2016-12-19 68 views
2

Failed OAuth2 Okta token validation in AspNetCore

I want to validate the JWT access token from Okta that arrives in the Bearer header on my API, but validation always fails with the following error:

2016-12-16 10:12:30.451 +00:00 [Information] Failed to validate the token "eyJhbGciOiJSUzI1NiIsImtpZCI6Il95EVnTTc3MkRHSFdtV19ETDNJYUUyNlUifQ.eFULi1ET2htZFhUalFmcmV5bHdaZkI5aFVobFJ5VlRTenRvRTc1cHVSNUYwUlEiLCJpc3MiOLCJjaWQiOiJZTFpSUUZoWEY1RlpTd2xrbDlwVCIsInVpZCI6IjAwdTkxYXdpZmthZzZYcFE5MGg3Iiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiXX0.K50-cdNI1_m1GLglguCvpiinhxKYNwy0ieAABP7lfO2briaT29mzPeQx07a8F_CyJtQbEtOsPkYviCSK309m8n70WoM51B7FxYTebAxIvWZNrdB_Nsid4YrQHoOoM5b54Fzr4FE-7510TJxvKPg8lWViTQG5cfijE6AL-JXuPYlmdikByZbLwg57P4sUBWByF-pTcRqE2l03VOdkyQOJJ4v22jSUSgKFSYdaXH4ufFt2iTv_sbnNTTtXz4tKLLgfzsKZuxo7-N6-QB7Zuhn7g". 
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': '_yomDqFziFzjpiI-OZmeDEgM772DGHWmW_DL3IaE26U', 
token: '{"alg":"RS256","typ":"JWT","kid":"_yomDqFziFzjpiI-OZmeDEgM772DGHWmW_DL3IaE26U"}.{"ver":1,"jti":"AT.-DOhmdXTjQfreylwZfB9hUhlRyVTSztoE75puR5F0RQ","iss":"https://dev-606497.oktapreview.com","aud":"https://dev-606497.oktapreview.com","sub":"[email protected]","iat":1481883065,"exp":1481886665,"cid":"YLZRQFhXF5FZSwlkl9pT","uid":"00u91awifkag6XpQ90h7","scp":["openid","profile"]}'. 
    at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) 
    at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) 
    at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext() 

I wonder whether the reason could be that the 'kid' in the token differs from the public key in the Keys endpoint in Okta?

{"keys": [{"alg": "RS256","e": "AQAB","n": "wtkBXocJLBE-ArN56pLzSiR3x2w99R2d_rlCpFN__3k1I6P0vcfE4SKwoafzucaG-kEwy9pn4p49z0O24UHX0NmdxOMhyFmJsfss0tK0AkBhXB-e9kk5r316ePRtb7eo8uAnjNP7w2T6sSqwdppw7I8NQa4KrFIYFVDx4xDcYMfnGrKjKFdghxSpG2dP7vcQsjJHkMyEHYj7nTTyplReX21_Et2F5zHqvqQZ1JRuL_Ol-JrSEeM0Hznpb7kpggnFUA_xnzcR4AhT5P2WNNNenlfurjM_AN1ymV8DT04Tx7tp6G60N1AkDw4t4Q0LfuevQ","kid": "gtUiz-YdlCSRpr0Ue7LRuEtqgVqRmDWpe5ZuvBaWgVk","kty": "RSA","use": "sig"}]} 

This is the WebAPI setup:

app.UseJwtBearerAuthentication(new JwtBearerOptions 
{ 
    AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme, 
    Audience = "http://api.azurewebsites.net", 
    Authority = "https://dev-606497.oktapreview.com" 
}); 

dieselcz, I'm calling the Okta OpenID API and pulling back a JWT after the user logs in. I then pass that JWT to my API. It seems the signature is empty. I've read that I have to use both OpenID and an Okta authorization server to be able to validate the token? Is that your approach, and can you provide any insight? –

Answers

1

In order to get the public keys for access tokens through the keys URL, certain functionality needs to be enabled for your Okta org. Please email [email protected]


Thanks. You are right. I had to contact Okta and have this beta feature enabled. – dieselcz

0

You are correct - the kid is different from the public key - it is the key ID that identifies which public key from the keys response to use. If we look at the response example for /v1/keys:

"keys": [ 
    { 
    "alg": "RS256", 
    "e": "AQAB", 
    "n": "iKqiD4cr7FZKm6f05K4r-GQOvjRqjOeFmOho9V7SAXYwCyJluaGBLVvDWO1XlduPLOrsG_Wgs67SOG5qeLPR8T1zDK4bfJAo1Tvbw 
      YeTwVSfd_0mzRq8WaVc_2JtEK7J-4Z0MdVm_dJmcMHVfDziCRohSZthN__WM2NwGnbewWnla0wpEsU3QMZ05_OxvbBdQZaDUsNSx4 
      6is29eCdYwhkAfFd_cFRq3DixLEYUsRwmOqwABwwDjBTNvgZOomrtD8BRFWSTlwsbrNZtJMYU33wuLO9ynFkZnY6qRKVHr3YToIrq 
      NBXw0RWCheTouQ-snfAB6wcE2WDN3N5z760ejqQ", 
    "kid": "U5R8cHbGw445Qbq8zVO1PcCpXL8yG6IcovVa3laCoxM", 
    "kty": "RSA", 
    "use": "sig" 
    }, 
    ... more 
] 

We can see there is a kid property - if you're doing this manually, you have to iterate over the keys to find the key whose kid matches the kid in your /token response, and use that key in your JWT validation.

There are several ASP.NET samples that demonstrate the validation flow - for example, here's the relevant code in the Authorization Code flow sample.

It may also help to look at our Validating Access Tokens documentation for a fuller understanding of the flow.

Update: just noticed that the kid you're trying to look up isn't in the keys response - this is by design for access tokens returned via OIDC (they are opaque). There are a couple of options here:

  1. If you're using OpenID Connect, you must validate the returned access token via the /userinfo endpoint.
  2. Alternatively, if you're looking into API Access Management, you need to contact developers@okta.com to have that feature enabled for you (as Sohaib suggested). This will expose the public keys for your access tokens via the keys endpoint.
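The lookup this answer describes, written out as an added example that is not part of this thread and not Okta's or Microsoft's code: a stdlib-only Python validator that resolves the token's kid against a JWKS in the shape of the /v1/keys response above, verifies the RS256 signature with the matched key, and only then checks iss, aud and exp. The RSA key generation, the PKCS#1 v1.5 signing routine, the RFC 7638 thumbprint used as kid, and the sample claims are constructed here purely so the example runs offline; a real API fetches the JWKS from its authority's keys URL and never holds the private key. The issuer and audience strings are the ones from the question, and the kid-missing branch is the same condition that produced IDX10501 there.

```python
"""Added example: resolve a JWT signing key from a JWKS by 'kid', verify RS256, check claims."""
import base64
import hashlib
import hmac
import json
import math
import random
import time


class TokenValidationError(Exception):
    """Raised for any reason a bearer token must be rejected."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_to_int(s: str) -> int:
    return int.from_bytes(b64url_decode(s), "big")


def int_to_b64url(n: int) -> str:
    return b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))


# --- test-only RSA key generation (Miller-Rabin); exists only to mint a demo token ---
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits: int = 1024):
    """Return (n, e, d). Unhardened and too small for production; demo use only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")


def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))


def jwk_from_public_key(n: int, e: int) -> dict:
    """Public JWK in the shape of the /v1/keys entries; kid is the RFC 7638 thumbprint (an assumption, not Okta's scheme)."""
    n_b64, e_b64 = int_to_b64url(n), int_to_b64url(e)
    canonical = json.dumps({"e": e_b64, "kty": "RSA", "n": n_b64}, separators=(",", ":"))
    kid = b64url_encode(hashlib.sha256(canonical.encode()).digest())
    return {"alg": "RS256", "e": e_b64, "n": n_b64, "kid": kid, "kty": "RSA", "use": "sig"}


def mint_token(claims: dict, n: int, d: int, kid: str) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))


def validate_token(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Same order as the JwtBearer handler: kid lookup, signature, then iss/aud/exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise TokenValidationError(f"unsupported alg {header.get('alg')!r}")
    kid = header.get("kid")
    key = next((k for k in jwks["keys"] if k.get("kid") == kid and k.get("kty") == "RSA"), None)
    if key is None:  # the IDX10501 case: the token's kid is absent from the keys response
        raise TokenValidationError(f"no signing key matches kid {kid!r}")
    if not rs256_verify(f"{h}.{p}".encode(), b64url_decode(s), b64url_to_int(key["n"]), b64url_to_int(key["e"])):
        raise TokenValidationError("signature invalid")
    claims = json.loads(b64url_decode(p))  # claims are trusted only after the signature passes
    if claims.get("iss") != issuer:
        raise TokenValidationError(f"issuer {claims.get('iss')!r} not trusted")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError(f"audience {aud!r} does not include {audience!r}")
    if now >= claims.get("exp", 0):
        raise TokenValidationError("token expired")
    return claims


def demo() -> dict:
    """Mint a token under one key, then validate it against JWKS/audience combinations (constructed data)."""
    n, e, d = generate_rsa_keypair()
    jwk = jwk_from_public_key(n, e)
    iss, aud = "https://dev-606497.oktapreview.com", "http://api.azurewebsites.net"  # values from the question
    claims = {"iss": iss, "aud": aud, "sub": "user@example.com", "iat": 1481883065, "exp": 1481886665}
    token = mint_token(claims, n, d, jwk["kid"])
    out = {"valid_sub": validate_token(token, {"keys": [jwk]}, iss, aud, now=1481883100)["sub"]}
    other = jwk_from_public_key(*generate_rsa_keypair()[:2])  # a JWKS that does not contain the token's kid
    for name, jwks, expected_aud in (("kid_missing", {"keys": [other]}, aud), ("wrong_aud", {"keys": [jwk]}, iss)):
        try:
            validate_token(token, jwks, iss, expected_aud, now=1481883100)
        except TokenValidationError as exc:
            out[name] = str(exc)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "wrong_aud" case in demo() is worth comparing with the question's own configuration: JwtBearerOptions there sets Audience = "http://api.azurewebsites.net", while the logged token carries aud equal to the issuer URL, so even once the signing key is found, an audience check with those values still rejects that token unless the two are brought into line.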