Does ASP.NET Core JWT authentication support multiple symmetric signing keys?

Date: 2020-01-29 19:43:14

Tags: asp.net-core jwt

Some libraries, such as https://www.nuget.org/packages/JWT, support the concept of multiple symmetric signing keys.

If possible, I would like to use the Microsoft.AspNetCore.Authentication.JwtBearer implementation provided by MS. Does that implementation support multiple symmetric signing keys?

The SymmetricSecurityKey class seems to support only a single key.

Calling JwtBearerExtensions.AddJwtBearer more than once throws an exception: InvalidOperationException: Scheme already exists: Bearer

The reason I want multiple signing keys is to support a key rollover scheme.

2 answers:

Answer 0 (score: 2)

The TokenValidationParameters property of JwtBearerOptions has an IssuerSigningKeys property that lets you supply multiple SecurityKeys.

https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters.issuersigningkeys?view=azure-dotnet#Microsoft_IdentityModel_Tokens_TokenValidationParameters_IssuerSigningKeys

// Needs: using Microsoft.IdentityModel.Tokens; (RsaSecurityKey, TokenValidationParameters)
// signingKey01 / signingKey02 are RSA key instances loaded elsewhere; for symmetric
// keys, put new SymmetricSecurityKey(keyBytes) in the same place.
services
    .AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters()
        {
            // Every key in this list is accepted when validating a token's signature.
            IssuerSigningKeys = new[]
            {
                new RsaSecurityKey(signingKey01),
                new RsaSecurityKey(signingKey02),
            },
        };
    });

Answer 1 (score: 1)

A custom IssuerSigningKeyResolver in TokenValidationParameters can be used to supply multiple keys:

// Needs: using System.Collections.Generic; using System.Text;
//        using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.IdentityModel.Tokens;
services.AddAuthentication(x =>
{
    x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(x =>
{
    x.RequireHttpsMetadata = false; // development setting; leave the default (true) in production
    x.SaveToken = true;
    x.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        // Called for every token; the handler tries each returned key in turn.
        // This resolver ignores the kid and always returns both keys.
        IssuerSigningKeyResolver = (string token, SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) =>
        {
            List<SecurityKey> keys = new List<SecurityKey>();

            // Placeholders: HS256 needs at least 128 bits (16 bytes) of key material, and
            // real keys should be random bytes from a secret store, not short ASCII strings.
            var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("yourFirstkey"));
            keys.Add(signingKey);
            var signingKey1 = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("yourSecondkey"));
            keys.Add(signingKey1);
            return keys;
        },
        // Disabled here for brevity; set ValidIssuer/ValidAudience and turn these on
        // so tokens minted by another issuer or for another audience are rejected.
        ValidateIssuer = false,
        ValidateAudience = false
    };
});
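Added example, not code from the question or either answer: a runnable console program that shows the key rollover the question is after with both answers' mechanisms side by side. Two symmetric keys, each with a KeyId, are accepted for validation while only the newest one signs; the first TokenValidationParameters uses IssuerSigningKeys as in answer 0, the second uses an IssuerSigningKeyResolver that selects on kid as in answer 1. It assumes the System.IdentityModel.Tokens.Jwt package (which brings in Microsoft.IdentityModel.Tokens) and a version recent enough to have TokenValidationParameters.ValidAlgorithms; the issuer, audience, key ids and randomly generated key bytes are constructed for the demo. The TokenValidationParameters objects built here are what you would assign to options.TokenValidationParameters inside AddJwtBearer.

```csharp
// Added example, not code from the question or either answer.
// Assumed package: System.IdentityModel.Tokens.Jwt (brings in Microsoft.IdentityModel.Tokens).
// Issuer, audience, key ids and key bytes below are constructed for the demo.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class KeyRolloverDemo
{
    const string IssuerUrl = "https://issuer.example";
    const string ApiAudience = "api";

    // Give every key a KeyId: the handler writes it into the "kid" header and uses it
    // to pick the right key on validation. HS256 needs at least 128 bits of key material;
    // 32 random bytes is the usual choice (load real keys from a secret store).
    static SymmetricSecurityKey MakeKey(string kid)
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return new SymmetricSecurityKey(bytes) { KeyId = kid };
    }

    static string Issue(SecurityKey signingKey, string subject)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = IssuerUrl,
            Audience = ApiAudience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", subject) }),
            Expires = DateTime.UtcNow.AddMinutes(10),
            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Answer 0's approach: a static list. The handler first tries the key whose KeyId
    // matches the token's kid and then, by default, every other key in the list.
    static TokenValidationParameters WithKeyList(IEnumerable<SecurityKey> accepted) =>
        new TokenValidationParameters
        {
            ValidIssuer = IssuerUrl,
            ValidAudience = ApiAudience,
            IssuerSigningKeys = accepted,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin the algorithm
        };

    // Answer 1's approach: a resolver. This one selects on kid, so only the named key is
    // tried; an unknown or missing kid returns no keys and the token is rejected.
    static TokenValidationParameters WithResolver(IReadOnlyDictionary<string, SecurityKey> keyRing) =>
        new TokenValidationParameters
        {
            ValidIssuer = IssuerUrl,
            ValidAudience = ApiAudience,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                kid != null && keyRing.TryGetValue(kid, out var key)
                    ? new[] { key }
                    : Array.Empty<SecurityKey>(),
        };

    static bool Validates(string token, TokenValidationParameters parameters)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            return true;
        }
        catch (SecurityTokenException)
        {
            return false; // bad signature, unknown kid, expired, wrong issuer or audience
        }
    }

    public static void Main()
    {
        var retired = MakeKey("2019-12");  // dropped from the accepted set
        var previous = MakeKey("2020-01"); // still accepted until its last token has expired
        var current = MakeKey("2020-02");  // the only key used for signing

        // Rollover rule: validate with {current, previous}, sign with current only.
        var accepted = new SecurityKey[] { current, previous };
        var listParams = WithKeyList(accepted);
        var resolverParams = WithResolver(accepted.ToDictionary(k => k.KeyId, k => k));

        foreach (var (label, key) in new[] { ("current", current), ("previous", previous), ("retired", retired) })
        {
            var token = Issue(key, "alice");
            Console.WriteLine($"{label,-8}: list={Validates(token, listParams)} resolver={Validates(token, resolverParams)}");
        }
    }
}
```

Tokens signed with the current or previous key validate under both parameter sets; a token signed with the retired key fails under both, because it is in neither the list nor the key ring. The two approaches differ on tokens without a kid header: the list variant falls back to trying every key (TryAllIssuerSigningKeys defaults to true), while the resolver variant rejects them, which is the stricter choice once all issuers emit a kid. To roll keys, add the new key to the accepted set first, switch signing to it, and drop the old key only after every token it signed has expired. Note that with symmetric keys every service holding the validation secret can also mint tokens, so the set should be distributed no wider than necessary.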