JWT/KONG: Cannot create JWTs with a shared secret


Question

I've been playing around with the KONG API gateway recently.

I want to sign each JWT with a secret that is shared by all micros. I need this because I want other micros to be able to decode a given JWT, extract the payload data and work on it (e.g. the _user_id_ field in the payload).

When I try to create a JWT for the first consumer, it works just fine. But when I try to create one for the second consumer, I get the following error:

{u'secret': u"already exists with value 'secret'}

I'm not exactly sure, but I think KONG/JWT requires a unique secret for each consumer to create a JWT. Is it possible to configure the JWT plugin properly so that a shared secret can be used to sign JWTs?

PS: I'm not entirely sure that using a shared secret is good practice. If there is a better way to do this, please let me know. Thanks!

  • Kong version v0.10.2

Recommended answer

You can use the private/public key signing method.
Create your JWT token with a private key and share the public key with all other microservices. The other microservices can verify the signature of the token using the shared public key.

You can use the RSA algorithm for generating the keys and signing the tokens. The private key should be held only by the service that generates the tokens.

Snippet to generate the keys:

    import java.security.Key;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;

    // Generate a 2048-bit RSA key pair; the private key stays with the token issuer
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(2048);
    KeyPair kp = kpg.genKeyPair();
    Key publicKey = kp.getPublic();
    Key privateKey = kp.getPrivate();

Snippet to generate the JWT token. I am using the JJwt API for generating the token:

    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;

    // Sign with RS256 using the issuer's private key; payload is a Map<String, Object> of claims
    String jwtToken = Jwts.builder()
            .setClaims(payload)
            .setExpiration(expiryDate)
            .signWith(SignatureAlgorithm.RS256, privateKey)
            .compact();

Snippet to verify the token with the public key:

    import io.jsonwebtoken.Claims;
    // Verify the RS256 signature with the public key (throws a JwtException if invalid or expired)
    Claims claims = Jwts.parser()
            .setSigningKey(publicKey)
            .parseClaimsJws(jwtToken)
            .getBody();

Hope this helps.
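The issuer/verifier split the answer describes, as an added, self-contained example (not code from the answer or from the JJWT project): one class holds the private key and mints tokens carrying the `user_id` claim from the question, another holds only the public key and verifies. It then shows the three failure cases a downstream micro has to reject: a token signed by a different key pair, a token whose payload was edited after signing, and an expired token. Class and method names (`SharedPublicKeyJwtDemo`, `TokenIssuer`, `TokenVerifier`, `userIdFrom`) are made up for the example; it assumes jjwt 0.9.x (the API generation the answer uses) with Jackson on the classpath and Java 8 or later.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class SharedPublicKeyJwtDemo {

    /** The issuing service: the only component that ever holds the private key. */
    static final class TokenIssuer {
        private final PrivateKey privateKey;

        TokenIssuer(PrivateKey privateKey) { this.privateKey = privateKey; }

        /** Mint an RS256-signed token carrying user_id, valid for ttlMillis. */
        String issue(String userId, long ttlMillis) {
            Map<String, Object> payload = new HashMap<>();
            payload.put("user_id", userId);           // the claim the other micros want to read
            Date now = new Date();
            return Jwts.builder()
                    .setClaims(payload)
                    .setIssuedAt(now)
                    .setExpiration(new Date(now.getTime() + ttlMillis))
                    .signWith(SignatureAlgorithm.RS256, privateKey)
                    .compact();
        }
    }

    /** Any downstream micro: holds only the public key, so it can verify but never mint tokens. */
    static final class TokenVerifier {
        private final PublicKey publicKey;

        TokenVerifier(PublicKey publicKey) { this.publicKey = publicKey; }

        /** Returns the user_id claim, or null when the signature or expiry check fails. */
        String userIdFrom(String token) {
            try {
                Claims claims = Jwts.parser()
                        .setSigningKey(publicKey)
                        .parseClaimsJws(token)        // verifies the RS256 signature and exp
                        .getBody();
                return claims.get("user_id", String.class);
            } catch (JwtException e) {               // SignatureException, ExpiredJwtException, ...
                return null;
            }
        }
    }

    static KeyPair newRsaKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        KeyPair issuerKeys = newRsaKeyPair();
        TokenIssuer issuer = new TokenIssuer(issuerKeys.getPrivate());
        TokenVerifier micro = new TokenVerifier(issuerKeys.getPublic());   // gets the public key only

        // 1. Legitimate token: verifies and yields the user_id.
        String good = issuer.issue("42", 60_000);
        System.out.println("good token     -> user_id=" + micro.userIdFrom(good));

        // 2. Token signed with a different key pair (e.g. a misconfigured second issuer): rejected.
        TokenIssuer other = new TokenIssuer(newRsaKeyPair().getPrivate());
        System.out.println("foreign key    -> " + micro.userIdFrom(other.issue("42", 60_000)));

        // 3. Payload swapped after signing: the signature no longer covers it, rejected.
        String[] parts = good.split("\\.");
        String forgedPayload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"user_id\":\"1\"}".getBytes(StandardCharsets.UTF_8));
        String tampered = parts[0] + "." + forgedPayload + "." + parts[2];
        System.out.println("edited payload -> " + micro.userIdFrom(tampered));

        // 4. Already-expired token (exp one second in the past): rejected by the exp check.
        System.out.println("expired        -> " + micro.userIdFrom(issuer.issue("42", -1_000)));
    }
}
```

Run with jjwt 0.9.x on the classpath; the first line prints `user_id=42` and the other three print `null`. Because `TokenVerifier` is constructed from a `PublicKey`, a compromised downstream micro leaks nothing that would let an attacker mint tokens, which is the property the shared-HMAC-secret setup in the question cannot give you.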
