AzureAD 令牌验证
AzureAD Token Validation
我正在尝试验证 Azure AD 在 AWS Lambda 函数内提供的令牌。目前我有一个 MVC 网站,您可以使用它向 Azure AD 进行身份验证,其中 returns 一个 JWT 令牌。此 JWT 将向上传递到 AWS API 网关,Lambda 授权方将在其中对其进行验证。
起初我认为正确的方法是将 JWT 传回 Azure AD 以验证令牌。但是在阅读 this, it appears I need to decrypt the token, and validate the issuer and audience. This lead me to this 后,它确实成功验证了令牌。但是,如果我将 mySecret 更改为与 Azure AD 中配置的不匹配,它仍然可以成功验证吗?
var authToken = "JWTToken";
string key = "I thought this needed to be the client secret in Azure AD but any string will still pass verification";
string myTenant = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
var myAudience = "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
var myIssuer = string.Format(CultureInfo.InvariantCulture, "https://sts.windows.net/{0}/", myTenant);
var mySecurityKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(key));
var stsDiscoveryEndpoint = String.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}/.well-known/openid-configuration", myTenant);
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
var config = await configManager.GetConfigurationAsync();
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
ValidAudience = myAudience,
ValidIssuer = myIssuer,
IssuerSigningKeys = config.SigningKeys,
ValidateLifetime = false,
IssuerSigningKey = mySecurityKey,
ValidateAudience = true,
ValidateIssuer = true,
};
var validatedToken = (SecurityToken)new JwtSecurityToken();
// Throws an Exception as the token is invalid (expired, invalid-formatted, etc.)
tokenHandler.ValidateToken(authToken, validationParameters, out validatedToken);
我将 Azure AD 配置为 this,其中客户端是 MVC 网站,服务是 Lambda Auhorizer。 TLDR:这基本上是两个客户端注册,其中 Lambda Authoizer 有一个公开的 API,而 MVC 网站有一个客户端密码。
采取了正确的方法吗?如果是这样,我该如何解决我面临的问题?
如有任何帮助,我们将不胜感激
我用过这样的东西:
string authority = "https://login.microsoftonline.com/<your-tenant-id>/";
string clientId = "<your-client-id>";
IConfigurationManager<OpenIdConnectConfiguration> configurationManager =
new ConfigurationManager<OpenIdConnectConfiguration>($"{authority}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = await configurationManager.GetConfigurationAsync(CancellationToken.None);
var validationParams = new TokenValidationParameters
{
ValidAudience = clientId,
IssuerSigningKeys = openIdConfig.SigningKeys
};
它使用权限下载有效的颁发者、签名密钥等
我正在尝试验证 Azure AD 在 AWS Lambda 函数内提供的令牌。目前我有一个 MVC 网站,您可以使用它向 Azure AD 进行身份验证,其中 returns 一个 JWT 令牌。此 JWT 将向上传递到 AWS API 网关,Lambda 授权方将在其中对其进行验证。
起初我认为正确的方法是将 JWT 传回 Azure AD 以验证令牌。但是在阅读 this, it appears I need to decrypt the token, and validate the issuer and audience. This lead me to this 后,它确实成功验证了令牌。但是,如果我将 mySecret 更改为与 Azure AD 中配置的不匹配,它仍然可以成功验证吗?
var authToken = "JWTToken";
string key = "I thought this needed to be the client secret in Azure AD but any string will still pass verification";
string myTenant = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
var myAudience = "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
var myIssuer = string.Format(CultureInfo.InvariantCulture, "https://sts.windows.net/{0}/", myTenant);
var mySecurityKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(key));
var stsDiscoveryEndpoint = String.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}/.well-known/openid-configuration", myTenant);
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
var config = await configManager.GetConfigurationAsync();
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
ValidAudience = myAudience,
ValidIssuer = myIssuer,
IssuerSigningKeys = config.SigningKeys,
ValidateLifetime = false,
IssuerSigningKey = mySecurityKey,
ValidateAudience = true,
ValidateIssuer = true,
};
var validatedToken = (SecurityToken)new JwtSecurityToken();
// Throws an Exception as the token is invalid (expired, invalid-formatted, etc.)
tokenHandler.ValidateToken(authToken, validationParameters, out validatedToken);
我将 Azure AD 配置为 this,其中客户端是 MVC 网站,服务是 Lambda Auhorizer。 TLDR:这基本上是两个客户端注册,其中 Lambda Authoizer 有一个公开的 API,而 MVC 网站有一个客户端密码。
采取了正确的方法吗?如果是这样,我该如何解决我面临的问题?
如有任何帮助,我们将不胜感激
我用过这样的东西:
string authority = "https://login.microsoftonline.com/<your-tenant-id>/";
string clientId = "<your-client-id>";
IConfigurationManager<OpenIdConnectConfiguration> configurationManager =
new ConfigurationManager<OpenIdConnectConfiguration>($"{authority}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = await configurationManager.GetConfigurationAsync(CancellationToken.None);
var validationParams = new TokenValidationParameters
{
ValidAudience = clientId,
IssuerSigningKeys = openIdConfig.SigningKeys
};
它使用权限下载有效的颁发者、签名密钥等