How to verify a JWT Token from AWS Cognito in Go?


Question

How can I validate and get info from a JWT received from Amazon Cognito?

I have set up Google authentication in Cognito and set the redirect URI to hit API Gateway; I then receive a code which I POST to this endpoint:

https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

This returns the JWT token in RS256 format. I am now struggling to validate and parse the token in Golang. I've tried to parse it using jwt-go, but it appears to support HMAC by default, and I read somewhere that they recommend using frontend validation instead. I tried a few other packages and had similar problems.

I came across this answer here: Go Language and Verify JWT, but I assume the code is outdated, as it just says "panic: unable to find key".

jwt.io can easily decode the token, and probably verify it too. I'm not sure where the public/secret keys are, as Amazon generated the token, but from what I understand I need to use a JWK URL to validate it? I've found a few AWS-specific solutions, but they all seem to be hundreds of lines long. Surely it isn't that complicated in Golang, is it?

Answer

Public key for Amazon Cognito

As you already guessed, you'll need the public key in order to verify the JWT token.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-step-2

Download and store the corresponding public JSON Web Key (JWK) for your user pool. It is available as part of a JSON Web Key Set (JWKS). You can locate it at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json

Parse the keys and verify the token

That JSON file structure is documented on the web, so you could potentially parse it manually, generate the public keys, etc.

But it'd probably be easier to just use a library, for example this one: https://github.com/lestrrat-go/jwx

And then jwt-go to deal with the JWT part: https://github.com/dgrijalva/jwt-go

Then you can:

  1. Download and parse the public keys JSON using the first library

     // jwx v1.2 API (github.com/lestrrat-go/jwx/jwk): Fetch takes a context; fetch the set once and cache it rather than downloading it per request
     keySet, err := jwk.Fetch(context.Background(), THE_COGNITO_URL_DESCRIBED_ABOVE)

  2. When parsing the token with jwt-go, use the "kid" field from the JWT header to find the right key to use

     token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
         // jwt.SigningMethodRS256 is a value, not a type: assert on *jwt.SigningMethodRSA,
         // then pin the exact algorithm instead of letting the token header choose it
         if m, ok := token.Method.(*jwt.SigningMethodRSA); !ok || m.Alg() != "RS256" {
             return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
         }
         kid, ok := token.Header["kid"].(string)
         if !ok {
             return nil, errors.New("kid header not found")
         }
         // jwx v1.2 API: LookupKeyID returns (jwk.Key, bool)
         key, ok := keySet.LookupKeyID(kid)
         if !ok {
             return nil, fmt.Errorf("key with specified kid is not present in jwks")
         }
         var publickey interface{}
         if err := key.Raw(&publickey); err != nil {
             return nil, fmt.Errorf("could not parse pubkey: %w", err)
         }
         return publickey, nil
     })
     if err != nil || !token.Valid {
         // signature or standard claim validation failed: reject the request and do not read token.Claims
     }
