
oauth-2.0 - IDX10501: Signature validation failed. Unable to match key

Reposted. Author: 行者123. Updated: 2023-12-03 13:40:36

My task is to authenticate calls to an API with an ADFS token issued to an external application, so I created two applications: an MVC application, let's say A, which authenticates with SSO credentials, and a Web API application, let's say B. From A, I call B's API using A's ADFS token, but I get the error message below. Can anyone help me fix this?

Below is the code in the Web API application:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// openIdConfig is the ADFS discovery document URL (.../adfs/.well-known/openid-configuration).
// The retriever downloads the issuer and the JWKS signing keys from it.
ConfigurationManager<OpenIdConnectConfiguration> configManager =
    new ConfigurationManager<OpenIdConnectConfiguration>(openIdConfig,
        new OpenIdConnectConfigurationRetriever());

OpenIdConnectConfiguration config =
    configManager.GetConfigurationAsync().GetAwaiter().GetResult();

// These claims are read from the raw, not-yet-validated token; nothing here can be
// trusted until ValidateToken below has succeeded.
result.EmailId = Claims.FirstOrDefault(claim => claim.Type == "upn").Value;
result.WindowsNTId = Claims.FirstOrDefault(claim => claim.Type == "unique_name").Value;
var utc0 = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
result.TokenCreatedOn = utc0.AddSeconds(Convert.ToInt64(
    Claims.FirstOrDefault(claim => claim.Type == "iat").Value));
result.TokenExpiresOn = utc0.AddSeconds(Convert.ToInt64(
    Claims.FirstOrDefault(claim => claim.Type == "exp").Value));

// Use the System.IdentityModel.Tokens.Jwt library to validate the token
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();

var tokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuerSigningKey = true,
    ValidateIssuer = true,
    ValidIssuer = config.Issuer,
    IssuerSigningKeys = config.SigningKeys, // keys from the JWKS; the token's kid must match one of them
    ValidateAudience = true,
    ValidAudience = expectedAudience
};

SecurityToken validatedToken;

try
{
    var claimsPrincipal = tokenHandler.ValidateToken(RawData, tokenValidationParameters,
        out validatedToken);
}
catch (Exception ex)
{
    // The IDX10501 exception below is thrown here; log it rather than swallowing it.
}

Below is the exception message:

    IDX10501: Signature validation failed. Unable to match key:
    kid: 'System.String'.
    Exceptions caught: 'System.Text.StringBuilder'.
    token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.

Best answer

This happens when the decoded key (kid) is not a valid key (probably an old key, since certificate keys change regularly).
From https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs

if (kidExists)
{
    if (kidMatched)
        throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSignatureException(LogHelper.FormatInvariant(TokenLogMessages.IDX10511, keysAttempted, jwtToken.Kid, exceptionStrings, jwtToken)));

    throw LogHelper.LogExceptionMessage(new SecurityTokenSignatureKeyNotFoundException(LogHelper.FormatInvariant(TokenLogMessages.IDX10501, jwtToken.Kid, exceptionStrings, jwtToken)));
}
In my case, the cause of the problem was an empty (null) first byte in the key modulus. The solution was to remove that first null byte.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1122
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// configFileUrl, issuer, audience and idToken are supplied by the caller.
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(configFileUrl,
    new OpenIdConnectConfigurationRetriever());
var openIdConfig = configManager.GetConfigurationAsync().Result;

#region workaround for "Error validating identity token : IDX10511"
// The issue you are facing is caused by the null first byte.
// This is contrary to the JWA (https://tools.ietf.org/html/rfc7518#section-6.3.1.1).
// .NET Core will account for the null byte and .NET framework, apparently, won't.
List<SecurityKey> keys = new List<SecurityKey>();
foreach (var key in openIdConfig.SigningKeys)
{
    // Only RSA keys built from the JWKS (n, e) carry RSAParameters; X509SecurityKey and
    // other key types are passed through unchanged instead of failing the cast.
    if (key is RsaSecurityKey rsaKey && rsaKey.Parameters.Modulus != null
        && key.CryptoProviderFactory.IsSupportedAlgorithm("SHA256"))
    {
        var modulus = rsaKey.Parameters.Modulus;
        var exponent = rsaKey.Parameters.Exponent;

        // A 2048-bit modulus must be 256 bytes; a 257-byte value starting with 0x00
        // is the non-compliant encoding that .NET Framework rejects.
        if (modulus.Length == 257 && modulus[0] == 0)
        {
            var newModulus = new byte[256];
            Array.Copy(modulus, 1, newModulus, 0, 256);
            modulus = newModulus;
        }
        RSAParameters rsaParams = new RSAParameters();
        rsaParams.Modulus = modulus;
        rsaParams.Exponent = exponent;

        // Keep the original kid so the token header's kid still resolves to this key.
        keys.Add(new RsaSecurityKey(rsaParams) { KeyId = key.KeyId });
    }
    else
    {
        keys.Add(key);
    }
}
#endregion

TokenValidationParameters validationParameters =
    new TokenValidationParameters
    {
        // Validate the JWT Issuer (iss) claim
        ValidateIssuer = true,
        ValidIssuer = issuer,

        // Validate the JWT Audience (aud) claim
        ValidateAudience = true,
        ValidAudience = audience,

        // Use the rebuilt key list instead of openIdConfig.SigningKeys
        ValidateIssuerSigningKey = true,
        IssuerSigningKeys = keys,

        RequireExpirationTime = true,
        ValidateLifetime = true,
        RequireSignedTokens = true,
    };

// Now validate the token. If the token is not valid for any reason, an exception will be thrown by the method
SecurityToken validatedToken;
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();

var claimsPrincipal = handler.ValidateToken(idToken, validationParameters, out validatedToken);
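
The two failure modes in the answer (a kid that matches no key in the metadata the verifier holds, and a modulus published with a leading 0x00 octet) can be reproduced end to end without ADFS. The block below is an added example, not code from the page, the questioner or the Microsoft.IdentityModel library: it implements RS256 signing and verification with the Python standard library, publishes the public key as a JWK, and shows that a verifier which takes the key size k from the octet length of n (as RFC 8017 defines it) rejects the leading-zero encoding until the workaround strips it, while a JWKS that only knows the previous kid fails at key resolution, which is the IDX10501 condition. The key pair, the kids "key-2024" and "key-2023", the claims and the JWKS documents are all constructed here; the key is deliberately small and the generator is demo-grade.

```python
# Added example (not code from the page, the questioner or Microsoft.IdentityModel): RS256
# verification against a JWKS, reproducing how IDX10501 arises. Standard library only.
import base64, hashlib, hmac, json, secrets

DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2, note 1

def b64u(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def unb64u(text: str) -> bytes: return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def to_bytes(v: int) -> bytes: return v.to_bytes((v.bit_length() + 7) // 8, "big")  # no leading zeros

def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin; demo-grade only
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa(bits: int = 1024) -> dict:  # {'n','e','d'} as ints; deliberately small demo key
    def prime(b: int) -> int:
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # e must be invertible modulo phi(n)
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def jwk_from_key(key: dict, kid: str, leading_zero: bool = False) -> dict:
    """Public JWK; leading_zero=True reproduces the non-compliant metadata the answer describes."""
    n_bytes = (b"\x00" if leading_zero else b"") + to_bytes(key["n"])
    return {"kty": "RSA", "alg": "RS256", "kid": kid, "n": b64u(n_bytes), "e": b64u(to_bytes(key["e"]))}

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-octet modulus (RFC 8017 9.2)."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 with PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rs256(claims: dict, key: dict, kid: str) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64u(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    k = len(to_bytes(key["n"]))
    m = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64u(pow(m, key["d"], key["n"]).to_bytes(k, "big"))

def resolve_key(jwks: dict, kid: str) -> dict:
    """The condition IDX10501 reports: no published key carries the token's kid (e.g. a cached JWKS from before a rollover)."""
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid:
            return jwk
    raise LookupError(f"unable to match kid {kid!r}; published kids: {[j.get('kid') for j in jwks['keys']]}")

def verify_rs256(token: str, jwks: dict, normalize: bool = False) -> dict:
    """Returns the claims if the signature verifies under the JWKS key selected by kid. k is the octet
    length of n (RFC 8017), so a spurious leading 0x00 makes a 1024-bit key look like a 129-octet one
    and the 128-byte signature is rejected: the failure the answer attributes to .NET Framework."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(unb64u(h_b64))
    if header.get("alg") != "RS256":  # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    jwk = resolve_key(jwks, header.get("kid"))
    n_bytes = unb64u(jwk["n"])
    if normalize:  # the answer's workaround, generalised to any key size
        n_bytes = n_bytes.lstrip(b"\x00")
    n, e, k = int.from_bytes(n_bytes, "big"), int.from_bytes(unb64u(jwk["e"]), "big"), len(n_bytes)
    sig = unb64u(s_b64)
    if len(sig) != k:  # RFC 8017 8.2.2 step 1
        raise ValueError(f"invalid signature length {len(sig)} for a {k}-octet modulus")
    expected = emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k)
    actual = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(actual, expected):
        raise ValueError("signature validation failed")
    return json.loads(unb64u(p_b64))

def demo() -> dict:
    """The page's scenario: compliant JWKS, leading-zero JWKS with and without the workaround, stale kid."""
    key = generate_rsa()  # constructed sample key; the token below is a constructed sample token
    token = sign_rs256({"sub": "alice", "aud": "api://B"}, key, kid="key-2024")
    cases = {"good": ({"keys": [jwk_from_key(key, "key-2024")]}, False),
             "leading_zero": ({"keys": [jwk_from_key(key, "key-2024", True)]}, False),
             "leading_zero_fixed": ({"keys": [jwk_from_key(key, "key-2024", True)]}, True),
             "stale_kid": ({"keys": [jwk_from_key(key, "key-2023")]}, False)}
    results = {}
    for name, (jwks, fix) in cases.items():
        try:
            results[name] = "accepted:" + verify_rs256(token, jwks, normalize=fix)["sub"]
        except (ValueError, LookupError) as exc:
            results[name] = "rejected:" + str(exc)
    return results
```

Calling demo() returns one line per case: the compliant JWKS and the normalised one accept the token, the raw leading-zero JWKS is rejected on key size, and the stale JWKS is rejected before any signature math because no key carries the kid. The exception text quoted in the question shows 'System.String' where the kid should be because Microsoft.IdentityModel redacts values it treats as potentially personal data; setting Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true while debugging prints the real kid so it can be compared against the kids in the ADFS JWKS.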

Regarding "oauth-2.0 - IDX10501: Signature validation failed. Unable to match key", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61006792/
