AAD service-to-service with certificate JWT

Time: 2018-10-25 07:01:58

Tags: php azure jwt azure-active-directory

So, I have been reading the docs and implemented them, but somehow it does not get through, because Microsoft keeps complaining about an invalid signature:

Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. [Reason - The key was not found. Key used by client: '7380XXXXXXXXXXXXXXXXXXXXXXXXX', please visit 'https://developer.microsoft.com/en-us/graph/graph-explorer' and query for 'https://graph.microsoft.com/beta/applications/9a7exxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' to see the configured keys]

My code:

<?php
// Random v4-style GUID used as the assertion's jti claim
function GUID()
{
    return sprintf('%04X%04X-%04X-%04X-%04X-%04X%04X%04X', mt_rand(0, 65535), mt_rand(0, 65535), mt_rand(0, 65535), mt_rand(16384, 20479), mt_rand(32768, 49151), mt_rand(0, 65535), mt_rand(0, 65535), mt_rand(0, 65535));
}

$url = 'https://login.microsoftonline.com/sub.xxxx.com/oauth2/token';
$apiId = '649952a2-xxxx-xxxx-xxxx-xxxxxxxxxx'; // test
$identifierUrl = 'www.xxxx.com/test/OurClientName'; // test

$pvk = 'certificate.pvk'; // private key; must be in a PEM form that OpenSSL can parse
$pub = file_get_contents('certificate.crt');

// x5t is the base64url-encoded SHA-1 thumbprint of the certificate (RFC 7515 section 4.1.7):
// openssl_x509_fingerprint() returns hex SHA-1, pack('H*') turns it into raw bytes, then
// '+'/'/' become '-'/'_' and the '=' padding is dropped (plain base64_encode() is not enough)
$fingerprint = rtrim(strtr(base64_encode(pack('H*', openssl_x509_fingerprint($pub))), '+/', '-_'), '=');

$time = time();
$guid = GUID();

$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
$keychain = new \Lcobucci\JWT\Signer\Keychain();
$token = (new \Lcobucci\JWT\Builder())
    ->setIssuer($apiId)               // iss: the application (client) id
    ->setAudience($url)               // aud: the token endpoint the assertion is sent to
    ->setHeader('x5t', $fingerprint)  // tells AAD which registered certificate to verify with
    ->setId($guid, false)             // jti; false = do not replicate it into the header
    ->setIssuedAt($time)
    ->setNotBefore($time - 60)
    ->setExpiration($time + 60 * 60 * 12)
    ->set('sub', $apiId)              // sub: same as iss for client credentials
    ->sign($signer, $keychain->getPrivateKey('file://' . $pvk))
    ->getToken();

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // disables TLS peer verification; only for local debugging
// http_build_query() sends application/x-www-form-urlencoded instead of multipart/form-data
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'grant_type' => 'client_credentials',
    'client_id' => $apiId,
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion' => (string) $token, // Token object -> compact JWT string
    'resource' => $identifierUrl
]));

$output = curl_exec($ch);

var_dump(json_decode($output));

curl_close($ch);

Docs:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
https://github.com/lcobucci/jwt/blob/3.2/README.md

Our service provider assures me that the certificate with thumbprint 7380XXXXXXXXXXXXXXXXXXXXXXXXX is installed in both test and production and must be working.

Debugging the JWT and validating it on jwt.io tells me the signature is verified.

Is there anything I'm missing?
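The AADSTS50012 message above quotes the key that the client assertion points AAD at, so the useful check is whether the x5t header you send really encodes the thumbprint registered on the app. The helper below is an added example, not code from the question or from the lcobucci/jwt library: it computes x5t the way the certificate-credentials doc specifies (base64url of the SHA-1 over the certificate's DER bytes), shows how that differs from plain base64, and decodes the header of an assertion to compare it with a portal thumbprint. The certificate bytes and the token payload are constructed stand-ins.

```python
import base64
import hashlib
import json


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding JOSE headers use (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def thumbprint_hex_from_der(cert_der: bytes) -> str:
    """SHA-1 thumbprint as the portal and the AADSTS50012 message display it (hex)."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def x5t_from_der(cert_der: bytes) -> str:
    """x5t = base64url(SHA-1(certificate DER)), the key id AAD matches against the registered cert."""
    return b64url(hashlib.sha1(cert_der).digest())


def x5t_standard_base64(cert_der: bytes) -> str:
    """What plain base64_encode() in the question's PHP produces: padded standard base64, not x5t."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def thumbprint_hex_from_x5t(x5t: str) -> str:
    """Convert an x5t header value back to hex so it can be compared with the portal thumbprint."""
    return b64url_decode(x5t).hex().upper()


def assertion_header(x5t: str) -> str:
    """Encoded JOSE header of the client assertion as the certificate-credentials doc specifies."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t}
    return b64url(json.dumps(header, separators=(",", ":")).encode("ascii"))


def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT (no signature check) to see which key id it names."""
    return json.loads(b64url_decode(token.split(".")[0]))


def check_assertion_key(token: str, portal_thumbprint_hex: str) -> bool:
    """True when the assertion's x5t denotes the certificate thumbprint registered on the app."""
    return thumbprint_hex_from_x5t(jwt_header(token)["x5t"]) == portal_thumbprint_hex.upper()


if __name__ == "__main__":
    der = b"constructed stand-in for certificate DER bytes"  # real use: open("cert.der", "rb").read()
    token = assertion_header(x5t_from_der(der)) + "." + b64url(b'{"iss":"app"}') + ".sig"
    print("x5t header:", jwt_header(token)["x5t"])
    print("portal hex:", thumbprint_hex_from_der(der))
    print("match     :", check_assertion_key(token, thumbprint_hex_from_der(der)))
```

Paste the client_assertion from the request and the thumbprint shown in the app registration into check_assertion_key(); a mismatch there explains a "key was not found" answer before any signature is even checked.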

0 answers