How to verify a JWT Token from AWS Cognito in Go?


Question

How can I validate and get info from a JWT received from Amazon Cognito?

I have set up Google authentication in Cognito and set the redirect URI to hit API Gateway; I then receive a code which I POST to this endpoint:

https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

to receive the JWT token, in RS256 format. I am now struggling to validate and parse the token in Golang. I've tried to parse it using jwt-go, but it appears to support HMAC by default, and I read somewhere that they recommend using frontend validation instead. I tried a few other packages and had similar problems.

I came across this answer here: Go Language and Verify JWT, but I assume the code is outdated, as that just says panic: unable to find key.

jwt.io can easily decode the key, and probably verify it too. I'm not sure where the public/secret keys are, as Amazon generated the token, but from what I understand I need to use a JWK URL to validate too? I've found a few AWS-specific solutions, but they all seem to be hundreds of lines long. Surely it isn't that complicated in Golang, is it?

Answer

Amazon Cognito's public keys

As you already guessed, you'll need the public key in order to verify the JWT token.

Download and store the corresponding public JSON Web Key (JWK) for your user pool. It is available as part of a JSON Web Key Set (JWKS). You can locate it at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json

Parse the keys and verify the token

That JSON file structure is documented on the web, so you could potentially parse it manually, generate the public keys, etc.

But it'd probably be easier to just use a library, for example this one: https://github.com/lestrrat-go/jwx

And then jwt-go to deal with the JWT part: https://github.com/dgrijalva/jwt-go

Then you can:

1) Download and parse the public-key JSON using the first library

// jwx v0.x API: Fetch takes the JWKS URL and returns (*jwk.Set, error).
// In jwx v1+ the call takes a context first: jwk.Fetch(ctx, url).
keySet, err := jwk.Fetch(THE_COGNITO_URL_DESCRIBED_ABOVE)

2) When parsing the token with jwt-go, use the "kid" field from the JWT header to find the right key to use

// Needs the errors and fmt imports plus jwt "github.com/dgrijalva/jwt-go" and
// "github.com/lestrrat-go/jwx/jwk". Written against the jwx v0.x API, where
// LookupKeyID returns a slice and Materialize returns the raw *rsa.PublicKey;
// in jwx v1+ LookupKeyID returns (jwk.Key, bool) and the raw key comes from key.Raw(&pub).
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    // Allow-list the algorithm: never let the token choose it. This rejects
    // "alg": "none" and an HMAC token signed with the public key as the secret.
    if _, ok := token.Method.(*jwt.SigningMethodRS256); !ok {
        return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
    }
    // Cognito names the signing key in the "kid" header; look it up in the JWKS.
    kid, ok := token.Header["kid"].(string)
    if !ok {
        return nil, errors.New("kid header not found")
    }
    keys := keySet.LookupKeyID(kid)
    if len(keys) == 0 {
        return nil, fmt.Errorf("key %v not found", kid)
    }
    return keys[0].Materialize()
})
// jwt.Parse returns err (and token.Valid == false) when the signature is bad or
// exp/nbf/iat fail; iss, aud or client_id, and token_use still have to be checked
// by the caller against the user pool and app client.
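
The whole procedure from the answer, as an added example that is not part of the original question or answer: parse the jwks.json document into RSA public keys, pick the key by kid, allow-list RS256, verify the signature, and only then check iss, exp, token_use and the audience (aud for ID tokens, client_id for access tokens, as the Cognito developer guide requires). It uses only the Go standard library, so it runs offline. SignRS256, JWKSFor, the key ID "kid-1", the app client ID "app-client-id" and the issuer URL "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE" are constructed stand-ins for what Cognito would serve; in production the bytes passed to ParseJWKS come from an HTTP GET of the jwks.json URL above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims checked below; Cognito emits aud as a single string, not an array.
type Claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud"`       // app client ID in ID tokens
	ClientID string `json:"client_id"` // app client ID in access tokens
	TokenUse string `json:"token_use"` // "id" or "access"
	Exp      int64  `json:"exp"`
}

// ParseJWKS maps kid -> RSA public key from the user pool's jwks.json document.
func ParseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kid, Kty, N, E string } } // encoding/json matches names case-insensitively
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil || len(e) == 0 || len(e) > 4 {
			return nil, fmt.Errorf("key %q: not a well-formed RSA JWK", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// VerifyCognitoJWT allow-lists alg, finds the key by kid, verifies the RS256 signature, then checks the claims.
func VerifyCognitoJWT(token string, keys map[string]*rsa.PublicKey, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token has %d segments, want 3", len(parts))
	}
	hdrJSON, errH := base64.RawURLEncoding.DecodeString(parts[0])
	payload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" || keys[hdr.Kid] == nil {
		return nil, fmt.Errorf("header rejected (alg=%q, kid=%q): %v", hdr.Alg, hdr.Kid, err) // never let the token pick alg
	}
	if err := rsa.VerifyPKCS1v15(keys[hdr.Kid], crypto.SHA256, sum(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var c Claims // the payload is only worth parsing once its signature has checked out
	switch {
	case json.Unmarshal(payload, &c) != nil:
		return nil, fmt.Errorf("payload is not a JSON object")
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not this user pool", c.Iss)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	case c.TokenUse == "id" && c.Aud == clientID, c.TokenUse == "access" && c.ClientID == clientID:
		return &c, nil
	}
	return nil, fmt.Errorf("token_use %q or audience does not match app client %q", c.TokenUse, clientID)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sum(s string) []byte  { d := sha256.Sum256([]byte(s)); return d[:] }

// SignRS256 and JWKSFor stand in for Cognito so the example runs offline against a freshly generated key.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

func JWKSFor(pub *rsa.PublicKey, kid string) []byte {
	doc, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kid": kid, "kty": "RSA", "alg": "RS256",
		"use": "sig", "n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes())}}})
	return doc
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	issuer := "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE" // constructed, not a real user pool
	keys, _ := ParseJWKS(JWKSFor(&priv.PublicKey, "kid-1"))
	tok, _ := SignRS256(priv, "kid-1", map[string]interface{}{"iss": issuer, "aud": "app-client-id", "token_use": "id", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyCognitoJWT(tok, keys, issuer, "app-client-id", time.Now()))
}
```

The order matters: the algorithm and kid are taken from the untrusted header only to select a key from the trusted set, the signature is checked before the payload is even decoded, and a token whose token_use is neither "id" nor "access" is rejected rather than skipping the audience check. For a real service, fetch the JWKS once and cache it by kid; if a token arrives with a kid that is not in the cache, refetch before rejecting it, since the user pool's keys can change.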
