JWT Token Invalid Signature


Problem description

I am using JWT in my application for the login authentication process. To generate the token I am using:

Jwts.builder().setSubject(username).signWith(SignatureAlgorithm.HS512, MacProvider.generateKey()).compact();

Generated token:

eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJlaG91c2VAZGV2ZXJldXgub3JnIn0.5SX-aU-p_RlfC3CZa-YXnQu_YR7RsG2Xfim3LOmlqxjAZrIyZiz0fYZwViHr113ms8TNvngcJcV07U4hK-RBZQ

When I decode this token in the jwt.io debugger it tells me an invalid signature. I am not able to find the reason for this failure, as I can see the username in the payload which I am using to authenticate. Could anybody point out the issue? Do I need to change anything in the code?

Recommended answer

MacProvider.generateKey() is generating a new random signing key each time you use it. You need to generate it once and store it. The key is used to sign and verify the token.

If you do not store the key you will not be able to verify the token, which is exactly the problem with jwt.io. You must provide the signing key. In your case, using a random key that can contain non-representable characters (it is possible to use a passphrase too, but not recommended), encode it to base64. Then mark the check in jwt.io to verify the token.

// Generate the key once, then store it and reuse it for signing and verification
Key key = MacProvider.generateKey();
String keyB64 = javax.xml.bind.DatatypeConverter.printBase64Binary(key.getEncoded());
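
The fix carried through end to end, as an added example that is not part of the original answer: the key is generated once, kept in Base64 form, reloaded, and used for both signing and verification, next to the failing fresh-key case from the question. It assumes JJWT 0.9.x on the classpath; the class name, the helper methods and the sample subject are made up for illustration.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.impl.crypto.MacProvider;

import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import java.util.Base64;

public class StoredKeyJwtDemo {

    // Rebuild the HS512 key from its stored Base64 form.
    static Key loadKey(String keyB64) {
        byte[] raw = Base64.getDecoder().decode(keyB64);
        return new SecretKeySpec(raw, SignatureAlgorithm.HS512.getJcaName());
    }

    // Same builder call as in the question, but with a caller-supplied key.
    static String issue(String username, Key key) {
        return Jwts.builder().setSubject(username)
                .signWith(SignatureAlgorithm.HS512, key).compact();
    }

    // Returns the subject if the signature checks out, null otherwise.
    static String verify(String token, Key key) {
        try {
            return Jwts.parser().setSigningKey(key)
                    .parseClaimsJws(token).getBody().getSubject();
        } catch (SignatureException e) {
            return null; // signed with a different key, or tampered with
        }
    }

    public static void main(String[] args) {
        // Generate once. In a deployment keyB64 would be read from a secret
        // store; it is constructed in-process here so the demo runs offline.
        String keyB64 = Base64.getEncoder().encodeToString(
                MacProvider.generateKey(SignatureAlgorithm.HS512).getEncoded());

        String token = issue("alice@example.org", loadKey(keyB64));

        // Verifying with the reloaded stored key.
        System.out.println("stored key: " + verify(token, loadKey(keyB64)));
        // Verifying with a fresh random key, as the question's code would.
        System.out.println("fresh key : " + verify(token, MacProvider.generateKey()));
    }
}
```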
