请帮忙!我在使用Microsoft的System.IdentityModel.Tokens.Jwt库验证使用RS256签名的JWT令牌时遇到了问题 .
此令牌在JWT.io上验证正常 .
这是错误:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException IDX10503:签名验证失败 . 键尝试:'[PII隐藏]' . grab 了例外情况:'[PII隐藏]' . 令牌:'[PII隐藏]' .
这是示例代码(我使用LinqPad,使用System.IdentityModel.Tokens.Jwt v5.2.2 NuGet包):
void Main()
{
var cText =
"-----BEGIN CERTIFICATE-----\n" +
"MIIBljCCAUACCQCIDMpqK7WfWDANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJV\n" +
"UzETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UECgwJTHV4b3R0aWNhMRowGAYD\n" +
"VQQLDBFMdXhvdHRpY2EgZXllY2FyZTAeFw0xODA1MjMxNTE1MjdaFw0yODA1MjAx\n" +
"NTE1MjdaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYD\n" +
"VQQKDAlMdXhvdHRpY2ExGjAYBgNVBAsMEUx1eG90dGljYSBleWVjYXJlMFwwDQYJ\n" +
"KoZIhvcNAQEBBQADSwAwSAJBAKuMYcirPj81WBtMituJJenF0CG/HYLcAUOtWKl1\n" +
"HchC0dM8VRRBI/HV+nZcweXzpjhX8ySa9s7kJneP0cuJiU8CAwEAATANBgkqhkiG\n" +
"9w0BAQsFAANBAKEM8wQwlqKgkfqnNFcbsZM0RUxS+eWR9LvycGuMN7aL9M6GOmfp\n" +
"QmF4MH4uvkaiZenqCkhDkyi4Cy81tz453tQ=\n" +
"-----END CERTIFICATE-----";
var c = new X509Certificate2(Encoding.ASCII.GetBytes(cText));
var p = new TokenValidationParameters();
p.IssuerSigningKeyResolver = (s, securityToken, identifier, parameters)
=> new[] { new X509SecurityKey(c) };
var h = new JwtSecurityTokenHandler();
var token = @"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJuLmNoaWVmZm8iLCJleHAiOjE1MjcyMzg4ODEsImlzcyI6Imx1eCJ9.BAaYzLwokmdKqLi6zKjGIpDXd__dZxi5PUWWHS3PSLPDYAInzPbEK8o4WxunoGD7eA0qtQNaxNpzeOc3BHrd4w";
h.ValidateToken(token, p, out SecurityToken _);
}
最后,我也很高兴知道如何删除[PII隐藏],以便我可以看到有关错误的更多细节 . 在app.config或甚至machine.config文件中将enableLoggingKnownPii和logKnownPII设置为true似乎没有什么区别 .
1 回答
事实证明,X509SecurityKey的KeySize需要至少1024个长度才能进行验证 . 这个例外并不明显,因为它隐藏了[PII is hidden]过滤器 .
添加以下行使异常文本更有用:
新的例外文本:
将不对称键的长度增加到1024解决了这个问题 .