问题
I have an web application that is using OpenId Connect. I created a self signed certificate but it is still not signed by a CA. How can I ignore the signature validation?
This is what I have so far:
SecurityToken validatedToken = null;
var tokenHandler = new JwtSecurityTokenHandler {
Configuration = new SecurityTokenHandlerConfiguration {
CertificateValidator = X509CertificateValidator.None
},
};
TokenValidationParameters validationParams =
new TokenValidationParameters()
{
ValidAudience = ConfigurationManager.AppSettings["Audience"],
ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
AudienceValidator = AudienceValidator,
ValidateAudience = true,
ValidateIssuer = true
};
return tokenHandler.ValidateToken(jwtToken, validationParams, out validatedToken);
It throws the following exception:
IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier\r\n (\r\n
IsReadOnly = False,\r\n Count = 1,\r\n Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause\r\n
)\r\n', \ntoken: '{\"typ\":\"JWT\",\"alg\":\"RS256\",\"kid\":\"issuer_rsaKey\"}.{\"iss\":...
回答1:
Don't ignore the signature, this is dangerous!
Even if you use a self-signed certificate, you will be able to use the public key for signature validation.
Since you are using OpenId Connect, you should be able to get the public key for your signing certificate by heading over to /.well-known/jwks.
Then you can setup your validation parameters like this:
var certificate = new X509Certificate2(Convert.FromBase64String(yourPublicKeyGoesHere));
var validationParameters = new TokenValidationParameters {
IssuerSigningTokens = new[] { new X509SecurityToken(certificate) }
};
After that, you can call ValidateToken:
SecurityToken token;
var claimsPrincipal = handler.ValidateToken(encodedToken, validationParameters, out token);
You really want to ignore the signature?
Remember, if you do, how do you know someone didn't tamper with the data inside the token? You could easily decode the base64 url encoded payload and change the subject. And if you rely on that in your application, you'll be in trouble (hint: someone accessing someone else data)
You REALLY, REALLY want to ignore it?
You can use ReadToken and just skip every validation there is:
var badJwt = new JwtSecurityTokenHandler()
.ReadToken(encodedMaliciousToken) as JwtSecurityToken;
DON'T do that though, it's bad practice.
来源:https://stackoverflow.com/questions/26892788/ignoring-signature-in-jwt