Azure B2C: "The provided id_token failed signature validation"

Time: 2018-11-14 01:14:07

Tags: openid-connect azure-ad-b2c oidc

I'm creating an identity provider and adding it to a B2C custom policy.

Discovery works fine, and the user is sent to my IdP fine. However, when I send the user back to B2C using the id_token response type (the only response type I support at the moment), B2C gives me the error in the title. The full error is:

error_description=AADB2C90239: The provided id_token failed signature validation. Please provide another token and try again.

Everything else I verify the token against (jwt.io, various Node jwt/jwk verification methods) seems happy with what I return; only B2C is not.

Here is an example of my id_token response

I'm just running it on my local machine, so the issuer is ngrok, but my openid configuration looks like this:

{
  "issuer": "https://28b5fe46.ngrok.io",
  "authorization_endpoint": "http://localhost:3000/authentication/auth",
  "jwks_uri": "https://28b5fe46.ngrok.io/.well-known/openid-configuration/keys",
  "response_modes_supported": [
    "query"
  ],
  "response_types_supported": [
    "id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "claims_supported": [
    "sub"
  ]
}

My keys look like this:

{
  "keys": [
    {
      "kid": "kiddy123",
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "n": "ALdnY_dWrQgjaqWuqUFpr-__p62xsWSWGiVH9CEWlxOTGrR8jhfG_C_xxGkkptWrVWwJgpmJ7zOMFXjqc9HqGCitl9Czl-X68Ld2xnZ_HdmikRTv-Witn8V-5QiQhSEGwvA2Xek8OVWKWOZ7Z4L9_SjNar33E8zGGFtz77_pmzJ6_zompGQSkLwAMTU3buI8TUKFIOBLGtc_eFCfgcbHFjJuYYp_200A4Xz2a0lNvvHSZ8PLKmwoRIBbFhkhe0zFd0mwq97SavTUXrltZnq3ghTbc6QzJC4T3_4J1LMTEQIFpaK3jK9VPFrLVESy8Ovz4CdxsfY3_bv2QX2HfPOxJziDIOsoztXUvfPPH-tu5nZ2JpKuE5ftAL3W7LbR5SCe2fHqV8aSsJbyDP2fHKbjy1pBhx_MQ2ty17YJRcqHER0l2GEhRf7AhdewIdv2_LdMIUr1tYuYWLuiZVN682fgYZZGl_TAxhBSyi65uzXbziG4STpENkX8KvBPjkMJc-EfwRcegJzS2kJVd-fnE5fCF2lHuo0hC93piViUhtzo6_1R5AXKk2JKxs_kWRd30E7DE8LZPRw-2hM3zrEQ6X5VL7q-UvHLR6SUKdjHXPYUX2FJAuj8EhQlqhovf26_pwO26wHhBl8mkJo9T8c8MQSVz3y12AJbP99-lo0We5umk4uP",
      "e": "AQAB"
    }
  ]
}

The B2C journey recorder doesn't give me any extra information, only the error above.

Does anyone know how I can debug this further?

This is how I create the id_token. You can see near the bottom that I verify the token against the pem used to create the jwks.

// Module-level requires assumed from the surrounding file (not shown in the original):
// fs and path are Node built-ins; njwt is the njwt package; njwk is node-jwk; qs is qs.
const fs = require('fs')
const path = require('path')
const njwt = require('njwt')
const njwk = require('node-jwk')
const qs = require('qs')
// `common`, `request` and `h` come from the enclosing hapi-style route handler (assumption).

const { session } = common.getServices(request)
const sessionValues = session.get(request)
// Private key used for signing; the JWK published at jwks_uri must be its public half.
const pem = fs.readFileSync(path.join(__dirname, '..', '..', '..', '..', '..', 'jwtRS256.key'))

const {
  nonce,
  redirectUri,
  state,
  databucketItems: { sub },
  clientId
} = sessionValues

// Hard-coded copy of the published public JWK (only its `alg` is used below).
const jwk = njwk.JWK.fromJSON(JSON.stringify({
  'kid': 'kiddy123',
  'alg': 'RS256',
  'kty': 'RSA',
  'use': 'sig',
  'n': 'ALdnY_dWrQgjaqWuqUFpr-__p62xsWSWGiVH9CEWlxOTGrR8jhfG_C_xxGkkptWrVWwJgpmJ7zOMFXjqc9HqGCitl9Czl-X68Ld2xnZ_HdmikRTv-Witn8V-5QiQhSEGwvA2Xek8OVWKWOZ7Z4L9_SjNar33E8zGGFtz77_pmzJ6_zompGQSkLwAMTU3buI8TUKFIOBLGtc_eFCfgcbHFjJuYYp_200A4Xz2a0lNvvHSZ8PLKmwoRIBbFhkhe0zFd0mwq97SavTUXrltZnq3ghTbc6QzJC4T3_4J1LMTEQIFpaK3jK9VPFrLVESy8Ovz4CdxsfY3_bv2QX2HfPOxJziDIOsoztXUvfPPH-tu5nZ2JpKuE5ftAL3W7LbR5SCe2fHqV8aSsJbyDP2fHKbjy1pBhx_MQ2ty17YJRcqHER0l2GEhRf7AhdewIdv2_LdMIUr1tYuYWLuiZVN682fgYZZGl_TAxhBSyi65uzXbziG4STpENkX8KvBPjkMJc-EfwRcegJzS2kJVd-fnE5fCF2lHuo0hC93piViUhtzo6_1R5AXKk2JKxs_kWRd30E7DE8LZPRw-2hM3zrEQ6X5VL7q-UvHLR6SUKdjHXPYUX2FJAuj8EhQlqhovf26_pwO26wHhBl8mkJo9T8c8MQSVz3y12AJbP99-lo0We5umk4uP',
  'e': 'AQAB'
}))

const time = new Date().getTime()

// Build the id_token; njwt adds iat and jti itself, exp and nbf are set explicitly below.
const jwt = njwt.create({
  iss: 'https://28b5fe46.ngrok.io',
  name: 'Cheese man',
  aud: clientId,
  nonce,
  redirectUri,
  state,
  sub
}, pem, jwk.alg)

jwt.setHeader('kid', 'kiddy123')
jwt.setExpiration(time + (12 * 60 * 60 * 1000))
jwt.setNotBefore(time - (2 * 60 * 60 * 1000))

const compacted = jwt.compact()

// Return the token in the query string (response_mode=query), echoing the state.
const returnUrl = `${sessionValues.redirectUri}?${qs.stringify({
  id_token: compacted,
  state
})}`

/** Just for verifying the id_token **/
// njwt's verifier defaults to HS256, so the algorithm must be set, and the key
// resolver hands the key back through the callback rather than the return value.
const verifier = njwt.createVerifier()
  .setSigningAlgorithm('RS256')
  .withKeyResolver((kid, next) => {
    next(null, pem.toString())
  })

const parsedJwt = verifier.verify(compacted)
console.log(parsedJwt) // This prints the token correctly - meaning it is valid

return h.redirect(returnUrl)

0 answers:

No answers