ASP.NET Core RC2 Jwt 令牌 KID 错误
Posted
技术标签:
【中文标题】ASP.NET Core RC2 Jwt 令牌 KID 错误【英文标题】:ASP.NET Core RC2 Jwt Token KID error 【发布时间】:2016-09-24 20:34:30 【问题描述】:我在尝试使用 JwtBearerAuthentication 进行身份验证时遇到此异常:
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6IldYVDdGSUU3SlI5U1A0R09SUlVJSUMxX0pSTDJPVkhNRzkyVjFYVl8iLCJ0eXAiOiJKV1QifQ.eyJNYXN0ZXIiOiIxIiwiY2FzYSI6IjEiLCJ1bmlxdWVfbmFtZSI6InRlc3RlIiwianRpIjoiOWNiYmUzMDEtYjdhYy00MDQ5LTlhZjAtNzQ2MzhhNDZiYjg5IiwidXNhZ2UiOiJhY2Nlc3NfdG9rZW4iLCJjb25maWRlbnRpYWwiOnRydWUsInNjb3BlIjoib2ZmbGluZV9hY2Nlc3MiLCJzdWIiOiI4ZDRmNTdios1kMDk0LTRhYmUtOTcxNi03Y2Y1NTcyYTg0M2EiLCJhenAiOiJkdXgiLCJuYmYiOjE0NjQyODM1ODYsImV4cCI6MTQ2NDI4NzE4NiwiaWF0IjoxNDY0MjgzNTg2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAvIn0.nzT0K30EIbhW4OX4sq3w038c6C5U8LzJHMwszMVFvc6J18aaTUMuKx1txTzUnscZvTcHoMTV7Dyvlj9qCoVpJjnQmqhlP8Q2g-gVSPzKmX6TxB9lT4IF1hrneGj-4p1vRr9HRWb1JftMMnLwY1tfxJYcofvRTBzdofSfVtKRB1FR215VRFxUb8x4ipnICexZiSELEEC8GIN2koOVzoUAMZLQIkTVtKXV7gwi-lF0ECZem28FQ4ar2cmZPrQr0z0B8b-YemPhcLzJplIdCpDx8XHhLIIqLWO5ep7cK29HON8_LobvbXDCXrwUqJbNt2m5wtKYJ5qodfL5aWeo9Y09Wg.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_',
token: '"alg":"RS256","typ":"JWT","kid":"WXT7FIE7JR9SP4GORRUIIC1_JRL2OVHMG92V1XV_"."Master":"1","casa":"1","unique_name":"teste","jti":"9cbbe301-b7ac-4049-9af0-74638a46bb89","usage":"access_token","confidential":true,"scope":"offline_access","sub":"8d4f57b9-d094-4abe-9716-7cf5572a843a","azp":"dux","nbf":1464283586,"exp":1464287186,"iat":1464283586,"iss":"http://localhost:5000/"'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Error: Exception occurred while processing message.
我正在使用 OpenIdConnectServer 来颁发令牌
// Add a new middleware issuing tokens.
app.UseOpenIdConnectServer(options =>
options.AllowInsecureHttp = true;
options.Provider = new AuthorizationProvider();
options.UseJwtTokens();
);
// Add a new middleware validating access tokens issued by the server.
app.UseJwtBearerAuthentication(new JwtBearerOptions
AutomaticAuthenticate = true,
AutomaticChallenge = true,
RequireHttpsMetadata = false,
TokenValidationParameters = new TokenValidationParameters
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = false
);
【问题讨论】:
添加更多细节会很有用:您是否在 IIS 后面运行您的应用程序? IIS 快递?您是否在启动时在输出窗口中看到警告消息? @Pinpoint 我在 Kestrel 上运行,我收到消息“未注册显式签名凭据。” "现有密钥已自动添加到签名凭据列表中" @Pinpoint 它曾经在 RC1 上工作,但我将 TokenValidationParameter.ValidateSignature 设置为 false(它似乎不再存在) 【参考方案1】:由于某些原因,IdentityModel(JWT 不记名中间件背后的库)似乎忽略了您的 ValidateIssuerSigningKey = false 指令(这在实践中非常糟糕,因为每个人都可以伪造 JWT 不记名中间件可以接受的假令牌) .
要解决此问题(并使您的 API 真正安全),请配置 Authority 属性以允许 JWT 不记名中间件从 OpenID Connect 服务器中间件下载签名密钥:
app.UseJwtBearerAuthentication(new JwtBearerOptions
Authority = "http://localhost:5000/", // base address of your OIDC server.
Audience = "http://localhost:5000/", // base address of your API.
RequireHttpsMetadata = false
);
【讨论】:
感谢您的回答和创建 OpenIdConnect 的出色实现 :) 哈哈,谢谢你的好话!在相关说明中,由于您的授权服务器和您的 API 是同一个应用程序的一部分,您可能想尝试新的验证中间件并使用不透明的令牌(新的默认格式)。与 JWT 不记名中间件不同,验证中间件不需要设置权限/受众:***.com/a/33147208/542757 升级到 ASP.NET Core 1.0 RTM 后,我也遇到了同样的错误。起初,这个答案似乎并不能解决问题。不匹配的孩子到底是什么?以上是关于ASP.NET Core RC2 Jwt 令牌 KID 错误的主要内容,如果未能解决你的问题,请参考以下文章