读取 JWKS,选择具有匹配密钥 ID (kid) 的正确 JWK,根据给定创建一个 ECJWKey, Base64 编码,x 和 y 参数,然后使用该密钥验证 JWT:
以下源代码只是流程的简短说明,密钥是硬编码的,不是从 JWKS 端点读取的。
using Jose;
using System;
using System.Security.Cryptography;
namespace JWKValiadation
{
public class ECJWKey
{
public string kty { get; set; }
public string crv { get; set; }
public string kid { get; set; }
public string x { get; set; }
public string y { get; set; }
}
class Program
{
static void Main(string[] args)
{
ECJWKey ecjwkkey = new ECJWKey
{
kty = "EC",
crv = "P-256",
kid = "2020-09-02T17:36:17.570.ec",
x = "uAfEPKELRuUVMtB0DCB5oyYWnfiV8-9zHYntvI0lsRE",
y = "32J6nVgeb9RLdWK21QNDHhWdOsZJbxvyEq2n0IOvLtQ"
};
string tokenEC = "eyJraWQiOiIyMDIwLTA5LTAyVDE3OjM2OjE3LjU3MC5lYyIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJzdWIiOiJ1cm46Y2VybmVyOmlkZW50aXR5LWZlZGVyYXRpb246cmVhbG06SFdPb0lsUlgyWWRGZjkyNGJBZTZSR0l5WmtuajZrTjctY2g6cHJpbmNpcGFsOnRhNDh6OWdkNTVkNndyNW0iLCJhdWQiOiJodHRwczpcL1wvdXJsMjU4dmowai5leGVjdXRlLWFwaS51cy1lYXN0LTIuYW1hem9uYXdzLmNvbSIsImlzcyI6Imh0dHBzOlwvXC9kZXYuYmF5Y2FyZS5wYXRpZW50cG9ydGFsLnVzLTEuaGVhbHRoZWludGVudC5jb20iLCJleHAiOjE1OTkxNTQ1MTYsImlhdCI6MTU5OTE1MzkxNiwic2lkIjoiZGUwNmJhNmUtYjQyYy00ZmY5LWI4MmQtYmM4NjY0ODJmODU4In0.6Ru5Lyd1Zq016uv84pP-GjSuz6koVNipa_cd939eF21-5N2_A0Nj3I6AkDhuHrE870WzyTiCmZfkIjMOFZkRCA";
// first read the header to get the kid
var headers = Jose.JWT.Headers(tokenEC);
if(headers.TryGetValue("kid", out var keyId))
{
// in a real application you would need the kid
// to select the right key from the JKWS
Console.WriteLine(keyId);
}
// create the key based on the parameters from the JWK
ECDsa eckey = ECDsa.Create(new ECParameters
{
Curve = ECCurve.NamedCurves.nistP256,
Q = new ECPoint
{
X = Base64Url.Decode(ecjwkkey.x),
Y = Base64Url.Decode(ecjwkkey.y)
}
});
// verify and decode the token
string payload = Jose.JWT.Decode(tokenEC, eckey);
Console.WriteLine(payload);
}
}
}