IDX10501:签名验证失败。尝试过的密钥:'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'
IDX10501: Signature validation failed. Key tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'
我正在尝试验证来自 Azure 的令牌。我使用 Adal.js 来获取令牌。
当我尝试验证令牌时,每次总是收到相同的错误消息:
IDX10501: Signature validation failed. Key tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'.
token: '{"typ":"JWT",...
消息中省略的标记看起来像我在客户端上看到的,来自以下 3 个 url 的信息似乎已正确添加到数据结构中,即我可以看到字段填充的地方是我期待查看下面的链接和我在客户端上的令牌。
https://login.windows.net/{id}.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml
https://login.microsoftonline.com/{id}.onmicrosoft.com/.well-known/openid-configuration
https://login.microsoftonline.com/common/discovery/keys
但是每当我到达最后一行时ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(...我总是得到同样的错误。
关于如何使令牌有效的任何想法?
// Get the jwt bearer token from the authorization header
string jwtToken = null;
AuthenticationHeaderValue authHeader = request.Headers.Authorization;
if (authHeader != null)
{
jwtToken = authHeader.Parameter;
}
string issuer;
List<SecurityToken> signingTokens;
// The issuer and signingTokens are cached for 24 hours. They are updated if any of the conditions in the if condition is true.
if (DateTime.UtcNow.Subtract(_stsMetadataRetrievalTime).TotalHours > 24 || string.IsNullOrEmpty(_issuer) || _signingTokens == null)
{
// Get tenant information that's used to validate incoming jwt tokens
string stsDiscoveryEndpoint = string.Format("{0}/.well-known/openid-configuration", authority);
ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint);
OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync();
_issuer = config.Issuer;
_signingTokens = config.SigningTokens.ToList();
_stsMetadataRetrievalTime = DateTime.UtcNow;
}
issuer = _issuer;
signingTokens = _signingTokens;
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidAudience = audience,
ValidIssuer = issuer,
IssuerSigningTokens = signingTokens,
CertificateValidator = X509CertificateValidator.None
};
try {
// Validate token.
SecurityToken validatedToken = new JwtSecurityToken();
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters, out validatedToken);
}
更新
以防万一初始化客户端和服务器时我遗漏了什么。
Adal.js 初始选项是:
var endpoints = {
"https://graph.windows.net": "https://graph.windows.net"
};
var configOptions = {
tenant: "<ad>.onmicrosoft.com", // Optional by default, it sends common
clientId: "<app ID from azure portal>",
postLogoutRedirectUri: window.location.origin,
endpoints: endpoints,
}
window.authContext = new AuthenticationContext(configOptions);
服务器初始化选项是:
static string aadInstance = "https://login.microsoftonline.com/{0}";
static string tenant = "<ad>.onmicrosoft.com";
static string audience = "<app ID from azure portal>";
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
static string scopeClaimType = "http://schemas.microsoft.com/identity/claims/scope";
您要实现什么场景?您拥有的令牌用于 AAD Graph API,您无需对其进行验证。使用该令牌执行 api 调用时,Microsoft 图形服务器端将验证访问令牌。
此外,在您的服务器端初始化选项中,您将受众设置为来自 Azure 门户的应用 ID,这意味着在验证访问令牌时,访问令牌的受众应与来自 Azure 门户的应用 ID 匹配,但受众访问令牌的数量是 https://graph.windows.net,因为您正在为 Azure AD Graph api.
获取令牌
如果访问令牌是您自己的 api,您需要在您的 api 中验证访问令牌,您可以使用 OWIN 中间件来处理令牌:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Audience = ConfigurationManager.AppSettings["ida:Audience"],
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
});
或手动验证 JWT 令牌,例如 this code sample。
我正在尝试验证来自 Azure 的令牌。我使用 Adal.js 来获取令牌。 当我尝试验证令牌时,每次总是收到相同的错误消息:
IDX10501: Signature validation failed. Key tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'. token: '{"typ":"JWT",...
消息中省略的标记看起来像我在客户端上看到的,来自以下 3 个 url 的信息似乎已正确添加到数据结构中,即我可以看到字段填充的地方是我期待查看下面的链接和我在客户端上的令牌。
https://login.windows.net/{id}.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml
https://login.microsoftonline.com/{id}.onmicrosoft.com/.well-known/openid-configuration
https://login.microsoftonline.com/common/discovery/keys
但是每当我到达最后一行时ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(...我总是得到同样的错误。
关于如何使令牌有效的任何想法?
// Get the jwt bearer token from the authorization header
string jwtToken = null;
AuthenticationHeaderValue authHeader = request.Headers.Authorization;
if (authHeader != null)
{
jwtToken = authHeader.Parameter;
}
string issuer;
List<SecurityToken> signingTokens;
// The issuer and signingTokens are cached for 24 hours. They are updated if any of the conditions in the if condition is true.
if (DateTime.UtcNow.Subtract(_stsMetadataRetrievalTime).TotalHours > 24 || string.IsNullOrEmpty(_issuer) || _signingTokens == null)
{
// Get tenant information that's used to validate incoming jwt tokens
string stsDiscoveryEndpoint = string.Format("{0}/.well-known/openid-configuration", authority);
ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint);
OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync();
_issuer = config.Issuer;
_signingTokens = config.SigningTokens.ToList();
_stsMetadataRetrievalTime = DateTime.UtcNow;
}
issuer = _issuer;
signingTokens = _signingTokens;
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidAudience = audience,
ValidIssuer = issuer,
IssuerSigningTokens = signingTokens,
CertificateValidator = X509CertificateValidator.None
};
try {
// Validate token.
SecurityToken validatedToken = new JwtSecurityToken();
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters, out validatedToken);
}
更新
以防万一初始化客户端和服务器时我遗漏了什么。
Adal.js 初始选项是:
var endpoints = {
"https://graph.windows.net": "https://graph.windows.net"
};
var configOptions = {
tenant: "<ad>.onmicrosoft.com", // Optional by default, it sends common
clientId: "<app ID from azure portal>",
postLogoutRedirectUri: window.location.origin,
endpoints: endpoints,
}
window.authContext = new AuthenticationContext(configOptions);
服务器初始化选项是:
static string aadInstance = "https://login.microsoftonline.com/{0}";
static string tenant = "<ad>.onmicrosoft.com";
static string audience = "<app ID from azure portal>";
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
static string scopeClaimType = "http://schemas.microsoft.com/identity/claims/scope";
您要实现什么场景?您拥有的令牌用于 AAD Graph API,您无需对其进行验证。使用该令牌执行 api 调用时,Microsoft 图形服务器端将验证访问令牌。
此外,在您的服务器端初始化选项中,您将受众设置为来自 Azure 门户的应用 ID,这意味着在验证访问令牌时,访问令牌的受众应与来自 Azure 门户的应用 ID 匹配,但受众访问令牌的数量是 https://graph.windows.net,因为您正在为 Azure AD Graph api.
如果访问令牌是您自己的 api,您需要在您的 api 中验证访问令牌,您可以使用 OWIN 中间件来处理令牌:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Audience = ConfigurationManager.AppSettings["ida:Audience"],
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
});
或手动验证 JWT 令牌,例如 this code sample。