I want to validate a token from Azure. I use Adal.js to obtain the token. When I try to validate the token I always get the same error message: IDX10501: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'
IDX10501: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'. token: '{"typ":"JWT",...
Omitted from the message is what the token looks like; I can see it on the client, and the information from the following 3 URLs seems to be loaded into the correct data structures, i.e. I can see the populated fields that I expect to see from the links below and from my client token.
https://login.windows.net/{ID}.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml
https://login.microsoftonline.com/{ID}.onmicrosoft.com/.well-known/openid-configuration
https://login.microsoftonline.com/common/discovery/keys
But whenever I reach the last line, ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(...,
I always get the same error.
Any ideas on how to get the token to validate?
    // Namespaces needed by the fragment below (System.IdentityModel.Tokens.Jwt 4.x
    // and Microsoft.IdentityModel.Protocol.Extensions)
    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.Linq;
    using System.Net.Http.Headers;
    using System.Security.Claims;
    using Microsoft.IdentityModel.Protocols;

    // Get the jwt bearer token from the authorization header
    string jwtToken = null;
    AuthenticationHeaderValue authHeader = request.Headers.Authorization;
    if (authHeader != null)
    {
        jwtToken = authHeader.Parameter;
    }

    string issuer;
    List<SecurityToken> signingTokens;

    // The issuer and signingTokens are cached for 24 hours. They are refreshed if any of the conditions in the if is true.
    if (DateTime.UtcNow.Subtract(_stsMetadataRetrievalTime).TotalHours > 24 || string.IsNullOrEmpty(_issuer) || _signingTokens == null)
    {
        // Get tenant information that's used to validate incoming jwt tokens
        string stsDiscoveryEndpoint = string.Format("{0}/.well-known/openid-configuration", authority);
        ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint);
        OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync();
        _issuer = config.Issuer;
        _signingTokens = config.SigningTokens.ToList();
        _stsMetadataRetrievalTime = DateTime.UtcNow;
    }

    issuer = _issuer;
    signingTokens = _signingTokens;

    JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidAudience = audience,
        ValidIssuer = issuer,
        IssuerSigningTokens = signingTokens,
        // The signing certificates come from the discovery document, so chain validation is skipped here
        CertificateValidator = X509CertificateValidator.None
    };

    try
    {
        // Validate token. ValidateToken assigns the out parameter, so no instance is needed beforehand.
        SecurityToken validatedToken;
        ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters, out validatedToken);
    }
    catch (SecurityTokenValidationException)
    {
        // The handler for the failure is not included in the post; this is where IDX10501 surfaces.
        throw;
    }
Update
Just in case there is some initialization of the client and server that I missed.
Adal.js initialization options:
    var endpoints = {
        "https://graph.windows.net": "https://graph.windows.net"
    };

    var configOptions = {
        tenant: "<ad>.onmicrosoft.com", // Optional; by default it sends common
        clientId: "<app ID from azure portal>",
        postLogoutRedirectUri: window.location.origin,
        endpoints: endpoints,
    }

    window.authContext = new AuthenticationContext(configOptions);
Server initialization options:
    static string aadInstance = "https://login.microsoftonline.com/{0}";
    static string tenant = "<ad>.onmicrosoft.com";
    static string audience = "<app ID from azure portal>";
    string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
    static string scopeClaimType = "http://schemas.microsoft.com/identity/claims/scope";
When you look at the token (at https://shawntabrizi.com/jwt), does the 'kid' in the header match any of the 'kid' values listed at https://login.microsoftonline.com/common/discovery/keys? –
Yes, they match – Jeppe
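The kid comparison suggested in the comment above is one of several cheap checks worth running before blaming the signature itself: the token's alg, kid, iss, aud and exp must all line up with what the server side configures, and a token that Adal.js acquired for the graph.windows.net endpoint in the config above would carry that resource as its aud rather than the app ID. The script below is an added example, not code from the question or from the libraries involved; it only decodes the header and payload and does not verify the RSA signature, and the JWKS entries and token claims it uses are constructed samples.

```python
import base64
import json

# Constructed sample of the key list shape served by the discovery endpoint the
# question links (https://login.microsoftonline.com/common/discovery/keys);
# the kid values are made up.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "key-A", "x5t": "key-A"},
    {"kty": "RSA", "use": "sig", "kid": "key-B", "x5t": "key-B"},
]}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def triage_token(token, jwks, expected_issuer, expected_audience, now):
    """Checks that explain most IDX10501 reports before the signature is even
    tried. Returns a list of reasons; an empty list means alg, kid, iss, aud
    and exp all match and only the RSA signature itself remains to verify."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    reasons = []
    if header.get("alg") != "RS256":
        reasons.append("alg is %r; AAD signs tokens with RS256" % header.get("alg"))
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in known_kids:
        reasons.append("kid %r is not in the discovery key list" % header.get("kid"))
    if payload.get("iss") != expected_issuer:
        reasons.append("iss %r != configured issuer %r" % (payload.get("iss"), expected_issuer))
    if payload.get("aud") != expected_audience:
        reasons.append("aud %r != configured audience %r (token minted for another resource?)"
                       % (payload.get("aud"), expected_audience))
    if payload.get("exp", 0) <= now:
        reasons.append("token expired")
    return reasons


def make_sample_token(header, payload):
    # Builds a token with a placeholder signature so the checks can run offline;
    # it would of course fail real signature validation.
    segments = [b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    return ".".join(segments + [b64url_encode(b"\x00")])
```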