ASP.NET Core RC2 Jwt 令牌 KID 错误

Posted

技术标签:

【中文标题】ASP.NET Core RC2 Jwt 令牌 KID 错误【英文标题】:ASP.NET Core RC2 Jwt Token KID error 【发布时间】:2016-09-24 20:34:30 【问题描述】:

我在尝试使用 JwtBearerAuthentication 进行身份验证时遇到此异常:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6IldYVDdGSUU3SlI5U1A0R09SUlVJSUMxX0pSTDJPVkhNRzkyVjFYVl8iLCJ0eXAiOiJKV1QifQ.eyJNYXN0ZXIiOiIxIiwiY2FzYSI6IjEiLCJ1bmlxdWVfbmFtZSI6InRlc3RlIiwianRpIjoiOWNiYmUzMDEtYjdhYy00MDQ5LTlhZjAtNzQ2MzhhNDZiYjg5IiwidXNhZ2UiOiJhY2Nlc3NfdG9rZW4iLCJjb25maWRlbnRpYWwiOnRydWUsInNjb3BlIjoib2ZmbGluZV9hY2Nlc3MiLCJzdWIiOiI4ZDRmNTdios1kMDk0LTRhYmUtOTcxNi03Y2Y1NTcyYTg0M2EiLCJhenAiOiJkdXgiLCJuYmYiOjE0NjQyODM1ODYsImV4cCI6MTQ2NDI4NzE4NiwiaWF0IjoxNDY0MjgzNTg2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAvIn0.nzT0K30EIbhW4OX4sq3w038c6C5U8LzJHMwszMVFvc6J18aaTUMuKx1txTzUnscZvTcHoMTV7Dyvlj9qCoVpJjnQmqhlP8Q2g-gVSPzKmX6TxB9lT4IF1hrneGj-4p1vRr9HRWb1JftMMnLwY1tfxJYcofvRTBzdofSfVtKRB1FR215VRFxUb8x4ipnICexZiSELEEC8GIN2koOVzoUAMZLQIkTVtKXV7gwi-lF0ECZem28FQ4ar2cmZPrQr0z0B8b-YemPhcLzJplIdCpDx8XHhLIIqLWO5ep7cK29HON8_LobvbXDCXrwUqJbNt2m5wtKYJ5qodfL5aWeo9Y09Wg.

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_', 
token: '"alg":"RS256","typ":"JWT","kid":"WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_"."Master":"1","casa":"1","unique_name":"teste","jti":"9cbbe301-b7ac-4049-9af0-74638a46bb89","usage":"access_token","confidential":true,"scope":"offline_access","sub":"8d4f57b9-d094-4abe-9716-7cf5572a843a","azp":"dux","nbf":1464283586,"exp":1464287186,"iat":1464283586,"iss":"http://localhost:5000/"'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Error: Exception occurred while processing message.

我正在使用 OpenIdConnectServer 来颁发令牌

        // Add a new middleware issuing tokens.
        app.UseOpenIdConnectServer(options =>
        
            options.AllowInsecureHttp = true;
            options.Provider = new AuthorizationProvider();
            options.UseJwtTokens();                
        );

        // Add a new middleware validating access tokens issued by the server.
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            RequireHttpsMetadata = false,                                
            TokenValidationParameters = new TokenValidationParameters
            
                ValidateAudience = false,
                ValidateIssuer = false,
                ValidateIssuerSigningKey = false
            
        );

【问题讨论】:

添加更多细节会很有用:您是否在 IIS 后面运行您的应用程序? IIS 快递?您是否在启动时在输出窗口中看到警告消息? @Pinpoint 我在 Kestrel 上运行,我收到消息“未注册显式签名凭据。” "现有密钥已自动添加到签名凭据列表中" @Pinpoint 它曾经在 RC1 上工作,但我将 TokenValidationParameter.ValidateSignature 设置为 false(它似乎不再存在) 【参考方案1】:

由于某些原因,IdentityModel(JWT 不记名中间件背后的库)似乎忽略了您的 ValidateIssuerSigningKey = false 指令(这在实践中非常糟糕,因为每个人都可以伪造 JWT 不记名中间件可以接受的假令牌) .

要解决此问题(并使您的 API 真正安全),请配置 Authority 属性以允许 JWT 不记名中间件从 OpenID Connect 服务器中间件下载签名密钥:

app.UseJwtBearerAuthentication(new JwtBearerOptions 
    Authority = "http://localhost:5000/", // base address of your OIDC server.
    Audience = "http://localhost:5000/", // base address of your API.
    RequireHttpsMetadata = false
);

【讨论】:

感谢您的回答和创建 OpenIdConnect 的出色实现 :) 哈哈,谢谢你的好话!在相关说明中,由于您的授权服务器和您的 API 是同一个应用程序的一部分,您可能想尝试新的验证中间件并使用不透明的令牌(新的默认格式)。与 JWT 不记名中间件不同,验证中间件不需要设置权限/受众:***.com/a/33147208/542757 升级到 ASP.NET Core 1.0 RTM 后,我也遇到了同样的错误。起初,这个答案似乎并不能解决问题。不匹配的孩子到底是什么?

以上是关于ASP.NET Core RC2 Jwt 令牌 KID 错误的主要内容,如果未能解决你的问题,请参考以下文章

ASP.NET Core 中的 Jwt 令牌身份验证

ASP.net Core 2.0 JWT 令牌刷新

使用外部 JWT 令牌 ASP.NET CORE

ASP.NET Core 和 JWT 令牌生命周期

我们可以在 Asp.NET Core 中销毁/无效 JWT 令牌吗?

ASP.NET Core AWS Cognito JWT