IDX10501:签名验证失败。无法匹配密钥

Posted

技术标签:

【中文标题】IDX10501:签名验证失败。无法匹配密钥【英文标题】:IDX10501: Signature validation failed. Unable to match key 【发布时间】:2020-07-15 07:44:07 【问题描述】:

我的任务是使用来自外部应用程序的 ADFS 令牌对 API 进行身份验证,因此我创建了两个应用程序,一个是 MVC 应用程序,比如说 A,它使用 SSO 凭据进行身份验证,另一个是是 WEB API 应用程序让我们说 B,所以在这里从 A,我正在使用 A 的 ADFS 令牌调用 B 的 API,但是,我得到了错误。有人帮我解决这个问题吗?

下面是应用B

中WEB API中的代码 
           ConfigurationManager<OpenIdConnectConfiguration> configManager =
                new ConfigurationManager<OpenIdConnectConfiguration>(openIdConfig, new 
                                                                     OpenIdConnectConfigurationRetriever());

            OpenIdConnectConfiguration config = 
            configManager.GetConfigurationAsync().GetAwaiter().GetResult();
            result.EmailId = Claims.FirstOrDefault(claim => claim.Type == "upn").Value;
            result.WindowsNTId = Claims.FirstOrDefault(claim => claim.Type == "unique_name").Value;
            var utc0 = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
            result.TokenCreatedOn = utc0.AddSeconds(Convert.ToInt64((Claims.FirstOrDefault(claim => 
            claim.Type == "iat").Value)));
            result.TokenExpiresOn = utc0.AddSeconds(Convert.ToInt64((Claims.FirstOrDefault(claim => 
            claim.Type == "exp").Value)));

            // Use System.IdentityModel.Tokens.Jwt library to validate the token
            JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();

            var tokenValidationParameters = new TokenValidationParameters
            
                ValidateIssuerSigningKey = true,
                ValidateIssuer = true,
                ValidIssuer = config.Issuer,
                IssuerSigningKeys = config.SigningKeys,
                ValidateAudience = true,
                ValidAudience = expectedAudience
            ;

            SecurityToken validatedToken;

            try
            
                var claimsPrincipal = tokenHandler.ValidateToken(RawData, tokenValidationParameters, 
                out validatedToken);

            
            catch (Exception ex)

以下是异常消息。 

    IDX10501: Signature validation failed. Unable to match key: 
    kid: 'System.String'.
    Exceptions caught:System.Text.StringBuilder'. 
    token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.

【问题讨论】:

【参考方案1】:

当解码的密钥 (kid) 不是有效密钥时会发生这种情况(可能是旧密钥,因为证书密钥通常会更改)。

来自https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs

if (kidExists)

     if (kidMatched)
     throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSignatureException(LogHelper.FormatInvariant(TokenLogMessages.IDX10511, keysAttempted, jwtToken.Kid, exceptionStrings, jwtToken)));

     throw LogHelper.LogExceptionMessage(new SecurityTokenSignatureKeyNotFoundException(LogHelper.FormatInvariant(TokenLogMessages.IDX10501, jwtToken.Kid, exceptionStrings, jwtToken)));

在我的情况下,问题的原因是密钥模数中存在空的第一个字节。解决方案是删除第一个空字节。

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1122

var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(configFileUrl, new OpenIdConnectConfigurationRetriever());
var openIdConfig = configManager.GetConfigurationAsync().Result; #region workaround for "Error validating identity token : IDX10511"
//The issue you are facing is caused by the null first byte.
//This is contrary to the JWA (https://tools.ietf.org/html/rfc7518#section-6.3.1.1).
//.NET Core will account for the null byte and .NET framework, apparently, won't.
List<SecurityKey> keys = new List<SecurityKey>();
foreach (var key in openIdConfig.SigningKeys)

     if (key.CryptoProviderFactory.IsSupportedAlgorithm("SHA256"))
     
          var modulus = ((RsaSecurityKey)key).Parameters.Modulus;
          var exponent = ((RsaSecurityKey)key).Parameters.Exponent;

          if (modulus.Length == 257 && modulus[0] == 0)
          
               var newModulus = new byte[256];
               Array.Copy(modulus, 1, newModulus, 0, 256);
               modulus = newModulus;
          
          RSAParameters rsaParams = new RSAParameters();
          rsaParams.Modulus = modulus;
          rsaParams.Exponent = exponent;

          keys.Add(new RsaSecurityKey(rsaParams));
     
     else
     
          keys.Add(key);
     

#endregion

TokenValidationParameters validationParameters =
new TokenValidationParameters

     // Validate the JWT Issuer (iss) claim
     ValidateIssuer = true,
     ValidIssuer = issuer,

     //// Validate the JWT Audience (aud) claim
     ValidateAudience = true,
     ValidAudience = audience,

     ValidateIssuerSigningKey = true,
     IssuerSigningKeys = keys,

     RequireExpirationTime = true,
     ValidateLifetime = true,
     RequireSignedTokens = true,
;

// Now validate the token. If the token is not valid for any reason, an exception will be thrown by the method
SecurityToken validatedToken;
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();

var claimsPrincipal = handler.ValidateToken(idToken, validationParameters, out validatedToken);

【讨论】:

我编辑了我的答案,我猜它不完整,你能删除反对票吗?

以上是关于IDX10501:签名验证失败。无法匹配密钥的主要内容,如果未能解决你的问题,请参考以下文章

IDX10501:签名验证失败。无法匹配键

每日获取 :: SecurityTokenSignatureKeyNotFoundException: IDX10501: 签名验证失败。无法匹配键:

Azure b2c 错误:IDX10501:签名验证失败。无法匹配键:孩子:'gLv****************'

IDX10501:签名验证失败。尝试的密钥:'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'

签名验证失败。无法匹配“孩子”

Azure AD B2C 错误 - IDX10501:签名验证失败