How do I validate an access token using the at_hash claim of an id token?

Problem description

Say I'm exchanging a code from the /auth endpoint. How do I hash the access token in order to compare it to the at_hash claim of the ID Token? I can verify ID Tokens locally on the server to protect against client modification, and want to verify the Access Token was the one that was issued with the id token (implying that audience and subject match the ID token's).

    Access Token hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256, then take the left-most 128 bits and base64url encode them. The at_hash value is a case sensitive string.

Recommended answer

The c_hash ID Token claim for the hybrid flow is defined similarly; the same steps can be used to verify either.

Steps to generate an at_hash or c_hash from the token:

1. Hash the ASCII representation of the token using the same alg as the ID Token itself, SHA-256 in Google's case.
2. Truncate the hash digest to the first half.
3. base64url encode the truncated digest.

Here's some sample code in python to create that hash. You'll need two libraries, pycrypto and the google-api-python-client (for the base64 encoding & id token comparison; you could potentially substitute with an alternative). You can install them with pip like so:

    pip install pycrypto
    pip install --upgrade google-api-python-client

Then run python interactively, and try the following:

    import base64
    import hashlib
    import oauth2client.client

    # Config: app's client id & tokens (in this case OAuth Playground's client id, and the tokens were extracted from the Token Endpoint response).
    client_id = "407408718192.apps.googleusercontent.com"
    id_token_string = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjcwZjZjNDI2NzkyNWIzMzEzNmExZDFjZmVlNGViYzU3YjI0OWU1Y2IifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXRfaGFzaCI6Iml5VkFfTnNtY2JJMDFHcFJDQVJaOEEiLCJhdWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMTAxNjk0ODQ0NzQzODYyNzYzMzQiLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJpYXQiOjE0NjcyMTg1NzMsImV4cCI6MTQ2NzIyMjE3M30.e4hJJYeUaFVwJ9OC8LBnmOjwZln_E2-isEUJtb-Um7vt3GDZnBZkHdCokAPBL4OW3DXBNPk9iY0QL2P5Gpb-nX_s-PZKOIES8CE0i2DmGahCZgJY_Y3V2qwiP1fTEQjcUmHEG2e7OdCn6siSZveFQ0W7SiSbbSeJVLws9aoHROo_UXy8CVjaU5KinROG6m6igqCxFoskIWRzAynfx70xMadY4UdS8kbKK_v5id0_Rdg_gYlF1ND0lsPM9vdm3jOifQEAAkjHr-RuSDWlX4Bs4cQtEkeQkN6--MWhoqAshJITuGSazVIiDkVUNNBIXmB_dp9TO6ZjeQEEfeGCs6axKA"
    access_token = "ya29.Ci8QA5eGBdBglK59FXdqXIR5KnbMJs-swx6Alk6_AV_6YPkjhxdO1e0Hqxi-8NB3Ww"

    # Verifies & parses id token (signature, issuer, audience, expiry); the at_hash claim is only trustworthy after this step.
    idtoken = oauth2client.client.verify_id_token(id_token_string, client_id)

    # Token to hash & expected hash value (replace with code & c_hash to verify code).
    token_to_hash = access_token
    token_hash_expected = idtoken["at_hash"]

    # Step 1. hashes the ASCII octets of the access token using SHA-256 (Google uses `RS256` as the ID Token `alg`).
    digest = hashlib.sha256(token_to_hash.encode("ascii")).digest()  # raw digest bytes, not a hex string

    # Step 2. truncates the hash digest to the first half (128 bits for SHA-256).
    digest_truncated = digest[:len(digest) // 2]

    # Step 3. base64url encodes the truncated hash digest bytes without '=' padding
    # (stdlib equivalent of the oauth2client.crypt._urlsafe_b64encode helper, decoded to str so it compares equal to the claim).
    token_hash_computed = base64.urlsafe_b64encode(digest_truncated).rstrip(b"=").decode("ascii")

    # Compares computed to expected, outputs result.
    print("Computed at_hash: %s" % token_hash_computed)
    print(token_hash_computed == token_hash_expected)

To try this sample with a fresh ID Token from your own account, create a request using the OAuth Playground with the profile scope (or use this one), exchange the code for refresh and access tokens, and copy the response into token_response_http_body in the sample above (remove the linebreaks).
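As an added example (not the answer's code and not part of any Google library), here are the same three steps in a form that selects the hash function from the ID Token's JOSE alg instead of hard-coding SHA-256, uses only the standard library, compares in constant time, and serves c_hash as well as at_hash. The token strings and header in it are constructed sample values, and jose_alg must only be fed an ID Token whose signature has already been verified.

```python
import base64
import hashlib
import hmac
import json

# OIDC Core: at_hash / c_hash use the hash function behind the ID Token's JOSE "alg".
# RS*/PS*/ES*/HS* algorithms with the same suffix share a hash; ES512 pairs with SHA-512.
_HASH_FOR_ALG = {
    **{a: hashlib.sha256 for a in ("RS256", "PS256", "ES256", "HS256")},
    **{a: hashlib.sha384 for a in ("RS384", "PS384", "ES384", "HS384")},
    **{a: hashlib.sha512 for a in ("RS512", "PS512", "ES512", "HS512")},
}


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the JWT dropped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jose_alg(id_token: str) -> str:
    """alg from the JOSE header of a compact JWT; call only after the signature is verified."""
    return json.loads(b64url_decode(id_token.split(".")[0]))["alg"]


def token_hash(token: str, alg: str) -> str:
    """at_hash (or c_hash): left half of hash(ASCII(token)), base64url-encoded."""
    try:
        hash_fn = _HASH_FOR_ALG[alg]
    except KeyError:
        raise ValueError(f"unsupported ID Token alg {alg!r}") from None
    digest = hash_fn(token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def verify_token_hash(token: str, claim_value: str, alg: str) -> bool:
    """True iff the verified ID Token's at_hash/c_hash claim matches `token`."""
    return hmac.compare_digest(token_hash(token, alg), claim_value)


if __name__ == "__main__":
    # Constructed sample: a fake header and access token, and an at_hash derived for it.
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    alg = jose_alg(header + ".e30.constructed-signature")
    access_token = "constructed.sample.access.token"
    at_hash = token_hash(access_token, alg)
    print(alg, at_hash, verify_token_hash(access_token, at_hash, alg))
    print(verify_token_hash(access_token + "x", at_hash, alg))  # a different token fails
```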