AzureAD token validation

Posted 2025-01-09 00:55:38 · 2511 characters · 1 view · 0 comments


I'm trying to validate a token that was provided by Azure AD inside of an AWS Lambda function. At the moment I have an MVC website that you can authenticate to Azure AD with, which returns a JWT token. This JWT will be passed up to an AWS API Gateway where a Lambda Authorizer will verify it.

At first I thought the correct method was to pass the JWT back to Azure AD to verify the token. However, after reading this, it appears I need to decrypt the token and validate the issuer and audience. This led me to this, which does successfully validate the token. However, if I change mySecret to not match the one configured in Azure AD, it still successfully validates?

        using System;
        using System.Globalization;
        using System.IdentityModel.Tokens.Jwt;
        using System.Text;
        using System.Threading.Tasks;
        using Microsoft.IdentityModel.Protocols;
        using Microsoft.IdentityModel.Protocols.OpenIdConnect;
        using Microsoft.IdentityModel.Tokens;

        public static async Task<SecurityToken> ValidateAsync()
        {
            var authToken = "JWTToken";
            string key = "I thought this needed to be the client secret in Azure AD but any string will still pass verification";

            string myTenant = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
            var myAudience = "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
            var myIssuer = string.Format(CultureInfo.InvariantCulture, "https://sts.windows.net/{0}/", myTenant);
            var mySecurityKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(key));
            var stsDiscoveryEndpoint = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}/.well-known/openid-configuration", myTenant);
            var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
            var config = await configManager.GetConfigurationAsync();

            var tokenHandler = new JwtSecurityTokenHandler();

            var validationParameters = new TokenValidationParameters
            {
                ValidAudience = myAudience,
                ValidIssuer = myIssuer,
                IssuerSigningKeys = config.SigningKeys, // Azure AD's published signing keys from the discovery document
                ValidateLifetime = false,               // expiry (exp/nbf) is not checked with this setting
                IssuerSigningKey = mySecurityKey,       // the arbitrary symmetric key the question is about
                ValidateAudience = true,
                ValidateIssuer = true,
            };

            // Throws a SecurityTokenException subclass if the token is invalid (bad signature, wrong issuer or audience, malformed, etc.)
            tokenHandler.ValidateToken(authToken, validationParameters, out SecurityToken validatedToken);
            return validatedToken;
        }

I have Azure AD configured to this, where the Client is the MVC website and the Service is the Lambda Authorizer. TLDR: This is basically two client registrations, where the Lambda Authorizer has an exposed API and the MVC website has a client secret.

Have I taken the right approach? If so, how do I fix the issue I am facing?

Any help would be appreciated


Comments (1)

很酷不放纵 2025-01-16 00:55:38


I've used something like this:

using System.IdentityModel.Tokens.Jwt;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

string authority = "https://login.microsoftonline.com/<your-tenant-id>/";
string clientId = "<your-client-id>";
string token = "<the JWT to validate>";

IConfigurationManager<OpenIdConnectConfiguration> configurationManager =
    new ConfigurationManager<OpenIdConnectConfiguration>($"{authority}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = await configurationManager.GetConfigurationAsync(CancellationToken.None);

var validationParams = new TokenValidationParameters
{
    ValidIssuer = openIdConfig.Issuer,           // issuer published by the authority
    ValidAudience = clientId,
    IssuerSigningKeys = openIdConfig.SigningKeys // signing keys published by the authority
};

// Throws a SecurityTokenException subclass if the signature, issuer, audience or lifetime check fails.
var principal = new JwtSecurityTokenHandler().ValidateToken(token, validationParams, out SecurityToken validatedToken);

It uses the authority to download the valid issuer, signing keys etc.
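A stdlib-only Python model of what the validator in both posts is doing, added here as an illustration; it is not code from either post or from Microsoft.IdentityModel. It implements RS256 and HS256 JWS signing and verification, mimics the key-set resolution of TokenValidationParameters (keys whose kid matches the token header are tried first, otherwise every trusted key is tried), and then runs the cases the question raises. The tenant ID, app ID URI, user, and the RSA key pair standing in for the key Azure AD publishes at its discovery endpoint are all constructed for the example, and the 1024-bit key size is for speed, not a recommendation.

```python
import base64, hashlib, hmac, json, math, secrets, time

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rounds=32):  # Miller-Rabin; callers pass large odd n
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False
    return True

def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def rsa_keygen(bits=1024, kid="idp-key-1"):  # throwaway pair standing in for Azure AD's discovery key
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"kty": "RSA", "kid": kid, "n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix for SHA-256 (RS256 = RSASSA-PKCS1-v1_5)

def _emsa(msg, k):
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(priv, msg):
    k = (priv["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), priv["d"], priv["n"]).to_bytes(k, "big")

def rs256_verify(pub, msg, sig):
    k = (pub["n"].bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(em, _emsa(msg, k))

def jwt_sign(header, claims, key):
    signing_input = (b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())).encode()
    sig = rs256_sign(key, signing_input) if header["alg"] == "RS256" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return signing_input.decode() + "." + b64u(sig)

class TokenValidationError(Exception):
    pass

def validate_token(token, *, valid_issuer, valid_audience, issuer_signing_keys, validate_lifetime=True):
    h64, c64, s64 = token.split(".")
    header, claims, sig = json.loads(b64u_dec(h64)), json.loads(b64u_dec(c64)), b64u_dec(s64)
    signing_input, alg, kid = f"{h64}.{c64}".encode(), header.get("alg"), header.get("kid")
    # Keys whose kid matches are tried first; otherwise every trusted key is tried (the default JwtSecurityTokenHandler
    # behaviour). A genuine token is verified by the discovery RSA key and never touches the symmetric key; a forged no-kid token does.
    candidates = [k for k in issuer_signing_keys if kid and k.get("kid") == kid] or list(issuer_signing_keys)
    for key in candidates:
        if (alg == "RS256" and key["kty"] == "RSA" and rs256_verify(key, signing_input, sig)) or (
            alg == "HS256" and key["kty"] == "oct"
            and hmac.compare_digest(hmac.new(key["k"], signing_input, hashlib.sha256).digest(), sig)):
            break
    else:
        raise TokenValidationError("signature does not verify against any trusted key")
    if claims.get("iss") != valid_issuer or claims.get("aud") != valid_audience:
        raise TokenValidationError("issuer or audience mismatch")
    if validate_lifetime and claims.get("exp", 0) <= time.time():
        raise TokenValidationError("token expired")
    return claims, key  # key is the one that actually verified the signature

ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # constructed placeholder tenant
AUDIENCE = "api://11111111-1111-1111-1111-111111111111"                   # constructed placeholder app ID URI

def _verifier_kty(token, keys, **kw):  # 'RSA' or 'oct' for the key that verified the token, None if validation fails
    try:
        return validate_token(token, valid_issuer=ISSUER, valid_audience=AUDIENCE, issuer_signing_keys=keys, **kw)[1]["kty"]
    except TokenValidationError:
        return None

def demo():
    idp_pub, idp_priv = rsa_keygen()                               # stands in for config.SigningKeys
    garbage = {"kty": "oct", "k": b"any string will still pass"}  # the asker's SymmetricSecurityKey
    mixed, discovery_only = [idp_pub, garbage], [idp_pub]
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": int(time.time()) + 600}
    rs_header = {"alg": "RS256", "typ": "JWT", "kid": idp_pub["kid"]}
    genuine = jwt_sign(rs_header, claims, idp_priv)
    forged = jwt_sign({"alg": "HS256", "typ": "JWT"}, claims, garbage["k"])  # no kid, signed with the known string
    expired = jwt_sign(rs_header, {**claims, "exp": int(time.time()) - 60}, idp_priv)
    return {
        # 1. genuine token, mixed key set: accepted, and the RSA discovery key is what verified it
        "genuine_mixed": _verifier_kty(genuine, mixed),
        # 2. genuine token, symmetric key alone: rejected, so that key never validated anything
        "genuine_symmetric_only": _verifier_kty(genuine, [garbage]),
        # 3. forged HS256 token: accepted by the mixed set, rejected by the discovery keys alone
        "forged_mixed": _verifier_kty(forged, mixed),
        "forged_discovery_only": _verifier_kty(forged, discovery_only),
        # 4. expired token: ValidateLifetime = false lets it through, the default rejects it
        "expired_unchecked": _verifier_kty(expired, discovery_only, validate_lifetime=False),
        "expired_checked": _verifier_kty(expired, discovery_only),
    }
```

The first two entries of `demo()` answer the question: the genuine token carries the kid of a key in config.SigningKeys, so that RSA key verifies it and the SymmetricSecurityKey is never consulted, which is why changing the string changes nothing. The string is not the client secret (a client secret is used by the MVC app to obtain tokens, not by the resource to verify them), and no symmetric key belongs in the trust set of a validator for Azure AD tokens at all. The third pair is the cost of leaving it there: anyone who knows that hard-coded string can mint an HS256 token with the right iss and aud, and a validator that falls back to trying every trusted key accepts it. The last pair shows that ValidateLifetime = false accepts expired tokens. For the Lambda authorizer, keep IssuerSigningKeys = config.SigningKeys, remove IssuerSigningKey, leave lifetime validation on (with a small ClockSkew if needed), and, where the library version offers it, restrict ValidAlgorithms to RS256.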
