c# – UseJwtBearerAuthentication签名密钥

WWW-Authenticate: Bearer error="invalid_token",error_description="The signature key was not found"

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    Authority = "https://example.okta.com",Audience = "myClientId"
});

在遵循引用并深入研究 AspNet Security repo(特别是JwtBearerHandler和JwtBearerMiddleware类)之后,这导致了我在 Azure Extensions repo中的Microsoft.IdentityModel命名空间(首先是ConfigurationManager< T>类,然后是OpenIdConnectConfigurationRetriever类(GetAsync方法),然后到JsonWebKeySet.GetSigningKeys()方法),我终于发现JwtBearerMiddleware确实从元数据中的jwks_uri获取了密钥.唷.

那为什么不工作呢？我之前应该检查的是,持票人JWT标题中的孩子实际上并不匹配jwks_uri中的任何一个孩子,因此没有找到.这是我作为持票人令牌发送的access_code.另一方面,id_token确实有一个匹配的孩子,所以使用它而不是它的工作！

我读过：

The OIDC Access Token is applicable only for the Okta
/oauth2/v1/userinfo endpoint and thus should be treated as opaque by
the application. The application does not need to validate it since it
should not be used against other resource servers. The format of it
and the key used to sign it are subject to change without prior
notice.
07002

…所以我不能使用访问令牌.