How to obtain JWKs and use them in JWT signing?

Question

I am reading this blog about JWTs and how you can use the signature part of it to verify that the token was actually issued by the trusted party.

https://hackernoon.com/json-web-tokens-jwt-demystified-f7e202249640

The JSON Web Key (JWK) is a JSON object that contains a well-known public key which can be used to validate the signature of a signed JWT.

If the issuer of your JWT used an asymmetric key to sign the JWT, it will likely host a file called a JSON Web Key Set (JWKS). The JWKS is a JSON object that contains the property keys, which in turn holds an array of JWK objects.

Here is a Java code snippet from my codebase that generates a JWT for me:

new JwtBuilder().setClaims(claims).setExpiration(expiration).signWith(signatureAlgorithm, sharedSecret).compact();

I do not quite understand how I obtain JWKs and how I use them for signing. I haven't found any examples on the web.

Any help would be appreciated.

Recommended answer

Every OpenID server has to provide the tenant an endpoint like this:

  https://--YOUR DOMAIN----/.well-known/jwks.json

If you visit this endpoint, you will see this in JSON format:

{
  keys: [
    {
      alg: 'RS256',
      kty: 'RSA',
      use: 'sig',
      n: 'tTMpnrc4dYlD8MtmPnW3xZNbLxkaGCUwTqeKB4dfLg11dEpMyQEc4JRxUvRzp9tz00r6lkZ1ixcvIiuB_eMVckU8VyFSFWBSAxp5duBk6lRpYk-QjK3kEdPxYLxyW84gNzwMi-XW8zxJbsOa-cRM9sCb62Qz2yfWoQfimoFXsCnVHq496kizO7gZ972JefvTce1_n9dd_1p0K6c14qcCXtF6hbA_gQ0N7h3IyloBqiusKyTsV-ZrMZDldZkI-4v7s49TdcRZgEOvSapMz5YyoDvAWzuWGEiljkjkCOo0Mr5Sioi2x0dBm6nJ2WVYfZrwEF5J',
      e: 'AQAB',
      kid: 'NTY2MjBCNzQ1RTLPQzk3NzczRRTMQ0E4NzE2MjcwOUFCRkUwRTUxNA',
      x5t: 'NTY2MjBCNzQ1RTJPLzk3NzczRUNPO0E4NzE2MjcwOUFCRkUwRTUxNA',
      x5c: [Array]
    }
  ]
}

What is x5c?

The "x5c" (X.509 certificate chain) Header Parameter contains the X.509 public key certificate or certificate chain [RFC5280] corresponding to the key used to digitally sign the JWS. The certificate or certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (not base64url-encoded) DER [ITU.X690.2008] PKIX certificate value. The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The recipient MUST validate the certificate chain according to RFC 5280 [RFC5280] and consider the certificate or certificate chain to be invalid if any validation failure occurs. Use of this Header Parameter is OPTIONAL.

If you check the x5c array, you will see a very long string. You have to take this value and separate it for each 64 values. It is very simple. Here is an example:

-----BEGIN CERTIFICATE-----
MIIDBzCCAe+gAwIBAgIJY5XAn120Mst4MA0GCSqGSIb3DQEBCwUAMCExHzAdBgNV
BAMTFmRl2e11ZGlrdGt5Mi5hdXRoMC5jb20wHhcNMTkwOTI5MjAxNjE4WhcNMzMw
NjA3MjAxNjE4WjAhMR8wHQYDVQQDExZkZXYtdWe3a3RreTIuYXV0aDAuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AeIIBCgKCAQEAtTMpnrc4dYlD8MmPnW3xZNbL
xkaGCUwTqeKB4etLg11dEpMyQEc4JRxUvRzp9t656lkZ1ixcvIiuB/eMVckU8VyF
SFWBSAxp5vrBk6lRpYk+QjK3kEdA9PxYLxyW84gNzwMi+XW8zxJbsOa+cRM9sCb6
2Qz2fWoQfimoFXsCnVHq496kp93izO7gZ972JefvTce1/n9dd/1p0K6c14qcCXtF
6hbA/gQ0N7h3IyloBqiusKyTsV+ZrMZDldZkI+4v7s49TdcRZgEOvSapMz5YyoDv
AWzuWGEilCOo0Mr5Sioi2x0dBm6nJ2WVYfZrwEF5JTz9LlKjYAqJ6ETGYKhjkwID
AQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQme5xBKaloQKQr5oxt
7uRlWthe6jAOBgNVHQ8BAf8EBAMCAoQwDQYJKoZIhvcNAQELBQADopEBABpfpizn
MSJ67HDX358Rav5CYFEeIBeHXrxDQLprKdNzNSxOJ6tRpk6OF0Qs52wCEbrUXYBu
MRjmmmvN3bBHGMmq/g4VPZGDLh/JF5xJjRj13um8Rfua3S2NE4nZUYfPWctk56mN
UUQ9DUkbPRbLEJKCqVSQNagk6TEGe4dfRGdUNvAzDBglMTFOSrY1GAOJdUA1+bPb
3MnSdfyIyxSfPK5oDSQ4puMWKme2ZdGGPj+urSxs1Tuwkv0DxohdV+35WUIJcJPU
ARJecLX7rjyAzqqZE1sJGfsY5ob09380/BTAwHHP/KjiOFhilJ5OoHiU62D+mEKA
DHqlJzoj1VX/3d8=
-----END CERTIFICATE-----

So when you start your verification process:

// you get the token
// you decode the token
// you compare the kid which is in the header of the token

// jwk.kid is the one that you get when you visit the /.well-known URL above
if (jwk.kid === decodedToken.header.kid) {
  // in the verification process you have to use the decoded code and the certificate
  // to verify the signature
}

This process is specific to the 'RS256' algorithm. RS256 generates an asymmetric signature, which means a private key must be used to sign the JWT and a different public key must be used to verify the signature. Unlike symmetric algorithms, using RS256 offers assurances that Auth0 is the signer of a JWT since Auth0 is the only party with the private key. To verify symmetric algorithms, you have to use the private key.
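The kid lookup and RS256 check described in the answer, written out as an added example (not part of the original answer or of any library's own code) using only Node.js's built-in crypto module. It builds the public key from the JWK's n and e members rather than from the x5c certificate, pins the algorithm on the verifier side, and includes the 64-character PEM wrapping of an x5c entry; the throwaway key pair, the kid "demo-key-1" and the function names are assumptions made for the demonstration.

```javascript
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Wrap one x5c entry (plain base64 DER) into PEM with 64-character lines.
function x5cToPem(x5cEntry) {
  const body = x5cEntry.match(/.{1,64}/g).join('\n');
  return `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----\n`;
}

// Verify a compact JWT against a JWKS object; returns the payload or throws.
function verifyWithJwks(token, jwks, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm on the verifier side; never let the token choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // Select the signing key by kid, as in the answer's comparison.
  const jwk = jwks.keys.find(
    (k) => k.kid === header.kid && k.kty === 'RSA' && (k.use ?? 'sig') === 'sig');
  if (!jwk) throw new Error('no matching kid');
  const publicKey = crypto.createPublicKey(
    { key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
  // The signature covers the first two segments exactly as transmitted.
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) throw new Error('expired');
  return payload;
}

// Constructed demo data: a throwaway key pair stands in for the issuer.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const kid = 'demo-key-1'; // hypothetical key id
  // The issuer publishes only the public half, as one entry of the JWKS.
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid, use: 'sig', alg: 'RS256' }] };
  // The issuer signs with the private key, which never appears in the JWKS.
  const sign = (header, payload) => {
    const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
    return `${input}.${b64url(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
  };
  const token = sign({ alg: 'RS256', typ: 'JWT', kid }, { sub: 'alice', exp: 4102444800 });
  return { jwks, token, sign };
}
```

In a real service the JWKS object would be fetched from the issuer's /.well-known/jwks.json endpoint over HTTPS and cached, and issuer and audience claims would be checked alongside exp.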
