問題描述
我在令牌使用者上收到以下錯誤.任何解決此問題的幫助將不勝感激.謝謝.
I get the following error on the token consumer. Any help resolving this will be most appreciated. Thanks.
IDX10503:簽名驗證失敗.
"IDX10503: Signature validation failed.
嘗試的鍵:'System.IdentityModel.Tokens.SymmetricSecurityKey'.例外捕獲:'System.InvalidOperationException:IDX10636:SignatureProviderFactory.CreateForVerifying 為鍵返回 null:'System.IdentityModel.Tokens.SymmetricSecurityKey',簽名算法:'http://www.w3.org/2001/04/xmldsig-更多#hmac-sha256'.在Microsoft.IdentityModel.Logging.LogHelper.Throw(字符串消息,類型exceptionType,EventLevel logLevel,異常 innerException)在System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(字節[]encodedBytes、Byte[] 簽名、SecurityKey 密鑰、字符串算法)在System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(字符串令牌,令牌驗證參數驗證參數)'.令牌:'令牌信息在這里'"
Keys tried: 'System.IdentityModel.Tokens.SymmetricSecurityKey '. Exceptions caught: 'System.InvalidOperationException: IDX10636: SignatureProviderFactory.CreateForVerifying returned null for key: 'System.IdentityModel.Tokens.SymmetricSecurityKey', signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256'. at Microsoft.IdentityModel.Logging.LogHelper.Throw(String message, Type exceptionType, EventLevel logLevel, Exception innerException) at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm) at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) '. token: 'token info was here'"
OAuth 服務器上的令牌生成代碼
using (var ctlr = new EntityController())
{
var authRepo = ctlr.GetAuthModelRepository();
string clientId;
ticket.Properties.Dictionary.TryGetValue(WebConstants.OwinContextProps.OAuthClientIdPropertyKey, out clientId);
if (string.IsNullOrWhiteSpace(clientId))
{
throw new InvalidOperationException("AuthenticationTicket.Properties does not include audience");
}
//audience record
var client = authRepo.FindAuthClientByOAuthClientID(clientId);
var issued = ticket.Properties.IssuedUtc;
var expires = ticket.Properties.ExpiresUtc;
var hmac = new HMACSHA256(Convert.FromBase64String(client.Secret));
var signingCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(hmac.Key),
Algorithms.HmacSha256Signature, Algorithms.Sha256Digest);
TokenValidationParameters validationParams =
new TokenValidationParameters()
{
ValidAudience = clientId,
ValidIssuer = _issuer,
ValidateLifetime = true,
ValidateAudience = true,
ValidateIssuer = true,
RequireSignedTokens = true,
RequireExpirationTime = true,
ValidateIssuerSigningKey = true,
IssuerSigningToken = new BinarySecretSecurityToken(hmac.Key)
};
var jwtHandler = new JwtSecurityTokenHandler();
var jwt = new JwtSecurityToken(_issuer, clientId, ticket.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingCredentials);
jwtOnTheWire = jwtHandler.WriteToken(jwt);
SecurityToken validatedToken = null;
jwtHandler.ValidateToken(jwtOnTheWire, validationParams,out validatedToken);
if (validatedToken == null)
return "token_validation_failed";
}
return jwtOnTheWire;
Owin Startup.cs 中的令牌消耗驗證 ASP.Net 5 vNext 站點
public void ConfigureServices(IServiceCollection services)
services.ConfigureOAuthBearerAuthentication(config =>
{
//oauth validation
var clientSecret = "not the real secret";
var hmac = new HMACSHA256(Convert.FromBase64String(clientSecret));
var signingCredentials = new SigningCredentials(
new SymmetricSecurityKey(hmac.Key), Algorithms.HmacSha256Signature, Algorithms.Sha256Digest);
config.TokenValidationParameters.ValidAudience = "myappname";
config.TokenValidationParameters.ValidIssuer = "mydomain.com";
config.TokenValidationParameters.RequireSignedTokens = true;
config.TokenValidationParameters.RequireExpirationTime = true;
config.TokenValidationParameters.ValidateLifetime = true;
config.TokenValidationParameters.ValidateIssuerSigningKey = true;
config.TokenValidationParameters.ValidateSignature = true;
config.TokenValidationParameters.ValidateAudience = true;
config.TokenValidationParameters.IssuerSigningKey = signingCredentials.SigningKey;
});
public void Configure(IApplicationBuilder 應用程序)
app.UseOAuthBearerAuthentication(config =>
{
config.AuthenticationScheme = "Bearer";
config.AutomaticAuthentication = true;
});
推薦答案
我能夠將自己的簽名驗證添加到 TokenValidationParameters 然后我將 JWT 的傳入 Raw 簽名與編譯的簽名進行比較在此代碼中,如果它匹配簽名是有效的.
I was able to add my own signature validation to the TokenValidationParameters Then I compared the incoming Raw signature of the JWT to the compiled signature in this code and if it matches the signature is valid.
為什么使用內置簽名驗證沒有發生這種情況我無法理解,也許這可能是 vNext Identity 令牌框架 beta 6 中的一個錯誤.
Why this didn't happen using the builtin signature validation is beyond me, maybe it's a possible bug in beta 6 of the vNext Identity token framework.
public void ConfigureServices(IServiceCollection services)
config.TokenValidationParameters.SignatureValidator =
delegate (string token, TokenValidationParameters parameters)
{
var clientSecret = "not the real secret";
var jwt = new JwtSecurityToken(token);
var hmac = new HMACSHA256(Convert.FromBase64String(clientSecret));
var signingCredentials = new SigningCredentials(
new SymmetricSecurityKey(hmac.Key), SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
var signKey = signingCredentials.SigningKey as SymmetricSecurityKey;
var encodedData = jwt.EncodedHeader + "." + jwt.EncodedPayload;
var compiledSignature = Encode(encodedData, signKey.Key);
//Validate the incoming jwt signature against the header and payload of the token
if (compiledSignature != jwt.RawSignature)
{
throw new Exception("Token signature validation failed.");
}
return jwt;
};
編碼輔助方法
public string Encode(string input, byte[] key)
{
HMACSHA256 myhmacsha = new HMACSHA256(key);
byte[] byteArray = Encoding.UTF8.GetBytes(input);
MemoryStream stream = new MemoryStream(byteArray);
byte[] hashValue = myhmacsha.ComputeHash(stream);
return Base64UrlEncoder.Encode(hashValue);
}
這篇關于OAuth Bearer 令牌身份驗證未通過簽名驗證的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!