How to validate a JWT from WSO2 API Manager

Views: 130

Problem description

What is the recommended way for validating that a JWT was issued by a specific API Manager instance in a case where the backend web service lives on a separate server and needs to be certain that a given request passed through the APIM Gateway authentication and authorization mechanisms?

I know that the header fields in the JWT include an 'x5t' field which is an encoded reference to a certificate in the tenant key store, as detailed here:

https://asankastechtalks.wordpress.com/2013/12/05/获取证书用于签名-a-jwt/

Since the backend web service is on a separate server, do we need to distribute the public key to it somehow? Also, how can we update the certificate that is used to sign the JWT since right now it is using the default?

Recommended answer

This is how you can get the certificate from the local store using the x5t hash in the WSO2 token as a lookup:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Use JwtSecurityTokenHandler to parse the JWT (this step does not check the signature)
var tokenHandler = new JwtSecurityTokenHandler();

// Read the JWT header and payload without validating it
JwtSecurityToken parsedJwt = tokenHandler.ReadJwtToken(token);

// Get the X509 public certificate referenced by the header.
// WSO2 places the base64-encoded hex SHA-1 thumbprint of the signing certificate in "x5t".
var signerAlgorithm = parsedJwt.SignatureAlgorithm;
var signerHash = parsedJwt.Header["x5t"].ToString();
var thumbprint = Encoding.UTF8.GetString(Convert.FromBase64String(signerHash));

// Look the certificate up by thumbprint in the local store it was imported into
X509Certificate2 cert;
using (var store = new X509Store(StoreName.TrustedPublisher))
{
    store.Open(OpenFlags.ReadOnly);
    var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
    if (matches.Count == 0)
        throw new InvalidOperationException("No certificate with thumbprint " + thumbprint + " in the store");
    cert = matches[0];
}
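As an added example (not part of the answer above), here is the validation step that follows the certificate lookup: the certificate found via the 'x5t' thumbprint is handed to the same JwtSecurityTokenHandler, which then checks the signature, issuer and expiry with the algorithm pinned to RS256. It assumes the Microsoft.IdentityModel.Tokens types from the System.IdentityModel.Tokens.Jwt package; 'expectedIssuer' is a hypothetical parameter holding the gateway's 'iss' value, and no audience check is performed.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

public static class Wso2JwtValidator
{
    // Validates that 'token' was signed by 'signingCert' (the APIM certificate exported
    // from the gateway keystore and imported on the backend), was issued by the expected
    // issuer, and has not expired. Throws SecurityTokenException on any failure.
    public static ClaimsPrincipal Validate(string token, X509Certificate2 signingCert, string expectedIssuer)
    {
        var handler = new JwtSecurityTokenHandler();
        var parameters = new TokenValidationParameters
        {
            // Only the certificate we already trust may verify the signature; the 'x5t'
            // header is used for lookup only, never as a reason to trust an arbitrary key.
            IssuerSigningKey = new X509SecurityKey(signingCert),
            ValidateIssuerSigningKey = true,
            // Pin the algorithm so a token carrying a different 'alg' is rejected outright.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
            ValidIssuer = expectedIssuer,   // assumed: the gateway's 'iss' value
            ValidateIssuer = true,
            ValidateLifetime = true,        // 'exp' must not be in the past
            ClockSkew = TimeSpan.FromMinutes(2),
            ValidateAudience = false,       // assumed: no 'aud' claim is relied on here
        };
        return handler.ValidateToken(token, parameters, out SecurityToken _);
    }
}
```

Call Validate inside a try/catch for SecurityTokenException and treat any exception as an unauthenticated request.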
