So, I have been reading these documents and implemented what they describe, but somehow I cannot get through, because Microsoft keeps complaining about an invalid signature:

Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. [Reason - The key was not found. Key used by client: '7380XXXXXXXXXXXXXXXXXXXXXXXXX', please visit 'https://developer.microsoft.com/en-us/graph/graph-explorer' and query for 'https://graph.microsoft.com/beta/applications/9a7exxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' to see configured keys]

My code:
```php
<?php
// Random GUID, used as the jti claim of the assertion
function GUID()
{
    return sprintf('%04X%04X-%04X-%04X-%04X-%04X%04X%04X',
        mt_rand(0, 65535), mt_rand(0, 65535), mt_rand(0, 65535), mt_rand(16384, 20479),
        mt_rand(32768, 49151), mt_rand(0, 65535), mt_rand(0, 65535), mt_rand(0, 65535));
}

$url = 'https://login.microsoftonline.com/sub.xxxx.com/oauth2/token'; // v1 token endpoint, also used as aud
$apiId = '649952a2-xxxx-xxxx-xxxx-xxxxxxxxxx'; // test
$identifierUrl = 'www.xxxx.com/test/OurClientName'; // test
$pvk = 'certificate.pvk';                      // private key file
$pub = file_get_contents('certificate.crt');   // public certificate (PEM)

// SHA-1 fingerprint of the certificate: hex -> raw bytes -> base64, sent as the x5t header
$fingerprint = base64_encode(pack('H*', openssl_x509_fingerprint($pub)));
$time = time();
$guid = GUID();

$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
$keychain = new \Lcobucci\JWT\Signer\Keychain();
$token = (new \Lcobucci\JWT\Builder())
    ->setIssuer($apiId)
    ->setAudience($url)
    ->setHeader('x5t', $fingerprint)
    ->setId($guid, false)
    ->setIssuedAt($time)
    ->setNotBefore($time - 60)
    ->setExpiration($time + 60 * 60 * 12)
    ->set('sub', $apiId)
    ->sign($signer, $keychain->getPrivateKey('file://' . $pvk))
    ->getToken();

// Exchange the assertion for an access token (client credentials grant)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // TLS peer verification disabled
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'grant_type' => 'client_credentials',
    'client_id' => $apiId,
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion' => (string) $token,
    'resource' => $identifierUrl,
]);
$output = curl_exec($ch);
var_dump(json_decode($output));
curl_close($ch);
```
Documentation:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
https://github.com/lcobucci/jwt/blob/3.2/README.md

Our service provider assures me that the certificate with thumbprint 7380XXXXXXXXXXXXXXXXXXXXXXXXX is installed in both test and production and must work.

Debugging the JWT and validating it on jwt.io tells me the signature is verified.

Is there anything I am missing?
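The error text quoted above says the key was not found, not that the signature check itself failed, which is consistent with jwt.io verifying the signature: Azure AD looks up the registered certificate by the x5t header, and the certificate-credentials document linked above defines x5t as the base64url-encoded SHA-1 thumbprint (alphabet `-_`, no `=` padding), not standard base64. The following is an added example, not the poster's code or part of the lcobucci library, that builds the assertion by hand with plain openssl_* calls so that every field can be inspected. It assumes `certificate.crt` is a PEM certificate and `certificate.key` (an assumed filename) a PEM private key; the `.pvk` format named in the question cannot be read by PHP's openssl functions and would have to be converted first. The client id and token endpoint are the placeholder values from the question.

```php
<?php
// Added example (not the poster's code): build the Azure AD client assertion by hand.
// Assumes PEM files certificate.crt and certificate.key (assumed name).

function base64url(string $raw): string
{
    // RFC 4648 base64url: '+' -> '-', '/' -> '_', no '=' padding
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// x5t header: base64url of the RAW SHA-1 thumbprint of the certificate
function x5tFromCert(string $certPem): string
{
    $rawSha1 = openssl_x509_fingerprint($certPem, 'sha1', true); // binary digest
    if ($rawSha1 === false) {
        throw new RuntimeException('cannot read certificate: ' . openssl_error_string());
    }
    return base64url($rawSha1);
}

function buildClientAssertion(string $certPem, string $keyPem, string $clientId, string $tokenEndpoint): string
{
    $now = time();
    $header = ['alg' => 'RS256', 'typ' => 'JWT', 'x5t' => x5tFromCert($certPem)];
    $claims = [
        'aud' => $tokenEndpoint,           // v1 endpoint: the token URL itself
        'iss' => $clientId,
        'sub' => $clientId,
        'jti' => bin2hex(random_bytes(16)), // unique id for this assertion
        'nbf' => $now - 60,
        'exp' => $now + 600,                // short-lived; the assertion is single-use
    ];
    $signingInput = base64url(json_encode($header, JSON_UNESCAPED_SLASHES))
        . '.' . base64url(json_encode($claims, JSON_UNESCAPED_SLASHES));

    $key = openssl_pkey_get_private($keyPem);
    if ($key === false) {
        throw new RuntimeException('cannot load private key: ' . openssl_error_string());
    }
    if (!openssl_sign($signingInput, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $signingInput . '.' . base64url($signature);
}

// Pre-flight check: read x5t back out of the JWT header so it can be compared
// with the thumbprint Azure AD reports as "Key used by client"
function x5tOfAssertion(string $jwt): string
{
    $headerB64 = explode('.', $jwt)[0];
    $header = json_decode(base64_decode(strtr($headerB64, '-_', '+/')), true);
    return $header['x5t'] ?? '';
}

$certPem = file_get_contents('certificate.crt');
$keyPem  = file_get_contents('certificate.key');
$jwt = buildClientAssertion(
    $certPem,
    $keyPem,
    '649952a2-xxxx-xxxx-xxxx-xxxxxxxxxx',
    'https://login.microsoftonline.com/sub.xxxx.com/oauth2/token'
);

echo "x5t in JWT header:          ", x5tOfAssertion($jwt), PHP_EOL;
echo "x5t computed from cert:     ", x5tFromCert($certPem), PHP_EOL;
echo "hex thumbprint (portal):    ", strtoupper(openssl_x509_fingerprint($certPem, 'sha1')), PHP_EOL;
echo "standard base64 (for diff): ", base64_encode(openssl_x509_fingerprint($certPem, 'sha1', true)), PHP_EOL;
```

The last two lines print the same thumbprint in the form the Azure portal shows it and in the standard-base64 form; if a token's x5t matches the standard-base64 line rather than the base64url line, the directory cannot match it to the registered key and reports AADSTS50012 even though the RSA signature itself is valid.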