我有一个发送JWT令牌端点谷歌的发布/订阅推送订阅。 端点需要验证此令牌。 从谷歌文档,我需要检查发行人,观众和签名。 这工作得很好,除了不管我添加到IssuerSigningKey(S),令牌是有效的。 我预计今年突破每当我如取出关键的一部分。
我试过各种用于IssuerSigningKey和IssuerSigningKeys不同的值。 不管是什么,我得到一个有效的响应。 例如更改域或观众参数并返回一个401未授权。
public void ConfigureServices(IServiceCollection services)
{
string domain = "https://accounts.google.com";
string audience = "theaudience";
// Just to debug/test
string signingKey = "---- - BEGIN PRIVATE KEY-----\nMIIfujHGitJ\n---- - END PRIVATE KEY-----\n";
var certificates =
this.FetchGoogleCertificates().GetAwaiter().GetResult();
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.Authority = domain;
options.Audience = audience;
options.TokenValidationParameters = new TokenValidationParameters
{
ClockSkew = TimeSpan.FromHours(48), // This is just for debugging. Maybe we do need a little clock skew if the clock in Google is not aligned with the VD system
ValidateAudience = true, // Validate the audience, this will change in production to the endpoint URL
ValidateIssuer = true, // Validate the issuer (Google). If this is wrong, we get a 500 error instead of 40x
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey)),
/* Stuff I also tried:
IssuerSigningKey = new RsaSecurityKey(new RSACryptoServiceProvider(2048))
IssuerSigningKeys = certificates.Values.Select(x => new X509SecurityKey(x)),
IssuerSigningKeyResolver = (token, securityToken, kid, validationParameters) =>
{
return certificates
.Where(x => x.Key.ToUpper() == kid.ToUpper())
.Select(x => new X509SecurityKey(x.Value));
}
*/
};
});
services.AddAuthorization();
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}
这是怎么回事吗?
