logo标签列表

如何在Java中验证Azure AD的JWT令牌?

azureazure-active-directory
6
我有一个使用Msal库获得的Azure AD JWT令牌,但是当我尝试验证此令牌时出现了问题:
客户端:一个Sharepoint Web Part
 const config = {
     auth: {
         clientId: "xxxxx",
         authority: "https://login.microsoftonline.com/yyyyyy"
     }
 };

 const myMSALObj = new UserAgentApplication(config);

 let accessTokenRequest = {
     scopes: ["user.read"],
     loginHint: this.context.pageContext.user.loginName,
     extraQueryParameters: {domain_hint: 'organizations'}
 }

 myMSALObj.acquireTokenSilent(accessTokenRequest).then(
  function(accessTokenResponse) { 
  // Acquire token silent success 
  let accessToken = accessTokenResponse.accessToken;

我正在尝试从以下网址检索公钥: https://login.microsoftonline.com/tenant-id/.well-known/openid-configuration 但是使用此公钥时,我无法重定向到: https://login.microsoftonline.com/common/discovery/keys 在这种情况下,是否有其他方法获取公钥? < p >< em >< strong >服务器:验证

public PublicKey getPublicKeyFromParams(String e, String n){

    byte[] modulusBytes = Base64.getUrlDecoder().decode(n);

    BigInteger modulusInt = new BigInteger(1, modulusBytes);

    byte[] exponentBytes = Base64.getUrlDecoder().decode(e);

    BigInteger exponentInt = new BigInteger(1, exponentBytes);

    KeyFactory keyFactory;

    RSAPublicKeySpec publicSpec = new RSAPublicKeySpec(modulusInt, exponentInt);

        try {

            keyFactory = KeyFactory.getInstance("RSA");

            return keyFactory.generatePublic(publicSpec);

        } catch (NoSuchAlgorithmException | InvalidKeySpecException ex) {

            ex.printStackTrace();

        }

    return null;

}

@Test

public void name() throws Exception {

    String jwt = "xxxxxxx";

    KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);

    String e = Base64.getUrlEncoder().encodeToString((((RSAPublicKeyImpl) keyPair.getPublic()).getPublicExponent()).toByteArray());

    String n = Base64.getUrlEncoder().encodeToString((((RSAPublicKeyImpl) keyPair.getPublic()).getModulus()).toByteArray());

    System.out.println("Public Key: " + Base64.getUrlEncoder().encodeToString(keyPair.getPublic().getEncoded()));

    System.out.println("Public Key Exponent: " + e);

    System.out.println("Public Key Modulus: " + n);

    String jws = Jwts.builder().setSubject("pepe").signWith(keyPair.getPrivate()).compact();

    System.out.println("Generated JWS:" + jws);

    PublicKey publicKey = getPublicKeyFromParams(e, n);

    Jwt parsedJWs = Jwts.parserBuilder().setSigningKey(publicKey).build().parse(jws);

    System.out.println("Parsed JWS: " + parsedJWs);

    publicKey = getPublicKeyFromParams(eValue, nValue);

    System.out.println("Azure PublicKey fron n-e: " + publicKey);

    CertificateFactory factory = CertificateFactory.getInstance("X.509");

    Certificate cert = factory.generateCertificate(new ByteArrayInputStream(

    DatatypeConverter.parseBase64Binary("cccccccccccccccccc")));

    publicKey = cert.getPublicKey();

    System.out.println("Azure PublicKey from x5c: " + publicKey);

    Jwt jwtParsed = Jwts.parserBuilder().setSigningKey(publicKey).build().parse(jwt);

    System.out.println(jwtParsed);

}

public static PublicKey getPublicKey(String key){

    try{

        byte[] byteKey = Base64.getDecoder().decode(key);

        X509EncodedKeySpec X509publicKey = new X509EncodedKeySpec(byteKey);

        KeyFactory kf = KeyFactory.getInstance("RSA");

        return kf.generatePublic(X509publicKey);

    }

    catch(Exception e){

        e.printStackTrace();

    }

    return null;

}
请提供您的代码,好吗? - Jim Xu
嗨@JimXu。谢谢你的回复。我已经添加了我的代码。 - vcima
3个回答
6

如果您想要验证Azure AD访问令牌,可以尝试使用SDK java-jwtjwks-rsa 来实现它。

例如:

  1. 通过maven安装SDK
 <dependency>
      <groupId>com.microsoft.azure</groupId>
      <artifactId>azure-storage</artifactId>
      <version>8.6.2</version>
    </dependency>

    <dependency>
      <groupId>com.auth0</groupId>
      <artifactId>jwks-rsa</artifactId>
      <version>0.11.0</version>
    </dependency>

  1. Code

    a. validate the signature

     String token="<your AD token>";
  DecodedJWT jwt = JWT.decode(token);
  System.out.println(jwt.getKeyId());

  JwkProvider provider = null;
  Jwk jwk =null;
  Algorithm algorithm=null;

  try {
      provider = new UrlJwkProvider(new URL("https://login.microsoftonline.com/common/discovery/keys"));
      jwk = provider.get(jwt.getKeyId());
      algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
      algorithm.verify(jwt);// if the token signature is invalid, the method will throw SignatureVerificationException
  } catch (MalformedURLException e) {
      e.printStackTrace();
  } catch (JwkException e) {
      e.printStackTrace();
  }catch(SignatureVerificationException e){

     System.out.println(e.getMessage());

  }
嗨,吉姆!感谢您的回复。使用您的代码后,我遇到了同样的问题:我已经通过以下方式获取了令牌:myMSALObj.acquireTokenSilent(accessTokenRequest).then(function(accessTokenResponse) { // 静默获取令牌成功 // 使用令牌调用API let accessToken = accessTokenResponse.accessToken; - vcima
1
你的示例验证错误是这样的:当使用算法SHA256withRSA进行验证时,令牌的签名无效。你有任何想法吗? - vcima
嗨@Jim XU,是的,我正在Sharepoint WebPart中使用Msal库,并使用此导入:import {UserAgentApplication} from "msal";。这有问题吗? - vcima
const config = { auth: { clientId: "xxxxx", authority: "https://login.microsoftonline.com/yyyyyy" } }; const myMSALObj = new UserAgentApplication(config); let accessTokenRequest = { scopes: ["user.read"], loginHint: this.context.pageContext.user.loginName, extraQueryParameters: {domain_hint: 'organizations'} } myMSALObj.acquireTokenSilent(accessTokenRequest).then( function(accessTokenResponse) { // 静默获取令牌成功 let accessToken = accessTokenResponse.accessToken; - vcima
嗨@Jim Xu,我们不需要使用Microsoft Graph。利用Msal获得的令牌,我们想调用我们自己的API,并且在使用我们的API时需要检查此令牌是否有效。 - vcima
显示剩余6条评论
5

通过这个更改,验证功能正常工作。

let accessTokenRequest = {
    scopes:["clientId/.default"],
    loginHint: this.context.pageContext.user.loginName,
    extraQueryParameters: {domain_hint: 'organizations'}
}
谢谢vcima,你在无数个小时之后拯救了我。看起来从msal生成的access_token实际上是无效的,当使用scopes:['user.read']生成时,而使用['your client id/.default']则是有效的,可以通过jwt.io验证。另请参见此处 - phil294
0

您需要使用微软的新密钥才能使上述代码正常工作。请将以下代码进行更改:

provider = new UrlJwkProvider(new URL("https://login.microsoftonline.com/common/discovery/keys"));

更改为

provider = new UrlJwkProvider(new URL("https://login.microsoftonline.com/common/discovery/v2.0/keys"));

对于上面的示例,有一些依赖项缺失,正确的示例应该是:

<dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>azure-storage</artifactId>
        <version>8.6.2</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/com.auth0/java-jwt -->
    <dependency>
        <groupId>com.auth0</groupId>
        <artifactId>java-jwt</artifactId>
        <version>3.16.0</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/com.auth0/jwks-rsa -->
    <dependency>
        <groupId>com.auth0</groupId>
        <artifactId>jwks-rsa</artifactId>
        <version>0.18.0</version>
    </dependency>

代码如下:

String token="YOUR JWT";
        DecodedJWT jwt = JWT.decode(token);
        System.out.println(jwt.getKeyId());

        JwkProvider provider = null;
        Jwk jwk =null;
        Algorithm algorithm=null;

        try {
            provider = new UrlJwkProvider(new URL("https://login.microsoftonline.com/common/discovery/v2.0/keys"));
            jwk = provider.get(jwt.getKeyId());
            algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
            algorithm.verify(jwt);// if the token signature is invalid, the method will throw SignatureVerificationException
        } catch (MalformedURLException e) {
            e.printStackTrace();
        } catch (JwkException e) {
            e.printStackTrace();
        }catch(SignatureVerificationException e){

            System.out.println(e.getMessage());

        }
当我尝试运行这段代码时,我在下面这行代码处遇到了sslhand shake异常。 jwk = provider.get(jwt.getKeyId()); 我们需要在JKS中添加任何公共证书吗? - Java Backend Developer
这个验证甚至包括过期的令牌。有没有办法自定义验证选项,包括到期时间、发行人等? - Paramesh Korrakuti
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接