我尝试使用Certificate credentials for application authentication从Microsoft Azure Active Directory获取JWT令牌。
我很想弄清楚“x5t”的价值。
我试过
但是,当我向MSA登录端点发送请求时,我一直收到以下错误
{
"error": "invalid_client",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '6F67F76B96F6FBBDF9D3EE1DDF7F9A7B877EE9C75DEDBD3DE9C7FB', Configured keys: [Key0:Start=06/01/2018, End=12/31/2099, Thumbprint=6WGktXA64QmA9TPv;Key1:Start=06/01/2018, End=12/31/2099, Thumbprint=rD9Q10sR6Q6ZkDVw;]]\r\nTrace ID: d9e3e276-e878-4b8a-b08b-10c82a0b0600\r\nCorrelation ID: 48ec889d-2376-45a6-9bf0-01b22b0e0c17\r\nTimestamp: 2018-06-01 09:38:24Z",
"error_codes": [
70002,
50012
],
"timestamp": "2018-06-01 09:38:24Z",
"trace_id": "d9e3e276-e878-4b8a-b08b-10c82a0b0600",
"correlation_id": "48ec889d-2376-45a6-9bf0-01b22b0e0c17"
}
如何获取“x5t”的值?
答案 0 :(得分:3)
我发现这个site和这个one对于解决x5t问题非常宝贵。最简单的方法是手动获取指纹:
echo $(openssl x509 -in your.cert.pem -fingerprint -noout) | sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64
以上命令的值是您在JWT的x5t字段中输入的值。在此之前,我从天青获得无效的指纹错误。
如果您使用的是Ruby,则可以按照以下answer进行操作:
p12 = OpenSSL::PKCS12.new(File.read(CERT_FILE), '')
x509_sha1_thumbprint = Base64.encode64(OpenSSL::Digest::SHA1.new(p12.certificate.to_der).to_s.upcase.scan(/../).map(&:hex).pack("c*")).strip
jwt_token = JWT.encode payload, p12.key, 'RS256', { typ: 'JWT', x5t: x509_sha1_thumbprint }
答案 1 :(得分:1)
x5t应该是X509证书的SHA-1指纹,base64url编码:
<强> 4.1.7。 “x5t”(X.509证书SHA-1指纹)标题参数
“x5t”(X.509证书SHA-1指纹)标题参数是a DER的base64url编码的SHA-1指纹(a.k.a.摘要) 与密钥对应的X.509证书[RFC5280]的编码 用于对JWS进行数字签名。请注意证书指纹 有时也称为证书指纹。使用此 标题参数是可选的。
来源:RFC7515 - https://tools.ietf.org/html/rfc7515#section-4.1.7