How to resolve Azure Active Directory IDX10500: Signature validation failed

Time: 2016-04-05 13:46:04

Tags: c# asp.net-web-api oauth-2.0 owin azure-active-directory

We are using Azure B2C Active Directory and trying to integrate it with a C# WebApi using the OWIN security middleware. I have a native application that lets me successfully obtain a token from AD, which I then put in a Bearer header and use in subsequent webapi calls.

I am currently running the service locally on my development machine and have enabled OAuthBearerAuthentication by following the online sample, as follows:

var jwtFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(settings.MetadataEndpoint));

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
    // This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint
    AccessTokenFormat = jwtFormat
});

I can see that my call is attempting to validate (remember, running locally), which leaves me with the following error:

An exception of type 'System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException' occurred in System.IdentityModel.Tokens.Jwt.dll but was not handled in user code
Additional information: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier

Remember that I have not set up any certificates myself, and the token that should be used for validation should presumably be validated by the OpenIdConnectCachingSecurityTokenProvider, which fetches the metadata from the AAD instance.

How do I get this working locally? Is this a problem with running locally?

Edit: here is the code from the GitHub sample that uses OpenIdConnectCachingSecurityTokenProvider:

using System.Collections.Generic;
using System.IdentityModel.Tokens;          // SecurityToken
using System.Threading;                     // ReaderWriterLockSlim
using Microsoft.IdentityModel.Protocols;    // ConfigurationManager<T>, OpenIdConnectConfiguration
using Microsoft.Owin.Security.Jwt;          // IIssuerSecurityTokenProvider

// Supplies the issuer and signing tokens to the OWIN JWT bearer middleware,
// reading them from the OpenID Connect metadata endpoint (ConfigurationManager caches the document).
public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider
{
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configManager;
    private string _issuer;
    private IEnumerable<SecurityToken> _tokens;
    private readonly string _metadataEndpoint;

    private readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();

    public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)
    {
        _metadataEndpoint = metadataEndpoint;
        _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataEndpoint);

        // Load issuer and signing tokens eagerly so the first request does not pay the fetch cost.
        RetrieveMetadata();
    }

    public string Issuer
    {
        get
        {
            RetrieveMetadata();
            _synclock.EnterReadLock();
            try
            {
                return _issuer;
            }
            finally
            {
                _synclock.ExitReadLock();
            }
        }
    }

    public IEnumerable<SecurityToken> SecurityTokens
    {
        get
        {
            RetrieveMetadata();
            _synclock.EnterReadLock();
            try
            {
                return _tokens;
            }
            finally
            {
                _synclock.ExitReadLock();
            }
        }
    }

    // Refreshes issuer and signing tokens under the write lock; GetConfigurationAsync
    // returns the cached metadata document unless its refresh interval has elapsed.
    private void RetrieveMetadata()
    {
        _synclock.EnterWriteLock();
        try
        {
            var config = _configManager.GetConfigurationAsync().Result;
            _issuer = config.Issuer;
            _tokens = config.SigningTokens;
        }
        finally
        {
            _synclock.ExitWriteLock();
        }
    }
}

This class is responsible for fetching the tokens from the metadata endpoint in Azure B2C. Note that we have not named these ourselves; they come from the B2C endpoint.
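A way to narrow down IDX10500 before changing the middleware, added here as an example that is not part of the question or the GitHub sample: it reads the kid and iss from the raw token and compares them with what ConfigurationManager<OpenIdConnectConfiguration> returns from the same metadata endpoint, so a mismatch between the token's key id and the published key set (or between the two issuers) shows up directly. It assumes the OWIN-era Microsoft.IdentityModel.Protocol.Extensions API used on this page and that each SigningToken's Id carries the JWKS kid.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols; // ConfigurationManager<T>, OpenIdConnectConfiguration

public static class SigningKeyDiagnostics
{
    // Base64url-decode one compact-JWS segment (header or payload) to its JSON text.
    private static string DecodeSegment(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Pull a string-valued member such as "kid" or "iss" out of a JSON object.
    // Assumption: the value contains no escaped quotes, which holds for kid and iss.
    private static string ReadStringMember(string json, string name)
    {
        var m = Regex.Match(json, "\"" + name + "\"\\s*:\\s*\"([^\"]*)\"");
        return m.Success ? m.Groups[1].Value : null;
    }

    // Returns true when the token's kid is among the keys published at metadataEndpoint.
    public static async Task<bool> KidIsPublishedAsync(string rawJwt, string metadataEndpoint)
    {
        var parts = rawJwt.Split('.');
        if (parts.Length != 3) throw new ArgumentException("Not a compact JWS (expected 3 segments).");

        string kid = ReadStringMember(DecodeSegment(parts[0]), "kid");
        string iss = ReadStringMember(DecodeSegment(parts[1]), "iss");

        var config = await new ConfigurationManager<OpenIdConnectConfiguration>(metadataEndpoint)
            .GetConfigurationAsync();

        // Assumption: SecurityToken.Id holds the JWKS kid for the tokens built from the metadata.
        var published = config.SigningTokens.Select(t => t.Id).ToList();

        Console.WriteLine("token kid : {0}", kid ?? "(none)");
        Console.WriteLine("token iss : {0}", iss ?? "(none)");
        Console.WriteLine("meta iss  : {0}", config.Issuer);
        Console.WriteLine("meta kids : {0}", string.Join(", ", published));

        bool found = kid != null && published.Contains(kid);
        if (!found)
            Console.WriteLine("Token kid is not in this endpoint's key set; check that the metadata endpoint " +
                              "(including its B2C policy parameter, p=...) is the one for the policy that issued the token.");
        return found;
    }
}
```

Run it with the exact MetadataEndpoint value the middleware is configured with and the Bearer token from a failing request; if the issuers differ or the kid is absent, the middleware is validating against a different policy's key set than the one that signed the token.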

0 answers