我有用于id_token和access_token的JsonWebKeys(JWK)。然后我从/token url 获得了我的id_token。如何在 C# 中使用 JWK 验证此 JWT id_token。
不用说,我已经尝试了几乎所有方法,但是(IdenityModels.Jwt等)但是JwtSecurityTokenHandler不接受JsonWebKey。我正在使用RS512作为签名算法。
我只是自己为Google IdToken验证实现了这个:
var parameters = new TokenValidationParameters
{
...
IssuerSigningKeyResolver = await keyProvider.GetIssuerSigningKeyResolverAsync(cancellationToken),
};
SecurityToken token;
var handler = new JwtSecurityTokenHandler();
var principal = handler.ValidateToken(source, parameters, out token);
其中keyProvider是:
public class GoogleOAuth2KeyProvider
{
private readonly IGoogleAuthConfiguration configuration;
private Jwk lastCertResponse;
private DateTimeOffset lastCertExpires;
public GoogleOAuth2KeyProvider(IGoogleAuthConfiguration configuration)
{
this.configuration = configuration;
}
public async Task<IssuerSigningKeyResolver> GetIssuerSigningKeyResolverAsync(CancellationToken cancellationToken)
{
await UpdateCert(cancellationToken);
var keys = lastCertResponse.Keys
.Where(key => key.Kty == "RSA" && key.Use == "sig")
.ToDictionary(key => key.Kid, StringComparer.InvariantCultureIgnoreCase);
return new IssuerSigningKeyResolver((token, securityToken, keyIdentifier, tokenValidationParameters) =>
{
foreach (var keyIdentifierClause in keyIdentifier)
{
Jwk.KeysData key;
if (!keys.TryGetValue(keyIdentifierClause.Id, out key))
{
continue;
}
var rsa = RSA.Create();
rsa.ImportParameters(new RSAParameters
{
Exponent = Base64UrlEncoder.DecodeBytes(key.E),
Modulus = Base64UrlEncoder.DecodeBytes(key.N),
});
return new RsaSecurityKey(rsa);
}
return null;
});
}
private async Task UpdateCert(CancellationToken cancellationToken)
{
if (lastCertResponse != null && DateTimeOffset.UtcNow < lastCertExpires)
{
return;
}
var initializer = new BaseClientService.Initializer
{
ApiKey = configuration.ServerApiKey,
};
using (var service = new Oauth2Service(initializer))
{
lastCertResponse = await service.GetCertForOpenIdConnect().ExecuteAsync(cancellationToken);
lastCertExpires = DateTimeOffset.UtcNow.AddHours(12);
}
}
}
RSA等只是System.Security.Cryptography,而Base64UrlEncoder来自System.IdentityModel(但很容易自己做)
不幸的是,看起来其他kty/alg值并不容易支持,例如没有ECDsa.ImportParameters(),它想要来自byte[]的泛型CngKey,所以做一个通用.NET JWK库的人将不得不打包x,y参数本身,大概。