Jwt verification fails by Envoy


Question

I have a Laravel (Lumen) login API, which generates a JWT using HS256. Then I send my bearer token to the Envoy gateway and get from Envoy

Jwt verification fails

On the official JWT decode site I can successfully decode and verify my bearer token. Here I generate my JWT:

<?php
use Firebase\JWT\JWT;   // firebase/php-jwt is assumed; the question only shows the JWT::encode() call

function generateToken($user)   // function name is assumed; the question shows only the body
{
    $payload = [
        'iss' => config('app.name'),                      // Issuer of the token
        'sub' => strval($user->ID),                       // Subject of the token
        'username' => $user->username,
        'iat' => time() - 500,                            // Time when JWT was issued.
        'exp' => time() + config('jwt.ttl'),              // Expiration time
        'alg' => 'HS256',
        'kid' => 'ek4Z9ouLmGnCoezntDXMxUwmjzNTBqptKNkfaqc6Ew8'
    ];
    $secretKey = 'helloworld'; // my base64url

    // Signs with the raw string 'helloworld'; alg and kid go into the JWT header
    $jwtEnc = JWT::encode($payload, $secretKey, $payload['alg'], $payload['kid']);

    return $jwtEnc;
}

Here is my Envoy config:

static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                '@type': 'type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager'
                stat_prefix: edge
                http_filters:
                  - name: envoy.filters.http.jwt_authn
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                      providers:
                        provider1:
                          issuer: 'Lumen'
                          forward: true
                          local_jwks:
                            # 'k' is here base64url (YAML comments use '#'; a '//' comment is a syntax error)
                            inline_string: '{"keys": [{"kty": "oct", "use": "sig", "kid": "ek4Z9ouLmGnCoezntDXMxUwmjzNTBqptKNkfaqc6Ew8", "k": "helloworld", "alg": "HS256"}]}'
                      rules:
                        - match:
                            prefix: "/list"
                          requires:
                            provider_name: "provider1"
                  - name: envoy.filters.http.router
                    typed_config:
                      # current Envoy versions require a typed_config for the router filter
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                route_config:
                  virtual_hosts:
                    - name: all_domains
                      domains: [ "*" ]
                      routes:
                        - match:
                            prefix: "/api"
                          route:
                            cluster: loginapi
  clusters:
    - name: loginapi
      connect_timeout: 5s
      load_assignment:
        cluster_name: loginapi
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 0.0.0.0
                      port_value: 8080


Answer

The token is signed and verified with a symmetric algorithm (HS256).
The key parameters of the symmetric key are provided in the form of a JSON Web Key in the local_jwks parameter of the Envoy configuration. The key value itself, in the parameter "k", is supposed to be stored in Base64Url format:

The "k" (key value) parameter contains the value of the symmetric (or other single-valued) key. It is represented as the base64url encoding of the octet sequence containing the key value.

(see RFC 7518, Section 6.4.1)

Base64Url encoding is used here in order to be able to use binary keys (i.e. keys in which every byte can have any value in the full range from 0 to 255) for signing.

When the key is used for signing and verification, it has to be decoded to its (potentially) binary form.

To stick with the simple example key "helloworld" (of course, just for illustration, not as a real key), this key would have to be stored as "k":"aGVsbG93b3JsZA" (the base64url form of "helloworld") in the inline JWK in the configuration and used in the unencoded form "helloworld" to sign the token. The receiving side also uses the base64url-decoded value of k to verify the signature.

  • Create a binary key and encode it with base64url
  • Store the encoded key in the "k" parameter of the local_jwks parameter in the Envoy configuration
  • Decode the value of "k" and use it as the key for verifying or signing the token
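The three steps above, carried out end to end as an added example (not code from the question or the answer): build the symmetric JWK with a base64url-encoded "k", sign an HS256 token with the raw key bytes as the Lumen side does, then verify it the way a JWKS-based verifier such as Envoy's jwt_authn filter does, by looking up the kid and base64url-decoding "k". It also verifies the same token against a JWK whose "k" holds the raw string "helloworld" (the question's configuration) to show why that fails. The kid and the key "helloworld" are the question's illustration values; the payload claims and the function names are constructed for this example. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JOSE uses it (RFC 7515, Appendix C)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding JOSE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwk(raw_key: bytes, kid: str) -> dict:
    """Symmetric JWK for Envoy's local_jwks.inline_string.
    RFC 7518 section 6.4.1: "k" is the base64url encoding of the raw key octets."""
    return {"kty": "oct", "use": "sig", "alg": "HS256", "kid": kid, "k": b64url_encode(raw_key)}


def sign_hs256(payload: dict, raw_key: bytes, kid: str) -> str:
    """Sign with the raw key bytes, as JWT::encode does with 'helloworld'."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(raw_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_with_jwks(token: str, jwks: dict) -> bool:
    """Verify like a JWKS-based verifier: select the key by kid, base64url-decode
    "k" to recover the raw key bytes, recompute the HMAC and compare in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False
    if header.get("alg") != "HS256":          # never let the token pick another algorithm
        return False
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        return False
    raw_key = b64url_decode(key["k"])          # this is the step the question's config skipped
    expected = hmac.new(raw_key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def demo() -> dict:
    kid = "ek4Z9ouLmGnCoezntDXMxUwmjzNTBqptKNkfaqc6Ew8"   # kid from the question
    raw_key = b"helloworld"                                # illustration key only, never a real secret
    payload = {"iss": "Lumen", "sub": "42", "username": "alice",   # constructed claims
               "iat": 1700000000, "exp": 1700003600}
    token = sign_hs256(payload, raw_key, kid)

    # Correct JWKS: "k" carries base64url("helloworld") = "aGVsbG93b3JsZA".
    correct_jwks = {"keys": [make_jwk(raw_key, kid)]}
    # The question's JWKS: the raw string pasted into "k". The verifier base64url-decodes it,
    # derives different key bytes, and the recomputed HMAC does not match.
    wrong_jwks = {"keys": [{"kty": "oct", "use": "sig", "alg": "HS256", "kid": kid, "k": "helloworld"}]}

    return {
        "k": correct_jwks["keys"][0]["k"],
        "verified_with_encoded_k": verify_with_jwks(token, correct_jwks),
        "verified_with_raw_k": verify_with_jwks(token, wrong_jwks),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints "aGVsbG93b3JsZA" for k, true for the JWKS with the encoded key and false for the JWKS with the raw string, which is exactly the mismatch behind the "Jwt verification fails" response: the Lumen side signs with the bytes of "helloworld" while Envoy verifies with the bytes obtained by base64url-decoding whatever is in "k".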
