验证Azure广告访问令牌时签名无效,但id令牌有效
使用jwt.io验证我的Azure广告访问令牌时,我得到了无效签名。但是,我的id令牌可以很好地验证!
I am getting invalid signature while using jwt.io to validate my azure ad access token. My id token, however, validates just fine!
我已经看到并尝试了
在验证Azure广告访问令牌时无效的签名
和
https:// nicksnettravels.builttoroam.com/post/2017/01/24/Verifying-Azure-Active-Directory-JWT-Tokens.aspx
,但都不适用于我的访问令牌。
I have seen and tried the solutions suggested in
Invalid signature while validating Azure ad access token
and
https://nicksnettravels.builttoroam.com/post/2017/01/24/Verifying-Azure-Active-Directory-JWT-Tokens.aspx
but neither works for my access token.
访问权限和ID令牌是通过Adal.js生成的:
The access and Id token is generated via Adal.js:
var endpoints = {
"https://graph.windows.net": "https://graph.windows.net"
};
var configOptions = {
tenant: "<ad>.onmicrosoft.com", // Optional by default, it sends common
clientId: "<app ID from azure portal>",
postLogoutRedirectUri: window.location.origin,
endpoints: endpoints,
}
window.authContext = new AuthenticationContext(configOptions);
为什么我可以验证我的ID令牌,但不能验证我的访问令牌?
Why can I validate my ID token, but not my access token?
请参考线程: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609
但是如果查看Jwt.Header,您将看到一个 nonce。这意味着您需要特殊处理。正常处理将失败。
but if look at the Jwt.Header you will see a 'nonce'. This means you need special processing. Normal processing will fail.
因此,如果随机数包含在访问令牌中,请使用JWT.io验证签名或JwtSecurityToken将不会成功。
So if nonce includes in access token , validate signature with JWT.io or JwtSecurityToken won't success .