Android JWT parsing payload/claims when signed


Question

I have a signed JWT string that I get from the server. I do not know the key, or rather I don't want to put the key on the client/device.

When using this site with my token, https://jwt.io/, I get the desired result: it tells me the header and payload information.

I cannot find a library on Android that does what this website does, and I have tried all of them that I could find. The most recognized one to use is: https://github.com/jwtk/jjwt

But this gives me an exception that I cannot parse a signed token, which, as proven by the other website above, is false. Another resource I have used is: https://bitbucket.org/b_c/jose4j/wiki/Home

This one at least gave me the header information, which is the furthest I have been able to get.

To give context why it is the way it is: the payload contains an expiration time, and on the device, when the token is about to expire, I should prompt the user to re-enter their credentials to get a new token. Now this might seem like a security threat because a hacker could manipulate the token on the device, but the server checks the token to make sure it is authentic, which is why I do not want the key on the device, because it could be mined by a hacker and make the entire application vulnerable.

Recommended answer

Well, the answer was pretty simple, although in my opinion it should be in the framework. A simple non-signed JWT still has the 2 required periods in it, but there is nothing after the last one, so I split my JWT on the periods, combined the first and second parts with a period, and put a period at the end.

import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;
String[] splitToken = result.Value.Content.AuthorizationJWTToken.split("\\."); // header, payload, signature
Jwt parsedToken = Jwts.parser().parse(splitToken[0] + "." + splitToken[1] + "."); // signature dropped, trailing period kept so jjwt treats it as unsigned

This uses the https://github.com/jwtk/jjwt library.
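As an added example (not code from the original answer or from the jjwt project), the same idea without any JWT library: split the compact serialization, base64url-decode the first two parts, and read the `exp` claim to decide when to prompt for re-authentication. It uses only `java.util.Base64` (Android API 26+) and `org.json.JSONObject`, which Android bundles; the class name, method names and the sample token in `main` are all constructed here. Nothing in it is verified, so the decoded values may drive UX only (when to show the login screen), never an authorization decision; the server must still validate the signature on every request. One caveat worth knowing: the key-on-device concern applies to shared-secret HMAC algorithms such as HS256. If the server signs with an asymmetric algorithm (for example RS256), the public key can safely ship in the app and the client can verify the signature as well.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.json.JSONException;
import org.json.JSONObject;

/** Decodes a JWT's header and claims WITHOUT verifying the signature (client-side UX only). */
public final class UnverifiedJwt {
    public final JSONObject header;
    public final JSONObject claims;

    private UnverifiedJwt(JSONObject header, JSONObject claims) {
        this.header = header;
        this.claims = claims;
    }

    /**
     * Splits the compact serialization (header.payload.signature) and decodes the
     * first two parts. The third part is ignored on purpose: without the key the
     * device cannot check it, so nothing returned here is authenticated. The
     * server still verifies the full token on every request.
     */
    public static UnverifiedJwt decode(String compact) throws JSONException {
        // limit -1 keeps an empty trailing part, so "header.payload." (no signature) still yields 3 parts
        String[] parts = compact.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 dot-separated parts, got " + parts.length);
        }
        return new UnverifiedJwt(decodeJson(parts[0]), decodeJson(parts[1]));
    }

    private static JSONObject decodeJson(String base64Url) throws JSONException {
        // JWT parts are base64url without padding; the URL decoder accepts padded or unpadded input
        byte[] raw = Base64.getUrlDecoder().decode(base64Url);
        return new JSONObject(new String(raw, StandardCharsets.UTF_8));
    }

    /**
     * True when the token should be refreshed: the exp claim is missing, or it falls
     * within skewSeconds of nowEpochSeconds (exp is seconds since the Unix epoch).
     */
    public boolean needsRefresh(long nowEpochSeconds, long skewSeconds) {
        if (!claims.has("exp")) {
            return true; // no expiry claim: do not assume the token is good forever
        }
        return claims.optLong("exp") - nowEpochSeconds <= skewSeconds;
    }

    // Helper for the constructed sample below (base64url, no padding, as JWT requires)
    private static String b64url(String s) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws JSONException {
        // Constructed sample token: header and claims are built here, and the signature
        // is a placeholder, which is the point: it is never decoded or checked on the device.
        String token = b64url("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "."
                + b64url("{\"sub\":\"1234567890\",\"exp\":1516239022}") + "."
                + "placeholder-signature";
        UnverifiedJwt jwt = UnverifiedJwt.decode(token);
        System.out.println("alg=" + jwt.header.getString("alg") + " sub=" + jwt.claims.getString("sub"));
        long now = System.currentTimeMillis() / 1000L;
        System.out.println("prompt for re-login: " + jwt.needsRefresh(now, 60));
    }
}
```

On a device, call `decode` on the token the server returned and schedule the re-login prompt from `needsRefresh`; the skew lets the prompt appear a little before the server would start rejecting the token.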
