Where does jwt.io get the public key from a JWT token?


Problem description


I was decoding a JWT token via jwt.io (in the Debugger section) to see the headers and payload. Surprisingly, it was also verified, and I could see that it (the jwt.io debugger) is able to retrieve the public key as well.

So my question is: does a JWT token also provide the public key as part of the token?

I am pasting part of it (I can't paste the full token for security reasons, so I am truncating part of the actual JWT token):

F3cy5jb21cL2V1LXdlc3QtMV9ZckVRYjY5Z1giLCJleHAiOjE2MDE2Mzg4OTMsImlhdCI6MTYwMTYzNTI5MywidmVyc2lvbiI6MiwianRpIjoiNmI2YmZiNmYtY2M0MS00N2Q5LWI0YzYtOTBmOGFmNWM2MjQ1IiwiY2xpZW50X2lkIjoiMTM0MWxxa3N1ZmUwbm1vaW9kdnRjc2t2cWIifQ.RtKfz54uBgSZ1gc4KRPjzL4dPe5AbH2YMJu-DDvIxBzgMjqT9q4ApGzcWYB62-MgDUf-F_hK0kF9eIwAi9fARhp 0HGGnyiuydW_our6zE3EphLvXQByTDY5xzOUuSvt7WbDZWeSfpHcjrBttRSJAPOsZ2gInafKjZgWKyGL4vJB9swEhOMSSpTQDGWKenJCyp4emhe8E4XGzYTo9WEb-Wqg6sI__LrusDNd917FaocPKBxA

Decoded messages (again truncated)

Headers

{
  "kid": "cJ0PzkBXPyjX7FM67jcOECIY=",
  "alg": "RS256"
}

Payload:

{
  "sub": "13lqs0moiodvtcskvqb",
  "token_use": "access",
  "scope": "example.com/Manage",
  "auth_time": 1601293,
  "iss": "https://cognito.eu.amazonaws.com/",
  "exp": 1601638,
  "iat": 10353,
  "version": 2,
  "jti": "cc1-47d9-b6-5c6245",
  "client_id": "nmodvtcb"
}

In there, I can see the public key (truncated):

-----BEGIN PUBLIC KEY-----
QEFAAOCAQ8AMIIBCxmf9bakWk
556KYmIZB+Sy1ftkkGa4qlUsmRvcG2Hll+7HBWp1ao6MVLskjdaaKg8iH1Iz4DKG
lgqT/ndwhoxvTBuvm0X2CZoNzZn4S8wDTr78m/S/YegZRhv6y58gkiKSEmbbC/g5
Bp+AF88NwBvLm1jdd
-----END PUBLIC KEY-----

Where is the debugger in jwt.io retrieving the public key from? I am not able to understand this.

Solution

The token contains the issuer (iss) of the token and the key id (kid), which identifies the public key that is needed to verify the signature. With this information, jwt.io can find the public key in the form of a JWK (JSON Web Key) on a JWKS endpoint (/.well-known/jwks.json) to verify the token. A JWKS (JSON Web Key Set) contains an array of JWKs; the link shows an example.

According to the Cognito documentation, this mechanism is used when you use an Amazon user pool to authenticate your users.

Providing keys via a JWKS endpoint is a standard mechanism which is also used by other providers, e.g. Microsoft Azure.
