Bearer error="invalid_token", error_description="The signature is invalid"

徘徊边缘 submitted on 2020-12-30 05:55:10

Question


I have an Angular application that requests a token from Azure. The login went well and I get a token. This token is now sent from the Angular app to a .NET Core Web API application. .NET Core should verify this token but fails. I think the Web API should also contact Azure to validate the token because it has no knowledge of the private and public key that is needed to verify the token.

At the moment it is not clear why it is failing. Both the Angular app and the Web API are running locally on my computer.

The error is: Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: 'IDX10500: Signature validation failed. No security keys were provided to validate the signature.'

My .NET Core 2 config is:

var tokenValidationParameters = new TokenValidationParameters
{
    RequireExpirationTime = true,
    RequireSignedTokens = false,
    ValidateIssuerSigningKey = true,
    ValidateIssuer = true,
    ValidIssuer = "8d708afe-2966-40b7-918c-a39551625958",
    ValidateAudience = true,
    ValidAudience = "https://sts.windows.net/a1d50521-9687-4e4d-a76d-ddd53ab0c668/",
    ValidateLifetime = false,
    ClockSkew = TimeSpan.Zero
};

services.AddAuthentication(options =>
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.Audience = "8d708afe-2966-40b7-918c-a39551625958";
    options.ClaimsIssuer = "https://sts.windows.net/a1d50521-9687-4e4d-a76d-ddd53ab0c668/";
    options.RequireHttpsMetadata = false;
    options.TokenValidationParameters = tokenValidationParameters;
    options.SaveToken = true;
});

Answer 1:


That is quite a lot of configuration you have :)

The two mandatory settings are the Audience and Authority:

services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Audience = "8d708afe-2966-40b7-918c-a39551625958";
        o.Authority = "https://login.microsoftonline.com/a1d50521-9687-4e4d-a76d-ddd53ab0c668/";
    });

You are missing the Authority, so it does not know where to load the signing public keys from.
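The following is an added example (not the asker's or either answerer's code) showing the point of this answer in a complete form: once `Authority` is set, the JWT bearer handler fetches the tenant's OpenID Connect metadata and the JWKS it points to, which supplies the signing keys that the IDX10500 error says are missing. It also puts the weak settings from the question next to the hardened values, since `RequireSignedTokens = false` and `ValidateLifetime = false` would remain a problem even after the key-discovery issue is fixed. The configuration keys `AzureAd:TenantId` and `AzureAd:ClientId`, the extension-method name, and the `api://{clientId}` audience form are assumptions for the example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

// Added example. Assumes appsettings.json carries "AzureAd:TenantId" and
// "AzureAd:ClientId" (hypothetical key names, not from the original post).
public static class AzureAdJwtBearerSetup
{
    public static IServiceCollection AddAzureAdJwtBearer(
        this IServiceCollection services, IConfiguration config)
    {
        string tenantId = config["AzureAd:TenantId"];
        string clientId = config["AzureAd:ClientId"];
        string authority = $"https://login.microsoftonline.com/{tenantId}/";
        // Issuer used in v1.0 tokens; v2.0 tokens use "{authority}v2.0".
        string v1Issuer = $"https://sts.windows.net/{tenantId}/";

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Authority makes the handler download
                // {authority}.well-known/openid-configuration and the JWKS it
                // references, so IssuerSigningKeys are resolved automatically.
                // Without it (and without IssuerSigningKey) you get IDX10500.
                options.Authority = authority;
                options.Audience = clientId;

                // Keep the default: metadata and keys must arrive over HTTPS.
                // The question set this to false; that is only acceptable for
                // a local non-HTTPS authority, never for login.microsoftonline.com.
                options.RequireHttpsMetadata = true;

                // Only persist the raw token if the API must forward it.
                options.SaveToken = false;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Question had RequireSignedTokens = false: an unsigned token
                    // is then not rejected at the signature-validation step.
                    RequireSignedTokens = true,
                    RequireExpirationTime = true,
                    ValidateIssuerSigningKey = true,

                    // Question put the client id in ValidIssuer and the issuer
                    // URL in ValidAudience; the values belong the other way round.
                    ValidateIssuer = true,
                    ValidIssuers = new[] { v1Issuer, $"{authority}v2.0" },
                    ValidateAudience = true,
                    // api://{clientId} is the default App ID URI form (assumption:
                    // only needed if the API is requested by that URI).
                    ValidAudiences = new[] { clientId, $"api://{clientId}" },

                    // Question had ValidateLifetime = false: expired tokens would
                    // be accepted indefinitely. Validate, with a small skew.
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                };

                // Log the concrete validation failure server-side; the client
                // still only sees the generic WWW-Authenticate challenge.
                options.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = ctx =>
                    {
                        var logger = ctx.HttpContext.RequestServices
                            .GetRequiredService<ILoggerFactory>()
                            .CreateLogger("JwtBearer");
                        logger.LogWarning(ctx.Exception,
                            "Bearer token rejected from {RemoteIp}",
                            ctx.HttpContext.Connection.RemoteIpAddress);
                        return Task.CompletedTask;
                    }
                };
            });

        return services;
    }
}
```

Call `services.AddAzureAdJwtBearer(Configuration);` from `ConfigureServices` and keep `app.UseAuthentication()` before the MVC/endpoint middleware. If the asker's Angular client obtains v2.0 tokens, the `aud` claim will be the client id (or the App ID URI) and the `iss` claim the `v2.0` issuer, which is why both forms are listed.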




Answer 2:


You are missing the IssuerSigningKey property in your TokenValidationParameters. That's why it's complaining.

The simplest example would be

IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("yOURsECRETkEY12345"))

I'm not sure how Azure comes into play; you probably need it to retrieve security key information, if that's your signing authority.

Edit:

Azure specific settings

.AddJwtBearer(options =>
{
    options.Authority = string.Format(
        "https://login.microsoftonline.com/tfp/{0}/{1}/v2.0/",
        Configuration["Authentication:AzureAd:Tenant"],
        Configuration["Authentication:AzureAd:Policy"]);
    options.Audience = Configuration["Authentication:AzureAd:ClientId"];
});


Source: https://stackoverflow.com/questions/48944697/bearer-error-invalid-token-error-description-the-signature-is-invalid
