4

I would like to validate a JWT access token from Okta in bearer header on my API, but the validation always fails giving the error below:

2016-12-16 10:12:30.451 +00:00 [Information] Failed to validate the token "eyJhbGciOiJSUzI1NiIsImtpZCI6Il95EVnTTc3MkRHSFdtV19ETDNJYUUyNlUifQ.eFULi1ET2htZFhUalFmcmV5bHdaZkI5aFVobFJ5VlRTenRvRTc1cHVSNUYwUlEiLCJpc3MiOLCJjaWQiOiJZTFpSUUZoWEY1RlpTd2xrbDlwVCIsInVpZCI6IjAwdTkxYXdpZmthZzZYcFE5MGg3Iiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiXX0.K50-cdNI1_m1GLglguCvpiinhxKYNwy0ieAABP7lfO2briaT29mzPeQx07a8F_CyJtQbEtOsPkYviCSK309m8n70WoM51B7FxYTebAxIvWZNrdB_Nsid4YrQHoOoM5b54Fzr4FE-7510TJxvKPg8lWViTQG5cfijE6AL-JXuPYlmdikByZbLwg57P4sUBWByF-pTcRqE2l03VOdkyQOJJ4v22jSUSgKFSYdaXH4ufFt2iTv_sbnNTTtXz4tKLLgfzsKZuxo7-N6-QB7Zuhn7g".
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': '_yomDqFziFzjpiI-OZmeDEgM772DGHWmW_DL3IaE26U', 
token: '{"alg":"RS256","typ":"JWT","kid":"_yomDqFziFzjpiI-OZmeDEgM772DGHWmW_DL3IaE26U"}.{"ver":1,"jti":"AT.-DOhmdXTjQfreylwZfB9hUhlRyVTSztoE75puR5F0RQ","iss":"https://dev-606497.oktapreview.com","aud":"https://dev-606497.oktapreview.com","sub":"myemail@email.com","iat":1481883065,"exp":1481886665,"cid":"YLZRQFhXF5FZSwlkl9pT","uid":"00u91awifkag6XpQ90h7","scp":["openid","profile"]}'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()

I'm wondering if the reason could be, that the public key 'kid' in token is different than the public key in Keys endpoint on Okta?

{"keys": [{"alg": "RS256","e": "AQAB","n": "wtkBXocJLBE-ArN56pLzSiR3x2w99R2d_rlCpFN__3k1I6P0vcfE4SKwoafzucaG-kEwy9pn4p49z0O24UHX0NmdxOMhyFmJsfss0tK0AkBhXB-e9kk5r316ePRtb7eo8uAnjNP7w2T6sSqwdppw7I8NQa4KrFIYFVDx4xDcYMfnGrKjKFdghxSpG2dP7vcQsjJHkMyEHYj7nTTyplReX21_Et2F5zHqvqQZ1JRuL_Ol-JrSEeM0Hznpb7kpggnFUA_xnzcR4AhT5P2WNNNenlfurjM_AN1ymV8DT04Tx7tp6G60N1AkDw4t4Q0LfuevQ","kid": "gtUiz-YdlCSRpr0Ue7LRuEtqgVqRmDWpe5ZuvBaWgVk","kty": "RSA","use": "sig"}]}

This is the setup on WebAPI:

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
    Audience = "http://api.azurewebsites.net",
    Authority = "https://dev-606497.oktapreview.com"
});
4

2 回答 2

1

为了通过公钥 url 获取访问令牌的密钥,需要为您的 Okta 组织启用一些功能。请发送电子邮件至developers@okta.com

于 2016-12-20T17:34:22.337 回答
1

你是对的 -孩子与公钥不同 - 它是从 Keys 响应中标识要​​使用哪个公钥的密钥 ID 。如果我们查看v1/keys的响应示例:

"keys": [
  {
    "alg": "RS256",
    "e": "AQAB",
    "n": "iKqiD4cr7FZKm6f05K4r-GQOvjRqjOeFmOho9V7SAXYwCyJluaGBLVvDWO1XlduPLOrsG_Wgs67SOG5qeLPR8T1zDK4bfJAo1Tvbw
          YeTwVSfd_0mzRq8WaVc_2JtEK7J-4Z0MdVm_dJmcMHVfDziCRohSZthN__WM2NwGnbewWnla0wpEsU3QMZ05_OxvbBdQZaDUsNSx4
          6is29eCdYwhkAfFd_cFRq3DixLEYUsRwmOqwABwwDjBTNvgZOomrtD8BRFWSTlwsbrNZtJMYU33wuLO9ynFkZnY6qRKVHr3YToIrq
          NBXw0RWCheTouQ-snfAB6wcE2WDN3N5z760ejqQ",
    "kid": "U5R8cHbGw445Qbq8zVO1PcCpXL8yG6IcovVa3laCoxM",
    "kty": "RSA",
    "use": "sig"
  },
  ... more
]

我们可以看到有一个child属性 - 如果您手动执行此操作,则必须遍历键以在您的 /token 响应中找到与孩子匹配的键,并在您的 JWT 验证中使用它。

在 ASP.net 中有几个示例演示了此验证流程 - 例如,这是授权代码流程示例中的相关代码

查看我们的验证访问令牌文档以更全面地了解流程也可能会有所帮助。

更新:刚刚注意到您尝试查找的孩子不在密钥响应中 - 这是为通过 OIDC 返回的访问令牌设计的(它们是不透明的)。这里有几个选项:

  1. 如果是 OpenId Connect,则必须通过/userinfo 端点验证返回的访问令牌
  2. 或者,如果您正在研究API Access Management,您需要联系 developers@okta.com 为您打开该功能(如 Sohaib 建议的那样)。这将通过密钥端点公开访问令牌的公钥。
于 2016-12-20T21:42:33.683 回答