Verifying jwt tokens [rsa]


Question

A colleague and myself have been trying to understand how jwt tokens verify tokens, but from our reading we seem to be confusing ourselves.

Please can someone help confirm whether my thinking is correct

  • Tokens are signed using the private key. The signature is a combination of the header and payload encrypted using the private key and added to the jwt as the last part, the signature.
  • In order to verify the token the receiver can replicate this process using the public key. They encrypt the header and payload to see if it is the same as the signature. Note this is not decryption. The receiver is not decrypting the token (this is the main thing we are unsure of).
  • The receiver cannot issue new tokens as they do not have the private key to encrypt a new token with.

I have read the jwt documentation on both RS256 and HS256 and am still struggling to confirm my thinking, hence the post.

Recommended answer

Tokens can be digitally signed using a key pair, private and public, or hashed using a secret key:

  • RS256: RSA KeyPair with SHA256. Token is signed with private key and verified using the public
  • HS256: HMAC key with SHA256. The key is the same to sign and verify

A compact JWT looks like this: hhhhh.ppppp.sssss

  • hhhhh: Header of JWT, includes the algorithm used to sign the token, e.g. {"alg":"RS256","typ":"JWT"}. Encoded in base64url
  • ppppp: Payload of JWT, includes some useful claims like sub, iss or exp. Encoded in base64url
  • sssss: Signature of JWT, performed on the concatenation of the base64url encoding of header and payload using the specified algorithm and encoded in base64. E.g. b64(signature(hhhhhh.pppppp))

Answering your question, you are referring to RS256 using a key pair, where the client verifies the token using the public key (a verification with an HMAC key would mean client and server share the key).

The token is signed (not encrypted) with the algorithm I wrote above. To verify, the client verifies that the signature matches the first part of the token hhhhhh.pppppp using the provided public key. Digital signature verification is a standard operation supported in all modern languages. Note that this is not the same as encryption/decryption.
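The RS256 flow the answer describes, written out as an added example (this is not code from the question, the answer, or any JWT library). It uses only the Go standard library: the issuer signs SHA-256 of `hhhhh.ppppp` with the private key, and the receiver re-hashes the same two parts and checks the signature with the public key, so nothing is ever decrypted. The function names `SignRS256`, `VerifyRS256` and `Demo`, the throwaway key pair and the sample claims are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWT uses base64url without padding for all three parts.
var b64url = base64.RawURLEncoding

// SignRS256 builds hhhhh.ppppp.sssss. Only the issuer can do this: sssss is an
// RSA PKCS#1 v1.5 signature, made with the private key, over SHA-256("hhhhh.ppppp").
func SignRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url.EncodeToString(header) + "." + b64url.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url.EncodeToString(sig), nil
}

// VerifyRS256 is what the receiver runs with the public key alone. Nothing is
// decrypted: it re-hashes "hhhhh.ppppp" itself and asks RSA whether sssss is a
// valid signature for that digest. The algorithm is pinned to RS256 instead of
// being taken on trust from the header. Returns the decoded claims on success.
func VerifyRS256(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three dot-separated parts")
	}
	headerJSON, err := b64url.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q, want RS256", header.Alg)
	}
	sig, err := b64url.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not match: %w", err)
	}
	payloadJSON, err := b64url.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	err = json.Unmarshal(payloadJSON, &claims)
	return claims, err
}

// Demo uses a throwaway key pair (constructed for this example): it issues a
// token, verifies it with the public key, then keeps the header and signature
// but swaps the payload to show the old signature no longer matches.
// Returns (genuine token accepted, modified token rejected).
func Demo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	token, err := SignRS256(priv, map[string]interface{}{"sub": "alice", "iss": "example-issuer", "exp": 1700000000})
	if err != nil {
		return false, false, err
	}
	claims, err := VerifyRS256(&priv.PublicKey, token)
	accepted := err == nil && claims["sub"] == "alice"

	// Same hhhhh and sssss, different ppppp: the digest changes, so verification fails.
	parts := strings.Split(token, ".")
	modified := parts[0] + "." + b64url.EncodeToString([]byte(`{"sub":"bob"}`)) + "." + parts[2]
	_, err = VerifyRS256(&priv.PublicKey, modified)
	return accepted, err != nil, nil
}

func main() {
	accepted, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine token accepted:", accepted, "| modified token rejected:", rejected)
}
```

Two things worth noting from the code: the receiver never needs, and never derives, the private key, which is why it cannot produce a valid sssss for a payload of its own; and a passing signature only proves who issued the token and that it is unchanged, so claims such as exp and iss still have to be checked separately once `VerifyRS256` returns them.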
