asp.net-mvc - 与 JWT 身份验证相关的 AsymmetricSignatureProvider 的 TypeLoadException

Question

我有一个 ASP.NET 5 / Core RC1 MVC(WebApi) 应用程序，它与 auth0 交互，以使用 JWT 令牌进行承载身份验证。应用程序dnx451用作框架（不是 CoreCLR，因为依赖项不受支持）。

在 Windows 上运行该应用程序时，它运行良好。但是我想在 Ubuntu 上使用 Mono 作为运行时来运行它dnx451。在那里，应用程序运行，但只要我向它发出请求，它就会返回Internal Server Error 500.

日志输出：

info: Microsoft.AspNet.Hosting.Internal.HostingEngine[3]
      Request finished in 0.0006ms 500
fail: Microsoft.AspNet.Server.Kestrel[13]
      An unhandled exception was thrown by the application.
      System.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.X509SecurityKey , KeyId: MTZBREFEQ0M5NUQ2RDY3RDkzM0E0RDYwMDdCM0I4QUY1MDc3RUNDNA
      '.
      Exceptions caught:
       'System.TypeLoadException: Could not load type 'System.IdentityModel.Tokens.AsymmetricSignatureProvider' from assembly 'System.IdentityModel.Tokens, Version=5.0.0.112, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.
        at System.IdentityModel.Tokens.SignatureProviderFactory.CreateForVerifying (System.IdentityModel.Tokens.SecurityKey key, System.String algorithm) <0x4067def0 + 0x0001b> in <filename unknown>:0
        at System.IdentityModel.Tokens.X509SecurityKey.GetSignatureProvider (System.String algorithm, Boolean verifyOnly) <0x4067de30 + 0x00057> in <filename unknown>:0
        at System.IdentityModel.Tokens.SecurityKey.GetSignatureProviderForValidating (System.String algorithm) <0x4067de00 + 0x0001a> in <filename unknown>:0
        at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature (System.Byte[] encodedBytes, System.Byte[] signature, System.IdentityModel.Tokens.SecurityKey key, System.String algorithm) <0x4067dcb0 + 0x0003f> in <filename unknown>:0
        at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature (System.String token, System.IdentityModel.Tokens.TokenValidationParameters validationParameters) <0x40679070 + 0x004b3> in <filename unknown>:0
      '.
      token: '{"alg":"RS256","typ":"JWT","kid":"MTZBREFEQ0M5NUQ2RDY3RDkzM0E0RDYwMDdCM0I4QUY1MDc3RUNDNA"}.{"iss":"**********","sub":"*****************","aud":"****************","exp":1464737848,"iat":1464701848}'
        at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature (System.String token, System.IdentityModel.Tokens.TokenValidationParameters validationParameters) <0x40679070 + 0x0096b> in <filename unknown>:0
        at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken (System.String token, System.IdentityModel.Tokens.TokenValidationParameters validationParameters, System.IdentityModel.Tokens.SecurityToken& validatedToken) <0x406782f0 + 0x0021d> in <filename unknown>:0
        at Microsoft.AspNet.Authentication.JwtBearer.JwtBearerHandler+<HandleAuthenticateAsync>d__1.MoveNext () <0x41f5bcf0 + 0x011c4> in <filename unknown>:0

这是与 Mono/ASP.NET 5 普遍不兼容还是有什么可做的？

Answer 1

问题的发生只是因为AsymmetricSignatureProvider有 Windows 编组并且即使您使用的是SymmetricSecurityKey. 如果您乐于使用，SymmetricSecurityKey这里有一个解决方法：

signingKey.CryptoProviderFactory = new MonoFriendlyCryptoProviderFactory(_LoggerFactory.CreateLogger<MonoFriendlyCryptoProviderFactory>());


public class MonoFriendlyCryptoProviderFactory : CryptoProviderFactory
{
    private readonly ILogger _Logger;

    public MonoFriendlyCryptoProviderFactory(ILogger logger)
    {
        _Logger = logger;
    }

    public override SignatureProvider CreateForSigning(SecurityKey key, string algorithm)
    {
        return CreateProvider(key, algorithm, true);
    }

    public override SignatureProvider CreateForVerifying(SecurityKey key, string algorithm)
    {
        return CreateProvider(key, algorithm, false);
    }

    private SignatureProvider CreateProvider(SecurityKey key, string algorithm, bool willCreateSignatures)
    {
        _Logger?.LogDebug($"Creating {algorithm} provider for {key.KeyId} for {(willCreateSignatures ? "signing" : "verifying")}");
        if (key == null)
            throw new ArgumentNullException(nameof(key));
        if (string.IsNullOrWhiteSpace(algorithm))
            throw new ArgumentNullException(nameof(algorithm));

        //AsymmetricSecurityKey asymmetricSecurityKey = key as AsymmetricSecurityKey;
        //if (asymmetricSecurityKey != null)
        //    return new AsymmetricSignatureProvider(asymmetricSecurityKey, algorithm, willCreateSignatures, this.AsymmetricAlgorithmResolver);
        SymmetricSecurityKey symmetricSecurityKey = key as SymmetricSecurityKey;
        if (symmetricSecurityKey != null)
            return new SymmetricSignatureProvider(symmetricSecurityKey, algorithm);
        JsonWebKey jsonWebKey = key as JsonWebKey;
        if (jsonWebKey != null && jsonWebKey.Kty != null)
        {
            //if (jsonWebKey.Kty == "RSA" || jsonWebKey.Kty == "EC")
            //    return new AsymmetricSignatureProvider(key, algorithm, willCreateSignatures, this.AsymmetricAlgorithmResolver);
            if (jsonWebKey.Kty == "oct")
                return new SymmetricSignatureProvider(key, algorithm);
        }
        throw new ArgumentException($"{typeof(SignatureProvider)} supports: '{typeof(SecurityKey)}' of types: '{typeof(AsymmetricSecurityKey)}' or '{typeof(AsymmetricSecurityKey)}'. SecurityKey received was of type: '{key.GetType()}'.");
    }
}

这与 rc2 构建相同，Microsoft.IdentityModel.Tokens除了注释掉的部分，如果您不使用AsymmetricSecurityKey.

net45x是唯一的选择，因为 dnx 已被删除，并且各种驱动程序在好几个月内都不会以 coreclr 为目标。