我正在创建一个身份提供者,并将其纳入B2C自定义策略中。
发现很好,并且用户被发送到我的idp很好。
但是,当我使用户返回B2C时,使用id_token响应类型(此刻我支持的唯一响应类型)是B2C给我标题中的错误。完整的错误是:
error_description=AADB2C90239: The provided id_token failed signature validation. Please provide another token and try again.
我要针对令牌(jwt.io,各种节点jwt / jwk验证方法)验证令牌的其他事情似乎都对我返回的内容感到满意,只有B2C并非如此。
Here is an example of my id_token response
我只是在本地计算机上运行它,因此发行者为ngrok,但是我的openid配置看起来像这样:
{
"issuer": "https://28b5fe46.ngrok.io",
"authorization_endpoint": "http://localhost:3000/authentication/auth",
"jwks_uri": "https://28b5fe46.ngrok.io/.well-known/openid-configuration/keys",
"response_modes_supported": [
"query"
],
"response_types_supported": [
"id_token"
],
"scopes_supported": [
"openid"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"claims_supported": [
"sub"
]
}
我的键如下所示:
{
"keys": [
{
"kid": "kiddy123",
"alg": "RS256",
"kty": "RSA",
"use": "sig",
"n": "ALdnY_dWrQgjaqWuqUFpr-__p62xsWSWGiVH9CEWlxOTGrR8jhfG_C_xxGkkptWrVWwJgpmJ7zOMFXjqc9HqGCitl9Czl-X68Ld2xnZ_HdmikRTv-Witn8V-5QiQhSEGwvA2Xek8OVWKWOZ7Z4L9_SjNar33E8zGGFtz77_pmzJ6_zompGQSkLwAMTU3buI8TUKFIOBLGtc_eFCfgcbHFjJuYYp_200A4Xz2a0lNvvHSZ8PLKmwoRIBbFhkhe0zFd0mwq97SavTUXrltZnq3ghTbc6QzJC4T3_4J1LMTEQIFpaK3jK9VPFrLVESy8Ovz4CdxsfY3_bv2QX2HfPOxJziDIOsoztXUvfPPH-tu5nZ2JpKuE5ftAL3W7LbR5SCe2fHqV8aSsJbyDP2fHKbjy1pBhx_MQ2ty17YJRcqHER0l2GEhRf7AhdewIdv2_LdMIUr1tYuYWLuiZVN682fgYZZGl_TAxhBSyi65uzXbziG4STpENkX8KvBPjkMJc-EfwRcegJzS2kJVd-fnE5fCF2lHuo0hC93piViUhtzo6_1R5AXKk2JKxs_kWRd30E7DE8LZPRw-2hM3zrEQ6X5VL7q-UvHLR6SUKdjHXPYUX2FJAuj8EhQlqhovf26_pwO26wHhBl8mkJo9T8c8MQSVz3y12AJbP99-lo0We5umk4uP",
"e": "AQAB"
}
]
}
B2C旅行记录器没有给我任何额外的信息,只有上述错误。
有人知道我该如何进一步调试吗?
这是我创建id_token的方式。您可以在底部附近看到我正在对照用于创建jwks的pem验证令牌。
const { session } = common.getServices(request)
const sessionValues = session.get(request)
const pem = fs.readFileSync(path.join(__dirname, '..', '..', '..', '..', '..', 'jwtRS256.key'))
const {
nonce,
redirectUri,
state,
databucketItems: { sub },
clientId
} = sessionValues
const jwk = njwk.JWK.fromJSON(JSON.stringify({
'kid': 'kiddy123',
'alg': 'RS256',
'kty': 'RSA',
'use': 'sig',
'n': 'ALdnY_dWrQgjaqWuqUFpr-__p62xsWSWGiVH9CEWlxOTGrR8jhfG_C_xxGkkptWrVWwJgpmJ7zOMFXjqc9HqGCitl9Czl-X68Ld2xnZ_HdmikRTv-Witn8V-5QiQhSEGwvA2Xek8OVWKWOZ7Z4L9_SjNar33E8zGGFtz77_pmzJ6_zompGQSkLwAMTU3buI8TUKFIOBLGtc_eFCfgcbHFjJuYYp_200A4Xz2a0lNvvHSZ8PLKmwoRIBbFhkhe0zFd0mwq97SavTUXrltZnq3ghTbc6QzJC4T3_4J1LMTEQIFpaK3jK9VPFrLVESy8Ovz4CdxsfY3_bv2QX2HfPOxJziDIOsoztXUvfPPH-tu5nZ2JpKuE5ftAL3W7LbR5SCe2fHqV8aSsJbyDP2fHKbjy1pBhx_MQ2ty17YJRcqHER0l2GEhRf7AhdewIdv2_LdMIUr1tYuYWLuiZVN682fgYZZGl_TAxhBSyi65uzXbziG4STpENkX8KvBPjkMJc-EfwRcegJzS2kJVd-fnE5fCF2lHuo0hC93piViUhtzo6_1R5AXKk2JKxs_kWRd30E7DE8LZPRw-2hM3zrEQ6X5VL7q-UvHLR6SUKdjHXPYUX2FJAuj8EhQlqhovf26_pwO26wHhBl8mkJo9T8c8MQSVz3y12AJbP99-lo0We5umk4uP',
'e': 'AQAB'
}))
const time = new Date().getTime()
const jwt = njwt.create({
iss: 'https://28b5fe46.ngrok.io',
name: 'Cheese man',
aud: clientId,
nonce,
redirectUri,
state,
sub
}, pem, jwk.alg)
jwt.setHeader('kid', 'kiddy123')
jwt.setExpiration(time + (12 * 60 * 60 * 1000))
jwt.setNotBefore(time - (2 * 60 * 60 * 1000))
const compacted = jwt.compact()
const returnUrl = `${sessionValues.redirectUri}?${qs.stringify({
id_token: compacted,
state
})}`
/** Just for verifying the id_token**/
const verifier = njwt.createVerifier().withKeyResolver((kid, next) => {
return pem.toString()
})
const parsedJwt = verifier.verify(compacted)
console.log(parsedJwt) // This prints the token correctly - meaning it is valid
return h.redirect(returnUrl)