忽略 JWT 中的签名

Ignoring signature in JWT(忽略 JWT 中的签名)
本文介绍了忽略 JWT 中的签名的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

我有一个使用 OpenId Connect 的 Web 应用程序.我创建了一个自签名证书,但它仍未由 CA 签名.如何忽略签名验证?

I have an web application that is using OpenId Connect. I created a self signed certificate but it is still not signed by a CA. How can I ignore the signature validation?

这是我目前所拥有的:

SecurityToken validatedToken = null;

var tokenHandler = new JwtSecurityTokenHandler {
    Configuration = new SecurityTokenHandlerConfiguration {
        CertificateValidator = X509CertificateValidator.None
    },
};

TokenValidationParameters validationParams =
    new TokenValidationParameters()
    {
        ValidAudience = ConfigurationManager.AppSettings["Audience"],
        ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
        AudienceValidator = AudienceValidator,
        ValidateAudience = true,
        ValidateIssuer = true
    };

return tokenHandler.ValidateToken(jwtToken, validationParams, out validatedToken);

它会抛出以下异常:

IDX10500:签名验证失败.无法解决SecurityKeyIdentifier: 'SecurityKeyIdentifier (
IsReadOnly = False, 计数 = 1, 子句[0] =System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ', 令牌:'{"typ":"JWT","alg":"RS256","kid":"issuer_rsaKey"}.{"iss":...

IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier (
IsReadOnly = False, Count = 1, Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ', token: '{"typ":"JWT","alg":"RS256","kid":"issuer_rsaKey"}.{"iss":...

推荐答案

不要忽略签名,这很危险!

即使您使用自签名证书,您也可以使用公钥进行签名验证.

Even if you use a self-signed certificate, you will be able to use the public key for signature validation.

由于您使用的是 OpenId Connect,因此您应该能够通过前往 /.well-known/jwks 获取签名证书的公钥.

Since you are using OpenId Connect, you should be able to get the public key for your signing certificate by heading over to /.well-known/jwks.

然后您可以像这样设置验证参数:

Then you can setup your validation parameters like this:

var certificate = new X509Certificate2(Convert.FromBase64String(yourPublicKeyGoesHere));

var validationParameters = new TokenValidationParameters { 
    IssuerSigningTokens = new[] { new X509SecurityToken(certificate) }  
};

之后,你可以调用ValidateToken:

SecurityToken token;
var claimsPrincipal = handler.ValidateToken(encodedToken, validationParameters, out token);

您真的要忽略签名吗?

记住,如果你这样做了,你怎么知道有人没有篡改令牌内的数据?您可以轻松解码 base64 url 编码的有效负载并更改主题.如果您在应用程序中依赖它,您将遇到麻烦(提示:有人访问其他人的数据)

Remember, if you do, how do you know someone didn't tamper with the data inside the token? You could easily decode the base64 url encoded payload and change the subject. And if you rely on that in your application, you'll be in trouble (hint: someone accessing someone else data)

你真的,真的想忽略它吗?

您可以使用 ReadToken 并跳过所有验证:

You can use ReadToken and just skip every validation there is:

var badJwt = new JwtSecurityTokenHandler()
                 .ReadToken(encodedMaliciousToken) as JwtSecurityToken;

不要这样做,这是不好的做法.

这篇关于忽略 JWT 中的签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!

相关文档推荐

Custom Error Queue Name when using EasyNetQ for RabbitMQ?(使用 EasyNetQ for RabbitMQ 时自定义错误队列名称?)
How to generate password_hash for RabbitMQ Management HTTP API(如何为 RabbitMQ 管理 HTTP API 生成密码哈希)
Rabbitmq Ack or Nack, leaving messages on the queue(Rabbitmq Ack 或 Nack,将消息留在队列中)
Wait for a single RabbitMQ message with a timeout(等待一条带有超时的 RabbitMQ 消息)
Setup RabbitMQ consumer in ASP.NET Core application(在 ASP.NET Core 应用程序中设置 RabbitMQ 消费者)
Specify Publish timeouts in mass transit(指定公共交通中的发布超时)