I have an Azure AD JWT token obtained with the MSAL library, but when I try to validate this token I run into a problem.
Client: SharePoint web part

import { UserAgentApplication } from "msal";

const config = {
  auth: {
    clientId: "xxxxx",
    authority: "https://login.microsoftonline.com/yyyyyy"
  }
};
const myMSALObj = new UserAgentApplication(config);
let accessTokenRequest = {
  scopes: ["user.read"],
  loginHint: this.context.pageContext.user.loginName,
  extraQueryParameters: { domain_hint: 'organizations' }
};
myMSALObj.acquireTokenSilent(accessTokenRequest).then(
  function (accessTokenResponse) {
    // Acquire token silent success
    let accessToken = accessTokenResponse.accessToken;
    // the access token is then sent to the Java server application for validation
  }
).catch(function (error) {
  // Acquire token silent failure (for example, interaction required)
  console.log(error);
});

On the other side, I have a server application (Java) that validates the access token.
Validator (Java), Maven dependencies:
<dependency>
  <groupId>com.microsoft.azure</groupId>
  <artifactId>azure-storage</artifactId>
  <version>8.6.2</version>
</dependency>
<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>jwks-rsa</artifactId>
  <version>0.11.0</version>
</dependency>
My problem is that when I try to validate this token I get the following error: "The Token's Signature resulted invalid when verified using the Algorithm: SHA256withRSA".
This confuses me: if the token is correct, why do I get this error?
Thanks
Answer 0 (score: 1)
I noticed that the scope is user.read, which means the token is meant for the Microsoft Graph API.
Please note:
"If you are a client that gets a token for Graph, assume it is an encrypted string that you should never look at; sometimes it will be. We use a special token format for Graph that they know how to validate. If the access token is not meant for you, you should not look at it."
You can call the Microsoft Graph API directly with this access token; if the token is wrong, you will get an error response from the Microsoft API server.
Reference:
Answer 1 (score: 1)
In the end, it works like this.
To obtain the token (using adal in the web part):
// tenantId, clientId and loginName are defined elsewhere in the web part (not shown):
// the directory (tenant) id, the app registration's client id and the current user's login name.

// Obtaining token provider
let tp = await this.context.aadTokenProviderFactory.getTokenProvider();
let config = tp["_defaultConfiguration"];
// Make sure the AAD instance URL ends with a trailing slash
let aadInstanceUrl = config.aadInstanceUrl[config.aadInstanceUrl.length - 1] === "/" ? config.aadInstanceUrl : config.aadInstanceUrl + "/";
// Config context
let ctx = new AuthenticationContext({
  tenant: tenantId,
  clientId: clientId,
  instance: aadInstanceUrl,
  redirectUri: config.redirectUri,
  extraQueryParameter: "login_hint=" + encodeURIComponent(loginName),
  loadFrameTimeout: 60000
});
// Check user: drop a cached session that belongs to a different account
let cu = ctx.getCachedUser();
console.log("USER", cu, loginName, ctx);
if (cu && cu.userName.toLowerCase() !== loginName.toLowerCase()) {
  console.log("Clean user cache");
  ctx.clearCache();
}
// Login process
console.log("Login process");
// Obtaining Azure AD Token (acquireToken is the web part's own helper, not shown here)
let azureADToken = this.acquireToken(ctx, clientId);
To validate the token:

import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;

String token = "XXXXXX";
DecodedJWT jwt = JWT.decode(token);
System.out.println(jwt.getKeyId());
JwkProvider provider = null;
Jwk jwk = null;
Algorithm algorithm = null;
try {
    provider = new UrlJwkProvider(new URL("https://login.microsoftonline.com/common/discovery/keys"));
    jwk = provider.get(jwt.getKeyId()); // look up the signing key by the token's kid header
    algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
    algorithm.verify(jwt); // if the token signature is invalid, the method throws SignatureVerificationException
    System.out.println("works!"); // only reached when the signature verified
} catch (MalformedURLException e) {
    e.printStackTrace();
} catch (JwkException e) {
    e.printStackTrace();
} catch (SignatureVerificationException e) {
    System.out.println(e.getMessage());
}
With these dependencies:

<dependencies>
  <dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.11.1</version>
  </dependency>
  <dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.11.1</version>
    <scope>runtime</scope>
  </dependency>
  <dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId> <!-- or jjwt-gson if Gson is preferred -->
    <version>0.11.1</version>
    <scope>runtime</scope>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
    <version>2.9.10</version>
    <type>bundle</type>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.9.8</version>
    <type>bundle</type>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-annotations</artifactId>
    <version>2.9.10</version>
    <type>bundle</type>
  </dependency>
  <dependency>
    <groupId>commons-beanutils</groupId>
    <artifactId>commons-beanutils</artifactId>
    <version>1.9.3</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-annotations</artifactId>
  </dependency>
  <dependency>
    <groupId>org.glassfish.jersey.media</groupId>
    <artifactId>jersey-media-json-jackson</artifactId>
  </dependency>
  <dependency>
    <groupId>org.glassfish.jersey.containers</groupId>
    <artifactId>jersey-container-servlet</artifactId>
  </dependency>
  <dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
  </dependency>
  <!-- JUNIT -->
  <!-- https://mvnrepository.com/artifact/junit/junit -->
  <dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.12</version>
  </dependency>
  <dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>azure-storage</artifactId>
    <version>8.6.2</version>
  </dependency>
  <dependency>
    <groupId>com.auth0</groupId>
    <artifactId>jwks-rsa</artifactId>
    <version>0.11.0</version>
  </dependency>
  <!-- https://mvnrepository.com/artifact/com.auth0/java-jwt -->
  <dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.10.2</version>
  </dependency>
</dependencies>
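The validator in answer 1 checks only the signature. A signature check alone accepts a token that has expired, that was issued by another tenant, or, as answer 0 explains, that was minted for Microsoft Graph rather than for the receiving API. The following example is an addition to this page, not code from either answer. It uses the same two libraries (java-jwt and jwks-rsa) and builds on the java-jwt JWTVerifier so that issuer, audience, expiry and the alg header are checked in one place. TENANT_ID and API_APP_ID are placeholders that an operator substitutes with the directory id and the API's own application id URI; the tenant-scoped v2.0 JWKS endpoint and the two Azure AD issuer formats are assumed from Microsoft's published token conventions.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

/**
 * Validates an Azure AD access token presented to our own API (added example).
 * Placeholders, not values from the original post:
 *   TENANT_ID  - the directory (tenant) id the token must have been issued by
 *   API_APP_ID - our API's application id URI, i.e. the expected "aud" claim
 */
public class AzureAdTokenValidator {
    private static final String TENANT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder
    private static final String API_APP_ID = "api://my-api-client-id";             // placeholder

    // v2.0 tokens carry the first issuer form, v1.0 tokens the second
    private static final String ISSUER_V2 = "https://login.microsoftonline.com/" + TENANT_ID + "/v2.0";
    private static final String ISSUER_V1 = "https://sts.windows.net/" + TENANT_ID + "/";

    private final JwkProvider jwkProvider;

    public AzureAdTokenValidator() throws MalformedURLException {
        // Tenant-scoped key set, cached and rate-limited so that a flood of tokens with
        // unknown kids cannot turn this validator into a request storm against the JWKS endpoint.
        URL jwksUrl = new URL("https://login.microsoftonline.com/" + TENANT_ID + "/discovery/v2.0/keys");
        this.jwkProvider = new JwkProviderBuilder(jwksUrl)
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();
    }

    /** Returns the verified token, or throws JWTVerificationException / JwkException. */
    public DecodedJWT validate(String token) throws JwkException {
        // decode() parses header and payload without trusting anything yet
        DecodedJWT unverified = JWT.decode(token);

        // Pin the algorithm before any key material is selected: a header claiming
        // "alg":"none" or an HMAC algorithm must never reach the RSA verifier.
        if (!"RS256".equals(unverified.getAlgorithm())) {
            throw new JWTVerificationException("unexpected alg: " + unverified.getAlgorithm());
        }

        // Select the signing key by the token's kid; an unknown kid raises JwkException
        Jwk jwk = jwkProvider.get(unverified.getKeyId());
        Algorithm rs256 = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);

        JWTVerifier verifier = JWT.require(rs256)
                .withIssuer(ISSUER_V2, ISSUER_V1)
                // A token whose aud is Microsoft Graph (the user.read case in the question)
                // fails here, which is the correct outcome: it was never meant for this API.
                .withAudience(API_APP_ID)
                .acceptLeeway(60) // seconds of clock skew tolerated on exp / nbf / iat
                .build();

        // verify() checks signature, exp/nbf, iss and aud together and throws a
        // JWTVerificationException subclass (e.g. SignatureVerificationException) on any failure.
        return verifier.verify(token);
    }

    public static void main(String[] args) throws Exception {
        String token = args.length > 0 ? args[0] : "<paste access token here>";
        try {
            DecodedJWT jwt = new AzureAdTokenValidator().validate(token);
            System.out.println("valid token for " + jwt.getSubject() + ", expires " + jwt.getExpiresAt());
        } catch (JWTVerificationException | JwkException e) {
            // Log the reason, but return a generic 401 to the caller in a real API
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with the raw access token as the first argument. The audience check is what turns the question's situation into a clear diagnostic: a Graph token is rejected with an audience error rather than a puzzling signature error, and the fix belongs on the client side (request a token for the API's own scope), not in the validator.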