Question
I am working on a project to use the Katana OpenID Connect middleware to authenticate with a third party (OpenAM) provider. The provider is signing the JWT with hmac-sha256. When the OpenID middleware is validating the JWT via a call to ValidateToken it is throwing the following exception:
{"IDX10503: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey\r\n'.\nExceptions caught:\n 'System.InvalidOperationException: IDX10618: AsymmetricSecurityKey.GetHashAlgorithmForSignature( ... ) threw an exception.\nAsymmetricSecurityKey: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'\nSignatureAlgorithm: ...hmac-sha256', check to make sure the SignatureAlgorithm is supported.\nException: 'System.NotSupportedException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' not supported in this context.\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetHashAlgorithmForSignature(String algorithm)\r\n at ......
What am I missing or does the default SecurityTokenHandler really not support that algorithm?
Thanks,
Gordon
Answer 1:
I'm not familiar with Katana, but to me it looks like the wrong code path is triggered: the exception complains about an asymmetric security key, but the hmac-sha256 algorithm is based on a symmetric key (i.e. the client secret).
Also note that you need a relatively recent version of OpenAM because it contained an HMAC-related bug before: https://bugster.forgerock.org/jira/browse/CAF-112; something at least more recent than OpenAM-12.0.0-SNAPSHOT_20140417.
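The mismatch the answer describes (an X509AsymmetricSecurityKey handed to a token whose header says HMAC-SHA256) can be reproduced and then resolved outside the middleware with the same System.IdentityModel.Tokens.Jwt handler Katana uses. The following console program is an added example, not code from the question, the answer, or the Katana project: it mints an HS256 token with a symmetric key, shows ValidateToken rejecting it when an X.509 key is supplied, and shows it succeeding when the client secret is wrapped in InMemorySymmetricSecurityKey. The issuer, audience, secret and certificate path are placeholders, and it assumes that the same TokenValidationParameters object is what you would assign to OpenIdConnectAuthenticationOptions.TokenValidationParameters in your Startup.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class HmacJwtValidationDemo
{
    // Placeholder values: replace with the OpenAM issuer, your client id and client secret.
    const string Issuer = "https://openam.example.invalid/openam/oauth2";
    const string Audience = "my-client-id";
    const string ClientSecret = "placeholder-client-secret-use-at-least-32-bytes!!";

    static void Main()
    {
        var handler = new JwtSecurityTokenHandler();

        // HS256 keys are symmetric: the same client secret signs and verifies.
        // Keep the secret long enough for the handler's minimum symmetric key size.
        var hmacKey = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes(ClientSecret));

        // Mint a token the way the provider would, signed with
        // "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256" (the URI in the exception).
        var descriptor = new SecurityTokenDescriptor
        {
            TokenIssuerName = Issuer,
            AppliesToAddress = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "gordon") }),
            Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5)),
            SigningCredentials = new SigningCredentials(
                hmacKey,
                SecurityAlgorithms.HmacSha256Signature,
                SecurityAlgorithms.Sha256Digest)
        };
        string jwt = handler.WriteToken(handler.CreateToken(descriptor));

        // 1) The failing path: an X.509 (asymmetric) key cannot verify an HMAC signature,
        //    which is exactly the IDX10503 / IDX10618 combination from the question.
        var x509Parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            // Placeholder certificate; any X.509 key reproduces the key-type mismatch.
            IssuerSigningKey = new X509AsymmetricSecurityKey(
                new X509Certificate2(@"C:\placeholder\some-cert.cer"))
        };
        TryValidate(handler, jwt, x509Parameters, "X509AsymmetricSecurityKey");

        // 2) The working path: give the handler the symmetric key the token was signed with.
        //    This TokenValidationParameters is what you would assign to
        //    OpenIdConnectAuthenticationOptions.TokenValidationParameters.
        var hmacParameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = hmacKey
        };
        TryValidate(handler, jwt, hmacParameters, "InMemorySymmetricSecurityKey");
    }

    static void TryValidate(JwtSecurityTokenHandler handler, string jwt,
                            TokenValidationParameters parameters, string keyKind)
    {
        try
        {
            SecurityToken validated;
            ClaimsPrincipal principal = handler.ValidateToken(jwt, parameters, out validated);
            Console.WriteLine("{0}: validated, sub={1}", keyKind,
                principal.FindFirst("sub") == null ? "<none>" : principal.FindFirst("sub").Value);
        }
        catch (SecurityTokenValidationException ex)
        {
            // Expected for the X.509 case: the message names the key type and the HMAC URI.
            Console.WriteLine("{0}: rejected: {1}", keyKind, ex.Message);
        }
    }
}
```

The point to check in a real deployment is which key object ends up in TokenValidationParameters when the middleware runs: if the keys it is holding are all X509AsymmetricSecurityKey instances while the token header says HS256, validation will fail before any signature bytes are compared, regardless of whether the secret is correct.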
Source: https://stackoverflow.com/questions/26808362/validating-jwt-signed-with-hmac-sh256