How are Microsoft account JWT authentication tokens signed?

Submitted by 夙愿已清 on 2019-12-10 17:22:16

Question


In my web application I need to validate the JWT authentication tokens which I get from Live SDK 5.6. A while ago the signature of those tokens was an HMACSHA256 hash of the base64-encoded header+payload using a signing key which was the app secret (from account.live.com/developers/applications) + "JWTSig". It seems that is not the case now.

Does anyone know how those tokens are signed now?

Sorry for my English.


Answer 1:


The best way to do this is to get the JWT token returned from Azure Mobile Services and validate it was signed using the same master key from AMS. There is a project on GitHub that shows how to do this:

JWT Validator

This was basically a derivative of another GitHub project that has the original ASP.NET sample here:

AuthenticationTokenSample

The main validation occurs when calling the ValidateSignature() method, which takes the bytes of the UTF-8 representation of the JWT Claim segment and calculates an HMAC SHA-256 MAC on them using the shared key from Azure Mobile Services. If the JWT Crypto Segment and the previously calculated value match, then one has confirmation that the key was used to generate the HMAC on the JWT and that the contents of the JWT Claim Segment have not been tampered with.

The one main thing I found is to remove the "JWTSig" string from being appended to the master key in the ValidateSignature() method. It appears the tokens being signed no longer append that string to the master key from AMS. I had all sorts of trouble getting the validation to pass until I removed that segment.


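As an added example (not the linked project's code), the check the answer describes in Python: recompute HMAC-SHA256 over the UTF-8 bytes of the header and claim segments with the master key and compare it to the crypto segment in constant time. The `suffix` parameter is hypothetical and only exists so the old key+"JWTSig" convention can be compared against the current plain-key one; the master key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct a sample token."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    mac = hmac.new(key, signing_input.encode("utf-8"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_signature(token: str, master_key: str, suffix: str = "") -> bool:
    """Recompute HMAC-SHA256 over the UTF-8 bytes of header.payload and compare.

    `suffix` (hypothetical parameter) is appended to the master key before
    keying the HMAC; the answer reports it used to be "JWTSig" and is now empty.
    """
    try:
        header_b64, payload_b64, crypto_b64 = token.split(".")
    except ValueError:
        return False  # not a three-segment compact JWT
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # refuse "none" or any algorithm other than the expected one
    key = (master_key + suffix).encode("utf-8")
    signing_input = f"{header_b64}.{payload_b64}".encode("utf-8")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # constant-time compare so timing does not reveal how many bytes matched
    return hmac.compare_digest(expected, b64url_decode(crypto_b64))


# Constructed sample: hypothetical master key and claims, not real credentials.
MASTER_KEY = "example-master-key-not-real"
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                          {"uid": "user123", "exp": 1700000000},
                          MASTER_KEY.encode("utf-8"))
```

Validating the sample token with the plain master key succeeds, while keying with master key + "JWTSig" fails, which is exactly the mismatch the answer ran into.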

Source: https://stackoverflow.com/questions/25437578/how-are-microsoft-account-jwt-authentication-tokens-signed
