Ignoring signature in JWT


Question

I have a web application that is using OpenId Connect. I created a self signed certificate but it is still not signed by a CA. How can I ignore the signature validation?

This is what I have so far:

SecurityToken validatedToken = null;

// Handler configured to skip X.509 chain validation of the signing certificate
var tokenHandler = new JwtSecurityTokenHandler {
    Configuration = new SecurityTokenHandlerConfiguration {
        CertificateValidator = X509CertificateValidator.None
    },
};

// Issuer and audience are checked, but no signing key is supplied,
// so the handler has nothing to verify the signature against
TokenValidationParameters validationParams =
    new TokenValidationParameters()
    {
        ValidAudience = ConfigurationManager.AppSettings["Audience"],
        ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
        AudienceValidator = AudienceValidator,
        ValidateAudience = true,
        ValidateIssuer = true
    };

return tokenHandler.ValidateToken(jwtToken, validationParams, out validatedToken);

It throws the following exception:


IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier (
IsReadOnly = False, Count = 1, Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ', token: '{"typ":"JWT","alg":"RS256","kid":"issuer_rsaKey"}.{"iss":...

Accepted answer

Don't ignore the signature, it's dangerous!

Even if you use a self-signed certificate, you will be able to use the public key for signature validation.

Since you are using OpenId Connect, you should be able to get the public key for your signing certificate by heading over to /.well-known/jwks.

Then you can set up your validation parameters like this:

var certificate = new X509Certificate2(Convert.FromBase64String(yourPublicKeyGoesHere));

var validationParameters = new TokenValidationParameters { 
    IssuerSigningTokens = new[] { new X509SecurityToken(certificate) }  
};

After that, you can call ValidateToken:

SecurityToken token;
var claimsPrincipal = handler.ValidateToken(encodedToken, validationParameters, out token);

Do you really want to ignore the signature?

Remember, if you do, how do you know someone didn't tamper with the data inside the token? You could easily decode the base64url-encoded payload and change the subject. And if you rely on that in your application, you'll be in trouble (hint: someone accessing someone else's data).

Do you really, really want to ignore it?

You can use ReadToken and just skip every validation there is:

var badJwt = new JwtSecurityTokenHandler()
                 .ReadToken(encodedMaliciousToken) as JwtSecurityToken;

Don't do that, it's bad practice.
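The JWKS-based validation the answer recommends, worked through as an added example (not code from the question or the answer): it uses the newer Microsoft.IdentityModel.Tokens / System.IdentityModel.Tokens.Jwt API (JsonWebKeySet, IssuerSigningKeys) rather than the older IssuerSigningTokens property shown above, and assumes the JWKS JSON document has already been fetched from the issuer's /.well-known/jwks endpoint.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;   // NuGet: System.IdentityModel.Tokens.Jwt
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;     // NuGet: Microsoft.IdentityModel.Tokens

public static class JwtValidator
{
    // Validates an RS256 token against the issuer's published keys instead of skipping the signature.
    // jwksJson is the body of the issuer's /.well-known/jwks document (assumed fetched beforehand);
    // the self-signed certificate's public key is in there, so no CA chain is needed.
    public static ClaimsPrincipal Validate(string encodedToken, string jwksJson,
                                           string issuer, string audience)
    {
        var jwks = new JsonWebKeySet(jwksJson);

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            // Keys are matched to the token's "kid" header; the kid in the question
            // ("issuer_rsaKey") must appear in the JWKS or validation fails.
            IssuerSigningKeys = jwks.GetSigningKeys(),
            // Pin the expected algorithm so a token carrying any other "alg" is refused.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
        };

        var handler = new JwtSecurityTokenHandler();
        try
        {
            return handler.ValidateToken(encodedToken, parameters, out SecurityToken _);
        }
        catch (SecurityTokenSignatureKeyNotFoundException ex)
        {
            // No JWKS key matches the token's kid: refresh the JWKS (key rotation) or reject.
            throw new UnauthorizedAccessException("No signing key found for this token's kid", ex);
        }
        catch (SecurityTokenInvalidSignatureException ex)
        {
            // The payload (for example the "sub" claim) was altered after signing: reject.
            throw new UnauthorizedAccessException("Token signature does not verify", ex);
        }
    }
}
```

A token that ReadToken would happily parse is rejected here with SecurityTokenInvalidSignatureException as soon as one byte of the payload differs from what the issuer signed.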
