JWT 根据 JWT.io 有效,但对于 Graph API 无效或格式错误

【问题标题】:JWT valid according to JWT.io but invalid or malformed for Graph APIJWT 根据 JWT.io 有效,但对于 Graph API 无效或格式错误
【发布时间】:2021-05-16 09:31:55
【问题描述】:

我一直在编写一个脚本,该脚本正在创建一个 JWT,以便使用本地安装的证书访问 Microsoft Graph。

使用证书中的属性PrivateKey 似乎有一个更简单的解决方案,但在某些情况下(取决于密钥提供程序 CNG 或其他)它不会显示。我必须使用 OpenSSL 手动提取私钥,然后将其转换为 RSACryptoServiceProvider 才能对标头+有效负载进行签名。

现在我正在努力使用 JWT 令牌,根据 jwt.io,该令牌似乎是有效的,但对于 Microsoft 来说是无效或格式错误的。

这是错误代码:

Invoke-RestMethod : 
{
  "error": "invalid_request",
  "error_description": "AADSTS50027: JWT token is invalid or malformed.\r\nTrace ID:ed98bb58-8545-4667-acdd-8ce863303b00\r\nCorrelation ID: 722422ce-48d0-47ae-876d-3fb60a588e75\r\nTimestamp: 2021-02-12 13:53:47Z",
  "error_codes": [50027],
  "timestamp": "2021-02-12 13:53:47Z",
  "trace_id": "ed98bb58-8545-4667-acdd-8ce863303b00",
  "correlation_id": "722422ce-48d0-47ae-876d-3fb60a588e75",
  "error_uri": "https://login.microsoftonline.com/error?code=50027"
}

At D:\Scripts_Teams\QUAL\ReportingGraphAPI\Get-AuthTokenMSALDelegate.ps1:223 char:20
 + $accessToken = Invoke-RestMethod @PostSplat
 + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
 + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null.
 + 
At D:\Scripts_Teams\QUAL\ReportingGraphAPI\Get-AuthTokenMSALDelegate.ps1:225 char:41
 + $accessToken=$accessToken.content | ConvertFrom-Json
 + CategoryInfo          : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException
 + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

这是我从 jwt.io 得到的结果: JWT.IO

这里是代码:

function Generate-JWT (
  [Parameter(Mandatory = $True)]
  [string]$Issuer = $null,
  [Parameter(Mandatory = $True)]
  [int]$ValidforMinutes = $null,
  [Parameter(Mandatory = $true)]
  $CertificateThumbprint,
  [Parameter(Mandatory = $true)]
  $TenantName
) {

  $Certificate = Get-Item "Cert:\LocalMachine\My\$CertificateThumbprint"
  # Create base64 hash of certificate
  $CertificateBase64Hash = [System.Convert]::ToBase64String($Certificate.GetCertHash())
  $tempfile = "C:\Temp\tempCert.pfx"
  Export-PfxCertificate -FilePath $tempfile -Cert $Certificate -Password (ConvertTo-SecureString -AsPlainText "MyP@ssw0rd!" -Force)
  D:\Tools\OpenSSL\Bin\openssl.exe pkcs12 -in $tempfile -nocerts -out "C:\Temp\key.pem" -nodes -password pass:MyP@ssw0rd!
  D:\Tools\OpenSSL\Bin\openssl.exe rsa -in "C:\Temp\key.pem" -out "C:\Temp\key.key"

  $Algorithm = 'RS256'
  $type = 'JWT'
  $x5t = $CertificateBase64Hash -replace '\+', '-' -replace '/', '_' -replace '='
  $aud = "https://login.microsoftonline.com/$TenantName/oauth2/token"
  $jti = [guid]::NewGuid()

  # Create JWT timestamp for expiration
  $StartDate = (Get-Date "1970-01-01T00:00:00Z" ).ToUniversalTime()
  $JWTExpirationTimeSpan = (New-TimeSpan -Start $StartDate -End (Get-Date).ToUniversalTime().AddMinutes($ValidforMinutes)).TotalSeconds
  $JWTExpiration = [math]::Round($JWTExpirationTimeSpan, 0)
  # Create JWT validity start timestamp
  $NotBeforeExpirationTimeSpan = (New-TimeSpan -Start $StartDate -End ((Get-Date).ToUniversalTime())).TotalSeconds
  $NotBefore = [math]::Round($NotBeforeExpirationTimeSpan, 0)


  [hashtable]$JWTHeader = @{
    alg = $Algorithm
    typ = $type
    x5t = $x5t
  }
  [hashtable]$JWTPayLoad = @{
    aud = $aud
    exp = $JWTExpiration
    iss = $Issuer
    jti = $jti
    nbf = $NotBefore
    sub = $Issuer
  }

  $headerjson = $JWTHeader | ConvertTo-Json -Compress
  $payloadjson = $JWTPayLoad | ConvertTo-Json -Compress
    
  # Convert header and payload to base64
  $EncodedHeader = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($headerjson)).Split('=')[0].Replace('+', '-').Replace('/', '_')
  $EncodedPayload = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payloadjson)).Split('=')[0].Replace('+', '-').Replace('/', '_')

  $ToSign = $EncodedHeader + "." + $EncodedPayload


  # Define RSA signature and hashing algorithm
  $RSAPadding = [Security.Cryptography.RSASignaturePadding]::Pkcs1
  $HashAlgorithm = [Security.Cryptography.HashAlgorithmName]::SHA256
    
  $opensslkeysource = Get-Content "D:\Scripts_Teams\QUAL\ReportingGraphAPI\opensslkey.cs" -Raw
  try {
    Add-Type -TypeDefinition $opensslkeysource
  }
  catch {
    if ($_.Exception -match "already exists") {
      Write-Verbose "The JavaScience.Win32 assembly (i.e. opensslkey.cs) is already loaded. Continuing..."
    }
  }
    
  $PemText = [System.IO.File]::ReadAllText("C:\Temp\key.key")
  $PemPrivateKey = [javascience.opensslkey]::DecodeOpenSSLPrivateKey($PemText)
  [System.Security.Cryptography.RSACryptoServiceProvider]$RSA = [javascience.opensslkey]::DecodeRSAPrivateKey($PemPrivateKey)
    

  # Create a signature of the JWT
  $Signature = [Convert]::ToBase64String(
    $RSA.SignData([System.Text.Encoding]::UTF8.GetBytes($ToSign), $HashAlgorithm, $RSAPadding)
  ) -replace '\+', '-' -replace '/', '_' -replace '='


  $JWT = $ToSign + "." + $Signature
  return $JWT
}

这就是它的名称:

$JWT = Generate-JWT  -Issuer $clientID -ValidforMinutes 60  -CertificateThumbprint $Thumbprint -TenantName $TenantName
  
$authBody = @{
  client_id             = $clientID
  client_assertion      = $JWT
  client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
  scope                 = "https://graph.microsoft.com/.default"
  grant_type            = "client_credentials"
    
}

# Use the self-generated JWT as Authorization
$Header = @{
  Authorization = "Bearer $JWT"
}


$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
# Splat the parameters for Invoke-Restmethod for cleaner code
$PostSplat = @{
  ContentType = 'application/x-www-form-urlencoded'
  Method      = 'POST'
  Body        = $authBody
  Uri         = $Uri
  Headers     = $Header
}

$accessToken = Invoke-RestMethod @PostSplat

你知道为什么这个 JWT 会被拒绝吗?

【问题讨论】:

    标签: powershell azure-active-directory jwt microsoft-graph-api


    【解决方案1】:

    关于问题,请参考以下脚本

    1. 从您的商店将证书导出为 PFX 文件
    $mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
 $Certificate = Get-Item "Cert:\LocalMachine\My\$CertificateThumbprint"
 $Certificate | Export-PfxCertificate -FilePath C:\mypfx.pfx -Password $mypwd
    1. 将证书上传到 Azure AD
    $password= ConvertTo-SecureString "Password0123!" -AsPlainText -Force
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$Cert.Import("E:\cert\my.pfx", $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

Connect-AzureAD

 $certKeyId = [Guid]::NewGuid()
   $certBase64Value = [System.Convert]::ToBase64String($Cert.GetRawCertData())
   $certBase64Thumbprint = [System.Convert]::ToBase64String($Cert.GetCertHash())

   # Add a Azure Key Credentials from the certificate for the daemon application
   $clientKeyCredentials = New-AzureADApplicationKeyCredential -ObjectId <> `
                                                                    -CustomKeyIdentifier "" `
                                                                    -Type AsymmetricX509Cert `
                                                                    -Usage Verify `
                                                                    -Value $certBase64Value `
                                                                    -StartDate $Cert.NotBefore `
                                                                    -EndDate $Cert.NotAfter
    1. 创建客户端断言
    $password= ConvertTo-SecureString "!" -AsPlainText -Force
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$Cert.Import("E:\cert\my.pfx", $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

$appEndPoint = "https://login.microsoftonline.com/<tenantId>/v2.0"
$appClientID = "
<clientid>"
$jwtStartTimeUnix = ([DateTimeOffset](Get-Date).ToUniversalTime()).ToUnixTimeSeconds()
$jwtEndTimeUnix = ([DateTimeOffset](Get-Date).AddHours(1).ToUniversalTime()).ToUnixTimeSeconds()
$jwtID = [guid]::NewGuid().Guid

$headerjson = @{
    alg="RS256";
    typ="JWT";
    x5t=[System.Convert]::ToBase64String($Cert.GetCertHash())
} | ConvertTo-Json -Compress

$payloadjson = @{
    aud = $appEndPoint;
    exp = $jwtEndTimeUnix;
    iss = $appClientID;
    jti = $jwtID;
    nbf = $jwtStartTimeUnix;
    sub = $appClientID
} | ConvertTo-Json -Compress

$EncodedHeader = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($headerjson)).Split('=')[0].Replace('+', '-').Replace('/', '_')
$EncodedPayload = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payloadjson)).Split('=')[0].Replace('+', '-').Replace('/', '_')

$ToSign = $EncodedHeader + "." + $EncodedPayload
$RSAPadding = [Security.Cryptography.RSASignaturePadding]::Pkcs1
$HashAlgorithm = [Security.Cryptography.HashAlgorithmName]::SHA256

$rsa=[System.Security.Cryptography.RSACryptoServiceProvider]::new()
$rsa.FromXmlString($Cert.PrivateKey.ToXmlString($true))
$Signature=$rsa.SignData([System.Text.Encoding]::UTF8.GetBytes($ToSign), $HashAlgorithm, $RSAPadding)
$Signature = [Convert]::ToBase64String($Signature).Split('=')[0].Replace('+', '-').Replace('/', '_')

$JWT = $ToSign + "." + $Signature
    1. 获取令牌
    $authBody = @{
  client_id             = $appClientID 
  client_assertion      = $JWT
  client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
  scope                 = "https://graph.microsoft.com/.default"
  grant_type            = "client_credentials"
    
}



$uri = "https://login.microsoftonline.com/<>/oauth2/v2.0/token"
# Splat the parameters for Invoke-Restmethod for cleaner code
$PostSplat = @{
  ContentType = 'application/x-www-form-urlencoded'
  Method      = 'POST'
  Body        = $authBody
  Uri         = $Uri

}

$accessToken = Invoke-RestMethod @PostSplat
$accessToken

    更多详情请参考

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials

    https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-client-assertions#signed-assertions

    更新

    根据我的测试,C#代码是对的。可能你的脚本有问题。 这是我的脚本

    $cert = Get-Item "Cert:\LocalMachine\My\<>"
Export-PfxCertificate -FilePath $tempfile -Cert $Certificate -Password (ConvertTo-SecureString -AsPlainText "MyP@ssw0rd!" -Force)
$tempfile=""
D:\Tools\OpenSSL\Bin\openssl.exe pkcs12 -in $tempfile -nocerts -out "E:\cert\key.pem" -nodes -password pass:MyP@ssw0rd!
D:\Tools\OpenSSL\Bin\openssl.exe rsa -in "E:\cert\key.pem" -out "E:\cert\key.key"



$code= Get-Content -Path "D:\opensslkey.cs" -Raw

Add-Type -TypeDefinition $code -Language CSharp 

$pemString =Get-Content -Path E:\cert\key.key -Raw
$key=[JavaScience.opensslkey]::DecodeOpenSSLPrivateKey($pemString)

$rsa=[JavaScience.opensslkey]::DecodeRSAPrivateKey($key)


$appEndPoint = "https://login.microsoftonline.com/<tenantId>/oauth2/token"
$appClientID = "232a1406-b27b-4667-b8c2-3a865c42b79c"
$jwtStartTimeUnix = ([DateTimeOffset](Get-Date).ToUniversalTime()).ToUnixTimeSeconds()
$jwtEndTimeUnix = ([DateTimeOffset](Get-Date).AddHours(1).ToUniversalTime()).ToUnixTimeSeconds()
$jwtID = [guid]::NewGuid().Guid

$headerjson = @{
    alg="RS256";
    typ="JWT";
    x5t=[System.Convert]::ToBase64String($Cert.GetCertHash()) -replace '\+', '-' -replace '/', '_' -replace '='
} | ConvertTo-Json -Compress

$payloadjson = @{
    aud = $appEndPoint;
    exp = $jwtEndTimeUnix;
    iss = $appClientID;
    jti = $jwtID;
    nbf = $jwtStartTimeUnix;
    sub = $appClientID
} | ConvertTo-Json -Compress

$EncodedHeader = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($headerjson)).Split('=')[0].Replace('+', '-').Replace('/', '_')
$EncodedPayload = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payloadjson)).Split('=')[0].Replace('+', '-').Replace('/', '_')

$ToSign = $EncodedHeader + "." + $EncodedPayload
$RSAPadding = [Security.Cryptography.RSASignaturePadding]::Pkcs1
$HashAlgorithm = [Security.Cryptography.HashAlgorithmName]::SHA256

$Signature=$rsa.SignData([System.Text.Encoding]::UTF8.GetBytes($ToSign), $HashAlgorithm, $RSAPadding)
$Signature = [Convert]::ToBase64String($Signature).Split('=')[0].Replace('+', '-').Replace('/', '_')

$JWT = $ToSign + "." + $Signature

$authBody = @{
  client_id             = $appClientID 
  client_assertion      = $JWT
  client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
  scope                 = "https://graph.microsoft.com/.default"
  grant_type            = "client_credentials"
    
}



$uri = "https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token"
# Splat the parameters for Invoke-Restmethod for cleaner code
$PostSplat = @{
  ContentType = 'application/x-www-form-urlencoded'
  Method      = 'POST'
  Body        = $authBody
  Uri         = $Uri

}

$accessToken = Invoke-RestMethod @PostSplat
$accessToken.access_token

    【讨论】:

    • 徐吉姆你好!谢谢,我看到这个版本使用属性PrivateKey。问题是我无法创建另一个证书,因为我必须使用客户的内部 PKI。但是您的样本看起来非常相似。您知道可能导致问题的原因吗?
    • @StéphenWolf 当您从密钥文件中读取内容时,请尝试删除 pemprivheader 和 pemprivfooter。
    • @StéphenWolf 既然您已经使用Export-PfxCertificate 将证书导出为pfx,为什么不直接使用X509Certificate2 读取pfx 文件以获取私钥。
    • 我刚刚尝试过,但是 JWT 在 jwt.io 上显示为无效,并且 Graph API 返回了相同的错误。
    • 我也试过了,PS D:\ReportingGraphAPI&gt; $Cert | fl * EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)} DnsNameList : {serverXXX} [...] HasPrivateKey : True **PrivateKey : ** PublicKey : System.Security.Cryptography.X509Certificates.PublicKey [...] 私钥是空的
    猜你喜欢
    • 2022-10-25
    • 1970-01-01
    • 1970-01-01
    • 2021-04-12
    • 1970-01-01
    • 2021-03-16
    • 2014-08-15
    • 2014-03-03
    • 2018-08-20
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode