我这些天一直在研究Azure AD授权代码流,并突然开始将所有内容移动到Azure AD B2C,我发现Azure AD和Azure AD B2C之间存在很多差异。有人可以在下面回答我的问题。
在Azure AD中,当我们注册Native App时,它允许http或https作为重定向URL。 Azure AD B2C不支持此功能(因为两者都遵循OAUTH规范,两者的行为应该相似)
Azure AD JWT访问令牌具有x5c条目,其中B2C没有此条目。这有什么特别的原因。我尝试从Azure AD复制公钥,并尝试将相同的签名密钥上传到B2C但这没有用。不知道我错过了什么,但我的问题是为什么这些访问令牌的签名不同。
答案 0 :(得分:1)
对于第一期,如果您需要此功能,我建议您在此处提出反馈from。
对于第二个问题,验证Azure AD B2C和普通Azure AD中的令牌是相同的。我们可以使用指数(e)和模数(n)生成公钥。 但是密钥端点不同,我们需要使用下面的链接来检索Azure AD B2C的密钥:
https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys?p={signInPolicy}
以下是验证Azure AD B2C发布的令牌供您参考的代码:
static void Main(string[] args)
{
var idtoken = "";
var exponent = "AQAB";
var modulus = "";
var result= VerifyTokenDetails(idtoken, exponent, modulus);
}
private static bool VerifyTokenDetails(string idToken, string exponent, string modulus)
{
try
{
var parts = idToken.Split('.');
var header = parts[0];
var payload = parts[1];
string signedSignature = parts[2];
//Extract user info from payload
string userInfo = Encoding.UTF8.GetString(Base64UrlDecode(payload));
//Which will be Verified
string originalMessage = string.Concat(header, ".", payload);
byte[] keyBytes = Base64UrlDecode(modulus);
string keyBase = Convert.ToBase64String(keyBytes);
string key = @"<RSAKeyValue> <Modulus>" + keyBase + "</Modulus> <Exponent>" + exponent + "</Exponent> </RSAKeyValue>";
bool result = VerifyData(originalMessage, signedSignature, key);
if (result)
return true;
else
return false;
}
catch (Exception ex) { }
return false;
}
/// <summary>
/// Verifies encrypted signed message with public key encrypted original message.
/// </summary>
/// <param name="originalMessage">Original message as string. (Encrypted form)</param>
/// <param name="signedMessage">Signed message as string. (Encrypted form)</param>
/// <param name="publicKey">Public key as XML string.</param>
/// <returns>Boolean True if successful otherwise return false.</returns>
private static bool VerifyData(string originalMessage, string signedMessage, string publicKey)
{
bool success = false;
using (var rsa = new RSACryptoServiceProvider())
{
var encoder = new UTF8Encoding();
byte[] bytesToVerify = encoder.GetBytes(originalMessage);
byte[] signedBytes = Base64UrlDecode(signedMessage);
try
{
rsa.FromXmlString(publicKey);
SHA256Managed Hash = new SHA256Managed();
byte[] hashedData = Hash.ComputeHash(signedBytes);
// Summary:
// Verifies that a digital signature is valid by determining the hash value in the
// signature using the provided public key and comparing it to the hash value of
// the provided data.
success = rsa.VerifyData(bytesToVerify, CryptoConfig.MapNameToOID("SHA256"), signedBytes);
}
catch (CryptographicException e)
{
success = false;
}
finally
{
rsa.PersistKeyInCsp = false;
}
}
return success;
}
private static byte[] Base64UrlDecode(string input)
{
var output = input;
output = output.Replace('-', '+'); // 62nd char of encoding
output = output.Replace('_', '/'); // 63rd char of encoding
switch (output.Length % 4) // Pad with trailing '='s
{
case 0: break; // No pad chars in this case
case 2: output += "=="; break; // Two pad chars
case 3: output += "="; break; // One pad char
default: throw new System.Exception("Illegal base64url string!");
}
var converted = Convert.FromBase64String(output); // Standard base64 decoder
return converted;
}