如何在节点应用程序中解码 google OAuth 2.0 JWT (OpenID Connect)? [英] How can I decode a google OAuth 2.0 JWT (OpenID Connect) in a node app?

问题描述

我在这里尝试使用 google OAuth 对我的 node express 应用中的用户进行身份验证时遇到了麻烦.我可以成功执行 OAuth，它会返回如下响应:

I'm having a heck of a time here trying to use google OAuth to authenticate users in my node express app. I can successfully do the OAuth, which returns a response like so:

{
  access_token: 'token string',
  id_token: 'id.string',
  expires_in: 3599,
  token_type: "Bearer"
}

这一切都说得通，但我终其一生都无法弄清楚如何解码 JWT.我对这一切有点缺乏经验，所以这对我来说有点陌生.

This all makes sense, but I can't for the life of me figure out how to decode the JWT. I am a bit inexperienced in all this, so this is all a bit foreign to me.

按照此处列出的说明进行操作:https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken 我正在尝试在我的节点应用程序中本地解码 JWT.

Following the instructions listed here: https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken I am attempting to decode the JWT locally in my node app.

我在我的节点环境中安装了 https://github.com/hokaccha/node-jwt-simple.

I installed https://github.com/hokaccha/node-jwt-simple in my node environment.

而且我很确定我需要使用此证书 (https://www.googleapis.com/oauth2/v1/certs) 以某种方式对其进行解码，但我在这里有点不知所措.我真的不明白如何将证书放入我的节点应用程序，然后如何将它与 node-jwt-simple 一起使用.而且我也不太明白我如何知道何时需要提取新证书，而不是使用缓存证书.

And I'm pretty certain I need to use this certificate (https://www.googleapis.com/oauth2/v1/certs) in all this somehow to decode it, but I am at a bit of a loss here. I don't really understand how I get the certificate into my node app, and after that how to use it with node-jwt-simple. And I also don't really understand how I know when I need to pull a fresh certificate, vs using a cached one.

哪位有这方面的经验可以帮助我?

Anyone out there with some experience in this that can help me out?

感谢您的帮助.在这一点上，我完全不知所措.

Thanks for any help. I'm totally at a loss at this point.

** 更新**

所以我已经取得了一些进展......有点.通过调用 jwt.decode(id_token, certificate, true);我能够成功解码令牌.即使证书 var 是一个空对象 {}.这给我留下了 3 个问题.1:使用谷歌的 url 将证书放入我的 express 应用程序的最佳方法是什么?2:我怎么知道什么时候需要引入它的新版本?3:似乎为 noVerify (jwt.decode 中的第三个参数)传递 true 是一个糟糕的主意.如果不通过它，我怎样才能让它工作?看起来 jwt-simple 可能期待 hs256 并且令牌正在使用 rs256.

So I have made some progress... Kind of. By calling jwt.decode(id_token, certificate, true); I am able to successfully decode the token. Even if the certificate var is an empty object {}. This leaves me with 3 questions still. 1: What is the best way to get the certificate into my express app using the url from google? 2: How will I know when I need to pull in a fresh version of it? 3: It seems like passing in true for noVerify (3rd arg in jwt.decode) is a terrible idea. How can I get that to work without passing that in? It looks like perhaps jwt-simple is expecting hs256 and the token is using rs256.

再说一次，我在这方面非常缺乏经验，所以我在这里可能有点离谱.

Again, I'm super inexperienced in this, so I may be way off base here.

* 更新 *感谢 Nat 的帮助，我得以完成这项工作！我想我尝试了每一个 JWT 和 JWS 节点模块.我最终登陆的内容如下:我发现我看到的所有模块都没有达到我想要的开箱即用的效果.我创建了以下用于解码 id_token 的 jwt 解码辅助方法，因此我可以从标头中获取孩子.

* UPDATE * Thanks to the help from Nat, I was able to get this working! I think I tried every single JWT and JWS node module out there. What I finally landed on is as follows: I found that none of the modules that I looked at did quite what I wanted out of the box. I created the following jwt decoding helper methods that I am using to decode the id_token, so I can get the kid from the header.

module.exports = {
  decodeJwt: function (token) {
    var segments = token.split('.');

    if (segments.length !== 3) {
      throw new Error('Not enough or too many segments');
    }

    // All segment should be base64
    var headerSeg = segments[0];
    var payloadSeg = segments[1];
    var signatureSeg = segments[2];

    // base64 decode and parse JSON
    var header = JSON.parse(base64urlDecode(headerSeg));
    var payload = JSON.parse(base64urlDecode(payloadSeg));

    return {
      header: header,
      payload: payload,
      signature: signatureSeg
    }

  }
}

function base64urlDecode(str) {
  return new Buffer(base64urlUnescape(str), 'base64').toString();
};

function base64urlUnescape(str) {
  str += Array(5 - str.length % 4).join('=');
  return str.replace(/-/g, '+').replace(/_/g, '/');
}

我正在使用此解码来确定是否需要从以下位置提取新的公共证书:https://www.googleapis.com/oauth2/v1/certs

I am using this decoding to determine if I need to pull in a new public cert from: https://www.googleapis.com/oauth2/v1/certs

然后我使用该公共证书和 node-jws (https://github.com/brianloveswords/node-jws) jws.verify(id_token, cert) 来验证签名！

Then I am using that public cert and node-jws (https://github.com/brianloveswords/node-jws) jws.verify(id_token, cert) to verify the signature!

万岁！再次感谢您在回复中提供的额外解释.这在帮助我理解我什至试图做的事情方面大有帮助.希望这对其他人也有帮助.

Hooray! Thanks again for the extra explanation you gave in your response. That went a long way in helping me understand what I was even trying to do. Hope this might help others too.

推荐答案

从规范来看，你遇到的是[OpenID Connect].

From the specification point of view, what you are encountering is [OpenID Connect].

id_token 是一个 [JWS] 签名的 [JWT].在这种情况下，它是一个."具有三个组件的分隔字符串.第一部分是标题.第二个是有效载荷.三是签名.它们中的每一个都是 Base64url 编码的字符串.

id_token is a [JWS] signed [JWT]. In this case, it is a "." separated string with three components. The first portion is the header. The second is the payload. The third is the signature. Each of them are Base64url encoded string.

当你解码标题时，你会得到类似的东西:

When you decode the header, you will get something like:

{"alg":"RS256","kid":"43ebb53b0397e7aaf3087d6844e37d55c5fb1b67"}

{"alg":"RS256","kid":"43ebb53b0397e7aaf3087d6844e37d55c5fb1b67"}

alg"表示签名算法为RS256，在[JWA]中定义.kid"表示与用于签名的密钥相对应的公钥的密钥id.

The "alg" indicates that the signature algorithm is RS256, which is defined in [JWA]. The "kid" indicates the key id of the public key that corresponds to the key used to sign.

现在我准备回答你的一些问题:

Now I am ready to answer some of your questions:

2:我如何知道何时需要引入它的新版本?

2: How will I know when I need to pull in a fresh version of it?

当缓存的证书文件(一个 [JWK] 文件)的孩子与标头中的孩子不匹配时，获取一个新的证书文件.(顺便说一句，您从中提取证书的 URL 称为 x5u.)

When the kid of the cached cert file (a [JWK] file) does not match the kid in the header, fetch a new cert file. (BTW, the URL from which you pull the certs are called x5u.)

3:似乎为 noVerify 传递了 true(jwt.decode 中的第三个参数)这是一个可怕的想法.我怎样才能让它工作而不通过它在?

3: It seems like passing in true for noVerify (3rd arg in jwt.decode) is a terrible idea. How can I get that to work without passing that in?

确实如此.也许您可能想查看另一个库，例如 kjur.github.io/jsjws/.

Indeed. Perhaps you might want to look at another library such as kjur.github.io/jsjws/ .

参考文献

• [OpenID 连接] openid.bitbucket.org/openid-connect-core-1_0.html
• [JWS] tools.ietf.org/html/draft-ietf-jose-json-web-signature
• [JWT] tools.ietf.org/html/draft-ietf-oauth-json-web-token
• [JWK] tools.ietf.org/html/draft-ietf-oauth-json-web-keys
• [JWA] tools.ietf.org/html/draft-ietf-jose-json-web-algorithms

这篇关于如何在节点应用程序中解码 google OAuth 2.0 JWT (OpenID Connect)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！