AspNetCore 中的 Okta OAuth2 令牌验证失败
Failing Okta OAuth2 token validation in AspNetCore
我想在 API 的 bearer header 中验证来自 Okta 的 JWT 访问令牌,但验证总是失败并给出以下错误:
2016-12-16 10:12:30.451 +00:00 [Information] Failed to validate the token "eyJhbGciOiJSUzI1NiIsImtpZCI6Il95EVnTTc3MkRHSFdtV19ETDNJYUUyNlUifQ.eFULi1ET2htZFhUalFmcmV5bHdaZkI5aFVobFJ5VlRTenRvRTc1cHVSNUYwUlEiLCJpc3MiOLCJjaWQiOiJZTFpSUUZoWEY1RlpTd2xrbDlwVCIsInVpZCI6IjAwdTkxYXdpZmthZzZYcFE5MGg3Iiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiXX0.K50-cdNI1_m1GLglguCvpiinhxKYNwy0ieAABP7lfO2briaT29mzPeQx07a8F_CyJtQbEtOsPkYviCSK309m8n70WoM51B7FxYTebAxIvWZNrdB_Nsid4YrQHoOoM5b54Fzr4FE-7510TJxvKPg8lWViTQG5cfijE6AL-JXuPYlmdikByZbLwg57P4sUBWByF-pTcRqE2l03VOdkyQOJJ4v22jSUSgKFSYdaXH4ufFt2iTv_sbnNTTtXz4tKLLgfzsKZuxo7-N6-QB7Zuhn7g".
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': '_yomDqFziFzjpiI-OZmeDEgM772DGHWmW_DL3IaE26U',
token: '{"alg":"RS256","typ":"JWT","kid":"_yomDqFziFzjpiI-OZmeDEgM772DGHWmW_DL3IaE26U"}.{"ver":1,"jti":"AT.-DOhmdXTjQfreylwZfB9hUhlRyVTSztoE75puR5F0RQ","iss":"https://dev-606497.oktapreview.com","aud":"https://dev-606497.oktapreview.com","sub":"myemail@email.com","iat":1481883065,"exp":1481886665,"cid":"YLZRQFhXF5FZSwlkl9pT","uid":"00u91awifkag6XpQ90h7","scp":["openid","profile"]}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
我想知道原因是否可能是令牌中的 public 密钥 'kid' 与 Okta 上的密钥端点中的 public 密钥不同?
{"keys": [{"alg": "RS256","e": "AQAB","n": "wtkBXocJLBE-ArN56pLzSiR3x2w99R2d_rlCpFN__3k1I6P0vcfE4SKwoafzucaG-kEwy9pn4p49z0O24UHX0NmdxOMhyFmJsfss0tK0AkBhXB-e9kk5r316ePRtb7eo8uAnjNP7w2T6sSqwdppw7I8NQa4KrFIYFVDx4xDcYMfnGrKjKFdghxSpG2dP7vcQsjJHkMyEHYj7nTTyplReX21_Et2F5zHqvqQZ1JRuL_Ol-JrSEeM0Hznpb7kpggnFUA_xnzcR4AhT5P2WNNNenlfurjM_AN1ymV8DT04Tx7tp6G60N1AkDw4t4Q0LfuevQ","kid": "gtUiz-YdlCSRpr0Ue7LRuEtqgVqRmDWpe5ZuvBaWgVk","kty": "RSA","use": "sig"}]}
这是 Web 上的设置API:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
Audience = "http://api.azurewebsites.net",
Authority = "https://dev-606497.oktapreview.com"
});
为了通过 public 密钥获取访问令牌的密钥 url 需要为您的 Okta 组织启用一些功能。请发邮件给开发者@okta.com
你是对的 - kid 与 public 键不同 - key id 标识哪个 public 按键响应中使用的按键。如果我们查看 response example for v1/keys:
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"n": "iKqiD4cr7FZKm6f05K4r-GQOvjRqjOeFmOho9V7SAXYwCyJluaGBLVvDWO1XlduPLOrsG_Wgs67SOG5qeLPR8T1zDK4bfJAo1Tvbw
YeTwVSfd_0mzRq8WaVc_2JtEK7J-4Z0MdVm_dJmcMHVfDziCRohSZthN__WM2NwGnbewWnla0wpEsU3QMZ05_OxvbBdQZaDUsNSx4
6is29eCdYwhkAfFd_cFRq3DixLEYUsRwmOqwABwwDjBTNvgZOomrtD8BRFWSTlwsbrNZtJMYU33wuLO9ynFkZnY6qRKVHr3YToIrq
NBXw0RWCheTouQ-snfAB6wcE2WDN3N5z760ejqQ",
"kid": "U5R8cHbGw445Qbq8zVO1PcCpXL8yG6IcovVa3laCoxM",
"kty": "RSA",
"use": "sig"
},
... more
]
我们可以看到有一个 kid 属性 - 如果您手动执行此操作,则必须遍历键以找到匹配的键/token 响应中的 kid,并在 JWT 验证中使用它。
ASP.net 中有几个示例演示了此验证流程 - 例如,here's the relevant code in an Authorization Code flow sample。
查看我们的 Validating Access Tokens 文档也可能有助于更全面地了解流程。
更新: 刚刚注意到您要查找的孩子不在密钥响应中 - 这是为通过 OIDC 返回的访问令牌设计的(它们是不透明的) .这里有几个选项:
- 如果是 OpenId Connect,您必须通过 /userinfo endpoint
验证返回的访问令牌
- 或者,如果您正在研究 API Access Management,您需要联系开发人员@okta.com 为您启用该功能(如 Sohaib 所建议的)。这将通过密钥端点为您的访问令牌公开 public 密钥。
我想在 API 的 bearer header 中验证来自 Okta 的 JWT 访问令牌,但验证总是失败并给出以下错误:
2016-12-16 10:12:30.451 +00:00 [Information] Failed to validate the token "eyJhbGciOiJSUzI1NiIsImtpZCI6Il95EVnTTc3MkRHSFdtV19ETDNJYUUyNlUifQ.eFULi1ET2htZFhUalFmcmV5bHdaZkI5aFVobFJ5VlRTenRvRTc1cHVSNUYwUlEiLCJpc3MiOLCJjaWQiOiJZTFpSUUZoWEY1RlpTd2xrbDlwVCIsInVpZCI6IjAwdTkxYXdpZmthZzZYcFE5MGg3Iiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiXX0.K50-cdNI1_m1GLglguCvpiinhxKYNwy0ieAABP7lfO2briaT29mzPeQx07a8F_CyJtQbEtOsPkYviCSK309m8n70WoM51B7FxYTebAxIvWZNrdB_Nsid4YrQHoOoM5b54Fzr4FE-7510TJxvKPg8lWViTQG5cfijE6AL-JXuPYlmdikByZbLwg57P4sUBWByF-pTcRqE2l03VOdkyQOJJ4v22jSUSgKFSYdaXH4ufFt2iTv_sbnNTTtXz4tKLLgfzsKZuxo7-N6-QB7Zuhn7g".
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': '_yomDqFziFzjpiI-OZmeDEgM772DGHWmW_DL3IaE26U',
token: '{"alg":"RS256","typ":"JWT","kid":"_yomDqFziFzjpiI-OZmeDEgM772DGHWmW_DL3IaE26U"}.{"ver":1,"jti":"AT.-DOhmdXTjQfreylwZfB9hUhlRyVTSztoE75puR5F0RQ","iss":"https://dev-606497.oktapreview.com","aud":"https://dev-606497.oktapreview.com","sub":"myemail@email.com","iat":1481883065,"exp":1481886665,"cid":"YLZRQFhXF5FZSwlkl9pT","uid":"00u91awifkag6XpQ90h7","scp":["openid","profile"]}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
我想知道原因是否可能是令牌中的 public 密钥 'kid' 与 Okta 上的密钥端点中的 public 密钥不同?
{"keys": [{"alg": "RS256","e": "AQAB","n": "wtkBXocJLBE-ArN56pLzSiR3x2w99R2d_rlCpFN__3k1I6P0vcfE4SKwoafzucaG-kEwy9pn4p49z0O24UHX0NmdxOMhyFmJsfss0tK0AkBhXB-e9kk5r316ePRtb7eo8uAnjNP7w2T6sSqwdppw7I8NQa4KrFIYFVDx4xDcYMfnGrKjKFdghxSpG2dP7vcQsjJHkMyEHYj7nTTyplReX21_Et2F5zHqvqQZ1JRuL_Ol-JrSEeM0Hznpb7kpggnFUA_xnzcR4AhT5P2WNNNenlfurjM_AN1ymV8DT04Tx7tp6G60N1AkDw4t4Q0LfuevQ","kid": "gtUiz-YdlCSRpr0Ue7LRuEtqgVqRmDWpe5ZuvBaWgVk","kty": "RSA","use": "sig"}]}
这是 Web 上的设置API:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
Audience = "http://api.azurewebsites.net",
Authority = "https://dev-606497.oktapreview.com"
});
为了通过 public 密钥获取访问令牌的密钥 url 需要为您的 Okta 组织启用一些功能。请发邮件给开发者@okta.com
你是对的 - kid 与 public 键不同 - key id 标识哪个 public 按键响应中使用的按键。如果我们查看 response example for v1/keys:
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"n": "iKqiD4cr7FZKm6f05K4r-GQOvjRqjOeFmOho9V7SAXYwCyJluaGBLVvDWO1XlduPLOrsG_Wgs67SOG5qeLPR8T1zDK4bfJAo1Tvbw
YeTwVSfd_0mzRq8WaVc_2JtEK7J-4Z0MdVm_dJmcMHVfDziCRohSZthN__WM2NwGnbewWnla0wpEsU3QMZ05_OxvbBdQZaDUsNSx4
6is29eCdYwhkAfFd_cFRq3DixLEYUsRwmOqwABwwDjBTNvgZOomrtD8BRFWSTlwsbrNZtJMYU33wuLO9ynFkZnY6qRKVHr3YToIrq
NBXw0RWCheTouQ-snfAB6wcE2WDN3N5z760ejqQ",
"kid": "U5R8cHbGw445Qbq8zVO1PcCpXL8yG6IcovVa3laCoxM",
"kty": "RSA",
"use": "sig"
},
... more
]
我们可以看到有一个 kid 属性 - 如果您手动执行此操作,则必须遍历键以找到匹配的键/token 响应中的 kid,并在 JWT 验证中使用它。
ASP.net 中有几个示例演示了此验证流程 - 例如,here's the relevant code in an Authorization Code flow sample。
查看我们的 Validating Access Tokens 文档也可能有助于更全面地了解流程。
更新: 刚刚注意到您要查找的孩子不在密钥响应中 - 这是为通过 OIDC 返回的访问令牌设计的(它们是不透明的) .这里有几个选项:
- 如果是 OpenId Connect,您必须通过 /userinfo endpoint 验证返回的访问令牌
- 或者,如果您正在研究 API Access Management,您需要联系开发人员@okta.com 为您启用该功能(如 Sohaib 所建议的)。这将通过密钥端点为您的访问令牌公开 public 密钥。