OAuth bearer token authentication is not passing signature validation

I am getting the following error on the token consumer. Any help resolving this would be very much appreciated. Thanks.


"IDX10503: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.SymmetricSecurityKey'. Exceptions caught: 'System.InvalidOperationException: IDX10636: SignatureProviderFactory.CreateForVerifying returned null for key: 'System.IdentityModel.Tokens.SymmetricSecurityKey', signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256'. at Microsoft.IdentityModel.Logging.LogHelper.Throw(String message, Type exceptionType, EventLevel logLevel, Exception innerException) at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm) at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)'. token: 'token info here'"

Token generation code on the OAuth server

    // Fragment of the token-issuing method; needs System.IdentityModel.Tokens and
    // System.Security.Cryptography. jwtOnTheWire is the value returned to the caller.
    string jwtOnTheWire;
    using (var ctlr = new EntityController())
    {
        var authRepo = ctlr.GetAuthModelRepository();
        string clientId;
        ticket.Properties.Dictionary.TryGetValue(WebConstants.OwinContextProps.OAuthClientIdPropertyKey, out clientId);
        if (string.IsNullOrWhiteSpace(clientId))
        {
            throw new InvalidOperationException("AuthenticationTicket.Properties does not include audience");
        }

        // audience record
        var client = authRepo.FindAuthClientByOAuthClientID(clientId);
        var issued = ticket.Properties.IssuedUtc;
        var expires = ticket.Properties.ExpiresUtc;

        // Key bytes are the base64-decoded client secret; the consumer must derive the same bytes
        var hmac = new HMACSHA256(Convert.FromBase64String(client.Secret));
        var signingCredentials = new SigningCredentials(
            new InMemorySymmetricSecurityKey(hmac.Key),
            SecurityAlgorithms.HmacSha256Signature,
            SecurityAlgorithms.Sha256Digest);

        // Validate the freshly issued token with the same key before handing it out
        TokenValidationParameters validationParams = new TokenValidationParameters()
        {
            ValidAudience = clientId,
            ValidIssuer = _issuer,
            ValidateLifetime = true,
            ValidateAudience = true,
            ValidateIssuer = true,
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningToken = new BinarySecretSecurityToken(hmac.Key)
        };

        var jwtHandler = new JwtSecurityTokenHandler();
        var jwt = new JwtSecurityToken(
            _issuer,
            clientId,
            ticket.Identity.Claims,
            issued.Value.UtcDateTime,
            expires.Value.UtcDateTime,
            signingCredentials);
        jwtOnTheWire = jwtHandler.WriteToken(jwt);

        SecurityToken validatedToken = null;
        jwtHandler.ValidateToken(jwtOnTheWire, validationParams, out validatedToken);
        if (validatedToken == null)
            return "token_validation_failed";
    }
    return jwtOnTheWire;

Token consumption/validation in the Owin Startup.cs of the ASP.NET 5 vNext site

    public void ConfigureServices(IServiceCollection services)
    {
        services.ConfigureOAuthBearerAuthentication(config =>
        {
            // oauth validation
            var clientSecret = "not the real secret";
            var hmac = new HMACSHA256(Convert.FromBase64String(clientSecret));
            var signingCredentials = new SigningCredentials(
                new SymmetricSecurityKey(hmac.Key),
                SecurityAlgorithms.HmacSha256Signature,
                SecurityAlgorithms.Sha256Digest);

            config.TokenValidationParameters.ValidAudience = "myappname";
            config.TokenValidationParameters.ValidIssuer = "mydomain.com";
            config.TokenValidationParameters.RequireSignedTokens = true;
            config.TokenValidationParameters.RequireExpirationTime = true;
            config.TokenValidationParameters.ValidateLifetime = true;
            config.TokenValidationParameters.ValidateIssuerSigningKey = true;
            config.TokenValidationParameters.ValidateSignature = true;
            config.TokenValidationParameters.ValidateAudience = true;
            config.TokenValidationParameters.IssuerSigningKey = signingCredentials.SigningKey;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseOAuthBearerAuthentication(config =>
        {
            config.AuthenticationScheme = "Bearer";
            config.AutomaticAuthentication = true;
        });
    }

I was able to add my own signature validation to TokenValidationParameters: I compare the incoming RawSignature of the JWT with the signature computed in the code below, and if they match the signature is valid.

Why this is not happening with the built-in signature validation is beyond me; perhaps it is a bug in beta 6 of the vNext Identity token framework.

    public void ConfigureServices(IServiceCollection services)
    {
        // Custom signature check plugged into the same ConfigureOAuthBearerAuthentication callback
        config.TokenValidationParameters.SignatureValidator = delegate (string token, TokenValidationParameters parameters)
        {
            var clientSecret = "not the real secret";
            var jwt = new JwtSecurityToken(token);
            var hmac = new HMACSHA256(Convert.FromBase64String(clientSecret));
            var signingCredentials = new SigningCredentials(
                new SymmetricSecurityKey(hmac.Key),
                SecurityAlgorithms.HmacSha256Signature,
                SecurityAlgorithms.Sha256Digest);
            var signKey = signingCredentials.SigningKey as SymmetricSecurityKey;

            // Re-sign header.payload and compare with the signature carried by the token
            var encodedData = jwt.EncodedHeader + "." + jwt.EncodedPayload;
            var compiledSignature = Encode(encodedData, signKey.Key);

            // Validate the incoming jwt signature against the header and payload of the token
            if (compiledSignature != jwt.RawSignature)
            {
                throw new Exception("Token signature validation failed.");
            }
            return jwt;
        };
    }

Encode helper method

    // HMAC-SHA256 over the UTF-8 input, returned as unpadded base64url (the JWS signature encoding)
    public string Encode(string input, byte[] key)
    {
        using (HMACSHA256 myhmacsha = new HMACSHA256(key))
        {
            byte[] byteArray = Encoding.UTF8.GetBytes(input);
            byte[] hashValue = myhmacsha.ComputeHash(byteArray);
            return Base64UrlEncoder.Encode(hashValue);
        }
    }
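The manual check the post describes (HMAC-SHA256 over `header.payload`, base64url-encoded, compared with the token's raw signature) as an added stand-alone Python example; this is not code from the question, and the secret, key bytes and claims are constructed. Beyond the post's own check, it pins the `alg` header and compares the raw MAC bytes in constant time, and it shows the mismatch you get when the consumer does not derive the same key bytes from the secret as the issuer.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. The .NET code derives its key bytes with
# Convert.FromBase64String(client.Secret); issuer and consumer must end up
# with exactly the same bytes or every signature check fails.
CLIENT_SECRET_B64 = base64.b64encode(b"constructed-demo-secret-32-bytes").decode()
KEY = base64.b64decode(CLIENT_SECRET_B64)


def b64url_encode(data: bytes) -> str:
    # JWS uses unpadded base64url (what Base64UrlEncoder.Encode produces in .NET)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, key: bytes) -> tuple:
    """Return (payload, "ok") on success, (None, reason) on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        provided = b64url_decode(parts[2])
    except ValueError:
        return None, "undecodable token"
    # Pin the algorithm: the consumer decides how a token is verified, not the token header
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the raw MAC bytes, not a string != on the encoded form
    if not hmac.compare_digest(expected, provided):
        return None, "signature mismatch"
    return json.loads(b64url_decode(parts[1])), "ok"
```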