我最近一直在研究Azure AD授权代码流程,突然开始将所有内容转移到Azure AD B2C,发现Azure AD和Azure AD B2C之间存在很多差异。以下是我的问题,请有人能回答吗?
Azure AD中注册本地应用程序时,允许http或https作为重定向URL。但Azure AD B2C不支持此功能(由于两者都遵循OAUTH规范,因此两者应该表现类似)。
Azure AD JWT访问令牌具有“x5c”条目,而B2C没有此条目。这是有特别原因的吗?我尝试从Azure AD中复制公钥,并尝试上传相同的签名密钥到B2C,但无法成功。不确定我缺少了什么,但我的问题是为什么这些访问令牌在其签名方面不同。
e)和模数(n)生成公钥。但是密钥终结点不同,我们需要使用以下链接检索Azure AD B2C的密钥:https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys?p={signInPolicy}
以下是验证Azure AD B2C发行的令牌的代码,供您参考:
static void Main(string[] args)
{
var idtoken = "";
var exponent = "AQAB";
var modulus = "";
var result= VerifyTokenDetails(idtoken, exponent, modulus);
}
private static bool VerifyTokenDetails(string idToken, string exponent, string modulus)
{
try
{
var parts = idToken.Split('.');
var header = parts[0];
var payload = parts[1];
string signedSignature = parts[2];
//Extract user info from payload
string userInfo = Encoding.UTF8.GetString(Base64UrlDecode(payload));
//Which will be Verified
string originalMessage = string.Concat(header, ".", payload);
byte[] keyBytes = Base64UrlDecode(modulus);
string keyBase = Convert.ToBase64String(keyBytes);
string key = @"<RSAKeyValue> <Modulus>" + keyBase + "</Modulus> <Exponent>" + exponent + "</Exponent> </RSAKeyValue>";
bool result = VerifyData(originalMessage, signedSignature, key);
if (result)
return true;
else
return false;
}
catch (Exception ex) { }
return false;
}
/// <summary>
/// Verifies encrypted signed message with public key encrypted original message.
/// </summary>
/// <param name="originalMessage">Original message as string. (Encrypted form)</param>
/// <param name="signedMessage">Signed message as string. (Encrypted form)</param>
/// <param name="publicKey">Public key as XML string.</param>
/// <returns>Boolean True if successful otherwise return false.</returns>
private static bool VerifyData(string originalMessage, string signedMessage, string publicKey)
{
bool success = false;
using (var rsa = new RSACryptoServiceProvider())
{
var encoder = new UTF8Encoding();
byte[] bytesToVerify = encoder.GetBytes(originalMessage);
byte[] signedBytes = Base64UrlDecode(signedMessage);
try
{
rsa.FromXmlString(publicKey);
SHA256Managed Hash = new SHA256Managed();
byte[] hashedData = Hash.ComputeHash(signedBytes);
// Summary:
// Verifies that a digital signature is valid by determining the hash value in the
// signature using the provided public key and comparing it to the hash value of
// the provided data.
success = rsa.VerifyData(bytesToVerify, CryptoConfig.MapNameToOID("SHA256"), signedBytes);
}
catch (CryptographicException e)
{
success = false;
}
finally
{
rsa.PersistKeyInCsp = false;
}
}
return success;
}
private static byte[] Base64UrlDecode(string input)
{
var output = input;
output = output.Replace('-', '+'); // 62nd char of encoding
output = output.Replace('_', '/'); // 63rd char of encoding
switch (output.Length % 4) // Pad with trailing '='s
{
case 0: break; // No pad chars in this case
case 2: output += "=="; break; // Two pad chars
case 3: output += "="; break; // One pad char
default: throw new System.Exception("Illegal base64url string!");
}
var converted = Convert.FromBase64String(output); // Standard base64 decoder
return converted;
}
x5c。我们只需要使用 x5t 声明来从密钥终结点标识公钥。然后,我们可以使用 e 和 n 的值创建密钥以生成公钥以验证令牌。有关从 Azure AD B2C 验证令牌的更多详细信息,请参阅此 链接。 - Fei Xue - MSFT