How do I validate an access token using the at_hash claim of an id token?


Question

Say in exchanging from the /auth endpoint (

How do I hash the access token in order to compare it to the at_hash claim of the ID Token?

I can verify ID Tokens locally on the server to protect against client modification, and want to verify the Access Token was the one that was issued with the id token (implying that audience and subject match the ID token's).

Accepted answer

The at_hash ID Token claim is defined as:

Access Token hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256, then take the left-most 128 bits and base64url encode them. The at_hash value is a case sensitive string.

The c_hash ID Token claim for the hybrid flow is defined similarly, the same steps can be used to verify either.

Steps to generate an at_hash or c_hash from the token:

  1. Hash the ASCII representation of the token using the same alg as the ID Token itself, SHA-256 in Google's case.
  2. Truncate the hash to the first half of the raw hash value (importantly: not the string hex representation of the hash).
  3. Base64url encode (without padding) the truncated hash bytes.

Here's some sample code in python to create that hash, you'll need two libraries, pycrypto and the google-api-python-client (for the base64 encoding & id token comparison, you could potentially substitute with an alternative). You can install them with pip like so:

pip install pycrypto
pip install --upgrade google-api-python-client

Then, run python interactively, and try the following:

import hashlib
import oauth2client.client
import oauth2client.crypt

# Config: app's client id & tokens (in this case OAuth Playground's client id, and the tokens were extracted from the Token Endpoint response).
client_id = "407408718192.apps.googleusercontent.com"
id_token_string = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjcwZjZjNDI2NzkyNWIzMzEzNmExZDFjZmVlNGViYzU3YjI0OWU1Y2IifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXRfaGFzaCI6Iml5VkFfTnNtY2JJMDFHcFJDQVJaOEEiLCJhdWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMTAxNjk0ODQ0NzQzODYyNzYzMzQiLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJpYXQiOjE0NjcyMTg1NzMsImV4cCI6MTQ2NzIyMjE3M30.e4hJJYeUaFVwJ9OC8LBnmOjwZln_E2-isEUJtb-Um7vt3GDZnBZkHdCokAPBL4OW3DXBNPk9iY0QL2P5Gpb-nX_s-PZKOIES8CE0i2DmGahCZgJY_Y3V2qwiP1fTEQjcUmHEG2e7OdCn6siSZveFQ0W7SiSbbSeJVLws9aoHROo_UXy8CVjaU5KinROG6m6igqCxFoskIWRzAynfx70xMadY4UdS8kbKK_v5id0_Rdg_gYlF1ND0lsPM9vdm3jOifQEAAkjHr-RuSDWlX4Bs4cQtEkeQkN6--MWhoqAshJITuGSazVIiDkVUNNBIXmB_dp9TO6ZjeQEEfeGCs6axKA"
access_token = "ya29.Ci8QA5eGBdBglK59FXdqXIR5KnbMJs-swx6Alk6_AV_6YPkjhxdO1e0Hqxi-8NB3Ww"

# Verifies (signature, issuer, audience, expiry) & parses the id token.
idtoken = oauth2client.client.verify_id_token(id_token_string, client_id)

# Token to hash & expected hash value (replace with code & c_hash to verify code).
token_to_hash = access_token
token_hash_expected = idtoken["at_hash"]

# Step 1. hashes the ASCII bytes of the access token using SHA-256 (Google uses `RS256` as the ID Token `alg`).
hasher = hashlib.sha256()
hasher.update(token_to_hash.encode("ascii"))
digest = hasher.digest()   # this returns the hash digest bytes (not a hex string)

# Step 2. truncates the hash digest to the first half (integer division, so the slice is valid on Python 3 too).
digest_truncated = digest[:(len(digest) // 2)]

# Step 3. base64url encodes the truncated hash digest bytes without padding; decode to text so it compares with the str claim value.
token_hash_computed = oauth2client.crypt._urlsafe_b64encode(digest_truncated).decode("ascii")

# Compares computed to expected, outputs result.
print("Computed at_hash: %s" % token_hash_computed)
print(token_hash_computed == token_hash_expected)

To try this sample with a fresh ID Token from your own account, create a request using the OAuth Playground with the profile scope (or use this one), exchange the code for refresh and access tokens, and copy the response into token_response_http_body in the sample above (remove the linebreaks).
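A standalone version of the same check, added here as an example (not the answer's code and not part of any library): it picks the digest from the ID token's alg header instead of hard-coding SHA-256, serves both at_hash and c_hash, and compares in constant time. It assumes the ID token has already been verified and that the expected claim value is read from that verified payload; the sample token values in the demo are constructed.

```python
import base64
import hashlib
import hmac
import json

# The digest is chosen by the size suffix of the ID token's alg (RS256 -> SHA-256,
# ES384 -> SHA-384, PS512 -> SHA-512); anything else is rejected rather than guessed.
_DIGEST_FOR_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def jws_alg(jwt):
    """Read alg from the JOSE header of a compact JWT (header only, no verification here)."""
    header_b64 = jwt.split(".")[0]
    header = base64.urlsafe_b64decode(header_b64 + "=" * (-len(header_b64) % 4))
    return json.loads(header.decode("utf-8"))["alg"]


def compute_token_hash(token, alg):
    """at_hash / c_hash: base64url (no padding) of the left half of HASH(ascii(token))."""
    digest_fn = _DIGEST_FOR_SUFFIX.get(alg[-3:]) if alg != "none" else None
    if digest_fn is None:
        raise ValueError("cannot derive a hash function from alg %r" % alg)
    digest = digest_fn(token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]          # raw bytes, not the hex string
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_token_hash(token, id_token, expected_hash):
    """True iff the at_hash/c_hash claim taken from the already verified ID token
    payload matches this access token or authorization code."""
    computed = compute_token_hash(token, jws_alg(id_token))
    return hmac.compare_digest(computed, expected_hash)


if __name__ == "__main__":
    # Constructed sample values, only to exercise the functions offline.
    sample_id_token = "eyJhbGciOiJSUzI1NiJ9.e30.sig"   # header decodes to {"alg":"RS256"}
    sample_access_token = "ya29.constructed-sample-access-token"
    claim = compute_token_hash(sample_access_token, "RS256")
    print("computed at_hash:", claim)
    print("matches:", verify_token_hash(sample_access_token, sample_id_token, claim))
```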
