Google OAuth JWT signature verification


Problem description

I'm making my own Google OAuth implementation in a PHP project. Everything works fine except when I try to verify the JWT received after the access token request (https://accounts.google.com/o/oauth2/token).

For JWT decoding I'm using the firebase/php-jwt class.

It decodes perfectly, but if I switch on the $verify option (the decode() method's 3rd argument) I get a Signature verification failed exception.

My guess is that I'm passing a wrong key to the decode() method; it's used later in the hash_hmac() function when the signature is generated.

So my question is: what key exactly should I pass for signature verification in the Google OAuth JWT context?

Recommended answer

From https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken, the recommended method:

"we recommend that you retrieve Google's public keys from https://www.googleapis.com/oauth2/v1/certs and perform the validation locally.

Since Google changes its public keys only infrequently (on the order of once per day), you can cache them and, in the vast majority of cases, perform local validation much more efficiently than by using the TokenInfo endpoint. This requires retrieving and parsing certificates, and making the appropriate crypto calls to check the signature. Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this."
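One way to do the local validation the answer describes, as an added example that is not code from the question, the answer, or the firebase/php-jwt project. It assumes firebase/php-jwt v6+ installed via Composer, network access to the certs URL quoted above, and a writable cache path (`/tmp/google-oauth2-certs.json` is an assumed name):

```php
<?php
// Added example: verify a Google ID token locally with firebase/php-jwt (v6+ API assumed),
// using the kid => PEM certificate map served at the URL the answer recommends.
require 'vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

const GOOGLE_CERTS_URL = 'https://www.googleapis.com/oauth2/v1/certs';
const CERTS_CACHE_FILE = '/tmp/google-oauth2-certs.json'; // assumed cache location
const CERTS_CACHE_TTL  = 3600;                            // seconds; Google rotates keys rarely

// Fetch the certificate map, caching it on disk so every login does not hit Google.
function googleCerts(): array {
    if (is_file(CERTS_CACHE_FILE) && time() - filemtime(CERTS_CACHE_FILE) < CERTS_CACHE_TTL) {
        return json_decode(file_get_contents(CERTS_CACHE_FILE), true);
    }
    $json = file_get_contents(GOOGLE_CERTS_URL);
    if ($json === false) {
        throw new RuntimeException('could not fetch Google certs');
    }
    file_put_contents(CERTS_CACHE_FILE, $json, LOCK_EX);
    return json_decode($json, true);
}

// Verify the signature and the claims; returns the payload or throws.
function verifyGoogleIdToken(string $idToken, string $clientId): stdClass {
    // Pin the algorithm to RS256: the token is signed with Google's RSA private key,
    // so a shared secret fed to hash_hmac() can never verify it.
    $keys = [];
    foreach (googleCerts() as $kid => $pem) {
        $keys[$kid] = new Key($pem, 'RS256');
    }
    // decode() selects the key by the token's "kid" header, checks the signature,
    // and rejects expired (exp) or not-yet-valid (nbf/iat) tokens.
    $payload = JWT::decode($idToken, $keys);

    if (!in_array($payload->iss ?? '', ['https://accounts.google.com', 'accounts.google.com'], true)) {
        throw new UnexpectedValueException('unexpected issuer');
    }
    if (($payload->aud ?? '') !== $clientId) {
        throw new UnexpectedValueException('token was not issued for this client');
    }
    return $payload;
}

// Usage: $idToken is the id_token field of the token endpoint response.
// $payload = verifyGoogleIdToken($idToken, 'YOUR_CLIENT_ID.apps.googleusercontent.com');
```

A token signed with an unknown kid, a wrong algorithm, or a different audience is rejected before any claim is trusted.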

