Verify JWT from Google Chat POST request


Problem description


I have a bot in NodeJS connected to Google Chat using HTTPs endpoints. I am using express to receive requests. I need to verify that all requests come from Google, and want to do this using the Bearer Token that Google Sends with requests.


My problem is that I am struggling to find a way to verify the tokens.


I have captured the token and tried a GET request to https://oauth2.googleapis.com/tokeninfo?id_token=ey... (where ey... is the token start).

Which returns:

    {
        "error": "invalid_token",
        "error_description": "Invalid Value"
    }


I have tried what Google recommends:

// Assumed: `client` is an OAuth2Client from google-auth-library, which is the
// library that produces the "No pem found for envelope" error shown below.
const { OAuth2Client } = require('google-auth-library');
const client = new OAuth2Client();

// Split "Bearer <token>" on whitespace; token[1] is the JWT itself
var token = req.headers.authorization.split(/[ ]+/);
client.verifyIdToken({
    idToken: token[1],
    // acceptable audiences, stored as a JSON array in the environment
    audience: JSON.parse(process.env.valid_client_ids)
}).then((ticket) => {
    gchatHandler.handleGChat(req.body, res);
}).catch(console.error);

And get the following error:


Error: No pem found for envelope: {"alg":"RS256","kid":"d...1","typ":"JWT"}


Any idea where I should head from here?


https://www.googleapis.com/service_accounts/v1/metadata/x509/chat@system.gserviceaccount.com found this, investigating how to use it. The kid matches the one I get.

Recommended answer

Finally solved this problem.


You need to hit: https://www.googleapis.com/service_accounts/v1/metadata/x509/chat@system.gserviceaccount.com to get a JSON file containing the keys linked to their KIDs.


Then when a request arrives, use jsonwebtoken (NPM) to decode the token and extract the KID from the header.


Use the KID to find the matching public key in the response from the website above, then use the verify function to make sure the token matches the public key.


You also need to pass the audience and issuer options to verify, to validate that it is your particular service account hitting the bot.
