I think you're looking for this:
https://zhiliaxu.github.io/how-do-aspnet-core-services-validate-jwt-signature-signed-by-aad.html
Here zhiliaxu explains in detail how and what is actually validated when using .AddJwtBearer(),
and his conclusions are:
Now it is clear that:
- JWT signature is validated without providing any key or certificate
in our service's source code.
- JWT signing key is retrieved from the well-known URL https://login.microsoftonline.com/common/discovery/keys, based on
the JwtBearerOptions.Authority property.
- The signing key is cached in the JwtBearerHandler singleton instance, and so our ASP.NET Core service only needs to retrieve it
once throughout its lifecycle.
Also based on this article we can take a look at the ValidateToken()
documentation on MSDN: https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=azure-dotnet, where you can find the different exceptions the method throws:
- SecurityTokenDecryptionFailedException: token was a JWE that could not be decrypted.
- SecurityTokenEncryptionKeyNotFoundException: token 'kid' header claim is not null AND decryption fails.
- SecurityTokenException: token 'enc' header claim is null or empty.
- SecurityTokenExpiredException: token 'exp' claim is < DateTime.UtcNow.
- SecurityTokenInvalidAudienceException: token 'aud' claim did not match either ValidAudience or one of ValidAudiences.
- SecurityTokenInvalidLifetimeException: token 'nbf' claim is > 'exp' claim.
- SecurityTokenInvalidSignatureException: token.signature is not properly formatted.
- SecurityTokenNoExpirationException: TokenReplayCache is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
- SecurityTokenNotYetValidException: token 'nbf' claim is > DateTime.UtcNow.
- SecurityTokenReplayAddFailedException: token could not be added to the TokenReplayCache.
- SecurityTokenReplayDetectedException: token is found in the cache.
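As an added example (not code from this answer or from zhiliaxu's article), here is how the pieces above fit together in an ASP.NET Core app: .AddJwtBearer() is given only an Authority, the handler fetches the issuer's signing keys from that authority's metadata, and every SecurityToken*Exception thrown by ValidateToken() surfaces in OnAuthenticationFailed, where it can be logged by type. The tenant ID, audience and the /me route are placeholders, and ValidateAadTokenAsync is my own illustration of the steps the handler performs internally, not a library API.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Placeholders (assumptions): your tenant ID (GUID) and this API's App ID URI or client ID.
const string TenantId = "<tenant-id>";
const string Audience = "api://<api-client-id>";
string authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // No key or certificate here: from Authority the handler fetches
        // {Authority}/.well-known/openid-configuration, follows jwks_uri, caches the
        // keys, and picks the one whose 'kid' matches the token header.
        options.Authority = authority;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = authority,             // v2.0 tokens carry the tenant-specific issuer
            ValidateAudience = true,
            ValidAudience = Audience,            // rejects tokens minted for other APIs
            ValidateLifetime = true,             // 'exp' / 'nbf' checks
            ClockSkew = TimeSpan.FromMinutes(2), // library default is 5 minutes
        };
        options.Events = new JwtBearerEvents
        {
            // Every SecurityToken*Exception from ValidateToken ends up here.
            // Log the category, never the token itself.
            OnAuthenticationFailed = ctx =>
            {
                string reason = ctx.Exception switch
                {
                    SecurityTokenExpiredException => "expired ('exp' < now)",
                    SecurityTokenNotYetValidException => "not yet valid ('nbf' > now)",
                    SecurityTokenInvalidAudienceException => "audience mismatch",
                    SecurityTokenInvalidIssuerException => "issuer mismatch",
                    // derives from SecurityTokenInvalidSignatureException, so it is matched first
                    SecurityTokenSignatureKeyNotFoundException => "no cached key matches 'kid'",
                    SecurityTokenInvalidSignatureException => "bad signature",
                    SecurityTokenReplayDetectedException => "replayed token",
                    _ => ctx.Exception.GetType().Name,
                };
                ctx.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
                    .CreateLogger("JwtBearer")
                    .LogWarning("JWT rejected: {Reason}", reason);
                return Task.CompletedTask;
            },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (ClaimsPrincipal user) => user.FindFirst("oid")?.Value ?? "no oid claim")
   .RequireAuthorization();
app.Run();

// Hypothetical helper, not a library API: the handler's steps spelled out by hand.
// ConfigurationManager caches the metadata (and the JWKS keys) and refreshes it
// periodically, which is why the keys are not downloaded on every request.
static async Task<ClaimsPrincipal> ValidateAadTokenAsync(
    string token, string authority, string audience, CancellationToken ct)
{
    var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        $"{authority}/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever());
    OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync(ct);

    var parameters = new TokenValidationParameters
    {
        ValidIssuer = config.Issuer,
        ValidAudience = audience,
        IssuerSigningKeys = config.SigningKeys, // JWKS keys, matched to the token's 'kid'
        ValidateLifetime = true,
    };
    // Throws one of the SecurityToken*Exception types listed above when validation fails.
    return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
}
```

One caveat worth keeping in mind with the "retrieve it once" behaviour: AAD rotates its signing keys, so a cached key set eventually goes stale. JwtBearerOptions.RefreshOnIssuerKeyNotFound (default true) makes the handler re-fetch the metadata once when a token's 'kid' is not among the cached keys, and the ConfigurationManager also refreshes on its own interval, which is what keeps rotation from turning into a flood of SecurityTokenSignatureKeyNotFoundException.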