验证 Auth0 JWT 抛出无效算法 [英] Verifying Auth0 JWT throws invalid algorigthm
问题描述
我已经创建了一个 Auth0 客户端,我正在登录并收到此令牌:
<预> <代码> eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVkdOa1l5T1VaQ1JqTkRSVE5EUmtNeU5rVkROMEUyUTBVMFJrVXdPVEZEUkVVNU5UQXpOZyJ9.eyJpc3MiOiJodHRwczovL3RvdGFsY29tbW56LmF1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwMzI5NzA4OTYyMTk5NjUwMjY2MiIsImF1ZCI6ImxTWUtXMUZZdENkMWJLQmdXRWN0MWpCbmtDU3R2dW5SIiwiaWF0IjoxNTA5ODYyMTI1LCJleHAiOjE1MTAyMjIxMjV9.kjmckPxLJ4H9R11XiBBxSNZEvQFVEIgAY_jj2LBy4sEJozBB8ujGE7sq9vEIjMms-Lv2q9WzFQPrqcxyBcYC4Je4QojMgvqLDCodtpot0QUle8QfGmonc1vZYIZyX-wqyOXtRqhoZVEKTeLhm9Le2CV4_a3BwgjkE1LjcDx01GZfsnaId8mh10kGk-DBmr5aVc8MxglLCq5Uk8Zbl2vDc__UMDgx1eQPQg-zve4fUf8zHcxizypYTnF_v0dEAT00L2j5J41SFYdWvP6ReQ3vhVYew2o9iM6u1s75HE-xW8s4pzV4BZAQtgfgIeCd6aVGZs76bcnQXBLej1B7zaPBvA我现在要做的是使用 jsonwebtoken 验证令牌.令牌使用 RS256 算法签名.
我将签名证书下载为 .pem
并且我成功使用它来验证令牌,如下所示:
var cert = fs.readFileSync('certificate.pem');jwt.verify(token, cert, {algorithm: 'RS256'}, (err, decoded) => {控制台日志(错误)控制台日志(解码)});
我想做但不起作用的是使用密钥(在 Auth0 客户端设置中称为 Client Secret 并且是一个字符串)验证令牌.
jwt.verify(token, MYSECRET, {algorithm: 'RS256'}, (err, decoded) => {控制台日志(错误)控制台日志(解码)});
这段代码总是抛出一个错误:
{ JsonWebTokenError: 无效算法在 Object.module.exports [作为验证] (C:codeawslearn-authorizer
ode_modulesjsonwebtokenverify.js:90:17)在对象<匿名>(C:codeawslearn-authorizer estme.js:25:5)在 Module._compile (module.js:624:30)在 Object.Module._extensions..js (module.js:635:10)在 Module.load (module.js:545:32)在 tryModuleLoad (module.js:508:12)在 Function.Module._load (module.js:500:3)在 Function.Module.runMain (module.js:665:10)启动时 (bootstrap_node.js:187:16)在 bootstrap_node.js:608:3 名称:'JsonWebTokenError',消息:'无效算法'}
我的问题是:如何使用密钥而不是使用证书文件来验证 RS256 令牌?(我也尝试创建一个使用 HS256 算法的新客户端,但我得到了同样的错误).
如果您只使用一个秘密密钥,那么使用 RS256 将不起作用,因为它基于私钥/公钥对.仅使用密钥通常表示 H256.在我的回答中,我假设您所说的 MYSECRET
只是 certificate.pem
的内容.
无论如何,我认为您的字符串必须包含
-----开始RSA私钥--
和
-----END RSA 私钥-----
或 PUBLIC 而不是 PRIVATE.
您可以在来源中看到这一点.您的错误消息中提到的行包含:
if (!~options.algorithms.indexOf(header.alg)) {return done(new JsonWebTokenError('invalid algorithm'));}
和 options.algorithms
定义为
if (!options.algorithms) {options.algorithms = ~secretOrPublicKey.toString().indexOf('BEGIN CERTIFICATE') ||~secretOrPublicKey.toString().indexOf('BEGIN PUBLIC KEY') ?['RS256','RS384','RS512','ES256','ES384','ES512']:~secretOrPublicKey.toString().indexOf('BEGIN RSA PUBLIC KEY') ?['RS256','RS384','RS512']:['HS256','HS384','HS512'];}
如果您在开始和结束时没有 RSA 内容,它将查找以下算法:'HS256','HS384','HS512'
.
我之前没有将 RS256 与 JWT 一起使用,但我已经将其与 ssh 一起使用,并且我知道它对具有标头非常敏感.字符串必须采用完全正确的格式.
I have created an Auth0 client, I am logging in and receive this token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVkdOa1l5T1VaQ1JqTkRSVE5EUmtNeU5rVkROMEUyUTBVMFJrVXdPVEZEUkVVNU5UQXpOZyJ9.eyJpc3MiOiJodHRwczovL3RvdGFsY29tbW56LmF1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwMzI5NzA4OTYyMTk5NjUwMjY2MiIsImF1ZCI6ImxTWUtXMUZZdENkMWJLQmdXRWN0MWpCbmtDU3R2dW5SIiwiaWF0IjoxNTA5ODYyMTI1LCJleHAiOjE1MTAyMjIxMjV9.kjmckPxLJ4H9R11XiBBxSNZEvQFVEIgAY_jj2LBy4sEJozBB8ujGE7sq9vEIjMms-Lv2q9WzFQPrqcxyBcYC4Je4QojMgvqLDCodtpot0QUle8QfGmonc1vZYIZyX-wqyOXtRqhoZVEKTeLhm9Le2CV4_a3BwgjkE1LjcDx01GZfsnaId8mh10kGk-DBmr5aVc8MxglLCq5Uk8Zbl2vDc__UMDgx1eQPQg-zve4fUf8zHcxizypYTnF_v0dEAT00L2j5J41SFYdWvP6ReQ3vhVYew2o9iM6u1s75HE-xW8s4pzV4BZAQtgfgIeCd6aVGZs76bcnQXBLej1B7zaPBvA
What I am trying to do now is to verify the token using jsonwebtoken. The token is signed with an RS256 algorithm.
I downloaded the signing certificate as a .pem
and I am successfully using it to verify the token like this:
var cert = fs.readFileSync('certificate.pem');
jwt.verify(token, cert, {algorithm: 'RS256'}, (err, decoded) => {
console.log(err)
console.log(decoded)
});
What I want to do and it doesn't work is verifying the token using the secret (which is called Client Secret in the Auth0 client settings and is a string).
jwt.verify(token, MYSECRET, {algorithm: 'RS256'}, (err, decoded) => {
console.log(err)
console.log(decoded)
});
This code always throws an error:
{ JsonWebTokenError: invalid algorithm
at Object.module.exports [as verify] (C:codeawslearn-authorizer
ode_modulesjsonwebtokenverify.js:90:17)
at Object.<anonymous> (C:codeawslearn-authorizer estme.js:25:5)
at Module._compile (module.js:624:30)
at Object.Module._extensions..js (module.js:635:10)
at Module.load (module.js:545:32)
at tryModuleLoad (module.js:508:12)
at Function.Module._load (module.js:500:3)
at Function.Module.runMain (module.js:665:10)
at startup (bootstrap_node.js:187:16)
at bootstrap_node.js:608:3 name: 'JsonWebTokenError', message: 'invalid algorithm' }
My question is: how can I verify the RS256 token using the secret key as opposed to using the certificate file? (I also tried creating a new client which is using the HS256 algorithm, but I get the same error).
If you are using only a secret key then using RS256 won't work, as it's based on a private/public key pair. Using only a secret key usually indicates H256. In my answer I assume that what you call MYSECRET
is just the content of certificate.pem
.
Anyways, I would assume your string has to contain
-----BEGIN RSA PRIVATE KEY-----
and
-----END RSA PRIVATE KEY-----
or PUBLIC instead of PRIVATE.
You can see this in source. The lines mentioned in your error message contains:
if (!~options.algorithms.indexOf(header.alg)) {
return done(new JsonWebTokenError('invalid algorithm'));
}
and options.algorithms
is defined as
if (!options.algorithms) {
options.algorithms = ~secretOrPublicKey.toString().indexOf('BEGIN CERTIFICATE') ||
~secretOrPublicKey.toString().indexOf('BEGIN PUBLIC KEY') ?
[ 'RS256','RS384','RS512','ES256','ES384','ES512' ] :
~secretOrPublicKey.toString().indexOf('BEGIN RSA PUBLIC KEY') ?
[ 'RS256','RS384','RS512' ] :
[ 'HS256','HS384','HS512' ];
}
If you don't have the RSA things at the start and end it will look for the following algorithms: 'HS256','HS384','HS512'
.
I haven't used RS256 with JWT before, but I have used it with ssh, and I know that it's very sensitive to having the header. The string has to be in the exactly correct format.
这篇关于验证 Auth0 JWT 抛出无效算法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!