如何在授权服务器之外验证JWT [英] How can JWT be verified outside the authorization server


Question

Recently, I'm trying to implement an OAuth2.0 server using JSON Web Token (JWT) as the access token. I'm very confused about the self-contained feature of JWT. I notice that a JWT can be verified anywhere, not necessarily in the authorization server, because it is self-contained. How does this feature work? What claims should be included in a JWT in order to realize the self-contained feature?

Another question is that, if JWT is stateless, it means the server should not store the JWT. Then how is the JWT verified? Can't it be easily forged?

I'm a rookie in this field; I hope someone can help me out :)

Answer

A JWT contains claims that can be signed, encrypted, or both. These operations are performed using cryptographic keys. Keys can be symmetric (e.g. octet keys) or asymmetric (e.g. private/public key pairs such as RSA or EC keys).

When you want to verify a JWT (i.e. a JWS), you have to perform the following steps:

  • Check the header (the algorithm is supported, critical claims are in the payload and their values are understood).
  • Check the claims (especially exp, iat, nbf, aud).
  • Check the signature.

To check the signature, you need the key and, depending on the algorithm, this key can be

  • a symmetric key
  • a public key (if asymmetric)

When you want to allow third-party applications to verify your JWT, you will use asymmetric keys and share the public key with the third parties. As public keys cannot be used to sign, third parties cannot forge a valid token with custom claims.

The way you share the keys is up to you. The common way is to provide a URL where applications will retrieve them (e.g. Google keys at https://www.googleapis.com/oauth2/v3/certs).
