Google identity toolkit token validation exception with .NET JSON web token handler
I am trying to integrate GIT into my website. I have successfully implemented the toolkit and would like to validate the JWT sent from the Google API using the *.p12 certificate provided during setup.
Exception Details: System.IdentityModel.SignatureVerificationFailedException: IDX10501: Signature validation failed. Key tried: 'System.IdentityModel.Tokens.X509SecurityKey'.
JSON web token received:
token: '{"alg":"RS256","kid":"qwYevA"}.{"iss":"https://identitytoolkit.google.com/","aud": "238895676270-i8o5fe2poogs83nki8jl5tgtfm7h9n5l.apps.googleusercontent.com","iat":1445739256,"exp":1446948856,"user_id":"","email":"","provider_id": "google.com","verified":true,"display_name":""}'
    // Key material is loaded from the .p12 file downloaded during setup.
    var signingToken = new X509SecurityToken(new X509Certificate2(fileName, "notasecret"));
    TokenValidationParameters validationParameters =
        new TokenValidationParameters()
        {
            IssuerSigningKey = new X509SecurityKey(new X509Certificate2(fileName, "notasecret")),
            ValidAudience = "238895676270-i8o5fe2poogs83nki8jl5tgtfm7h9n5l.apps.googleusercontent.com",
            ValidIssuer = "https://identitytoolkit.google.com/",
            IssuerSigningKeyResolver = (token, a, ski, tvp) => { return new X509SecurityKey(new X509Certificate2(fileName, "notasecret")); },
            IssuerSigningToken = signingToken,
        };
    SecurityToken st;
    var tokenHandler = new JwtSecurityTokenHandler();
    // The token is read from the "gtoken" cookie.
    var result = tokenHandler.ValidateToken((Request.Cookies["gtoken"]).Value, validationParameters, out st);
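The JWT generated by Identity Toolkit is signed with Identity Toolkit's own RSA private key, not with the .p12 you downloaded during setup.
You need to download the currently valid Identity Toolkit X509 public certificates from https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys?key={YOUR_SERVER_API_KEY}, select the certificate for the 'kid' in the JWT you received, and then build an X509Certificate2 that uses that certificate.
The SERVER_API_KEY can be generated in the Google Developers Console where you created the OAuth2 client.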
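One way to implement the steps in the answer above, as an added example that is not part of the original post: it reads the 'kid' from the JWT header, selects the matching certificate from the publicKeys endpoint and validates the signature with it. The names GitkitTokenValidator, FetchCertificates and Validate are hypothetical, the code targets the same System.IdentityModel.Tokens.Jwt 4.x API as the question, and it assumes the endpoint returns a JSON object mapping key IDs to PEM-encoded certificates.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Net;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Web.Script.Serialization; // from System.Web.Extensions

public static class GitkitTokenValidator // hypothetical helper, not Google's code
{
    const string KeysUrl =
        "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys?key=";

    // Assumption: the response is a JSON object of the form { "<kid>": "<PEM certificate>" }.
    static Dictionary<string, string> FetchCertificates(string serverApiKey)
    {
        using (var client = new WebClient())
            return new JavaScriptSerializer().Deserialize<Dictionary<string, string>>(
                client.DownloadString(KeysUrl + Uri.EscapeDataString(serverApiKey)));
    }

    public static ClaimsPrincipal Validate(string jwt, string serverApiKey, string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        // The header is read unverified, only to learn which key ID to look up.
        var unverified = (JwtSecurityToken)handler.ReadToken(jwt);
        object kid;
        if (!unverified.Header.TryGetValue("kid", out kid) || !(kid is string))
            throw new SecurityTokenValidationException("JWT header has no 'kid'.");

        // Fail closed when the key ID is not in the published set.
        string pem;
        if (!FetchCertificates(serverApiKey).TryGetValue((string)kid, out pem))
            throw new SecurityTokenValidationException("Unknown signing key ID.");

        // The public certificate replaces the .p12 used in the question.
        var key = new X509SecurityKey(new X509Certificate2(Encoding.ASCII.GetBytes(pem)));
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://identitytoolkit.google.com/",
            ValidAudience = audience,
            IssuerSigningKeyResolver = (token, securityToken, keyId, tvp) => key,
        };
        SecurityToken validated;
        return handler.ValidateToken(jwt, parameters, out validated);
    }
}
```

The certificate set is fetched on every call here for brevity; a real deployment would cache it and refetch when an unknown 'kid' appears.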