How to validate a JWT from WSO2 API Manager

Question

What is the recommended way for validating that a JWT was issued by a specific API Manager instance in a case where the backend web service lives on a separate server and needs to be certain that a given request passed through the APIM Gateway authentication and authorization mechanisms?

I know that the header fields in the JWT include an 'x5t' field which is an encoded reference to a certificate in the tenant key store, as detailed here:

https://asankastechtalks.wordpress.com/2013/12/05/obtaining-certificate-used-to-sign-a-jwt/

Since the backend web service is on a separate server, do we need to distribute the public key to it somehow? Also, how can we update the certificate that is used to sign the JWT since right now it is using the default?

Recommended answer

This is how you can get the certificate from the local store using the x5t hash in the WSO2 token as a lookup:

// Namespaces needed for the snippet below (System.IdentityModel.Tokens.Jwt comes from the NuGet package of the same name)
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// 'token' is the compact-serialized JWT string the gateway forwards with the request (by default in the X-JWT-Assertion header)
// Use JwtSecurityTokenHandler to parse the JWT token; note that ReadToken only decodes it, the signature is not checked here
var tokenHandler = new JwtSecurityTokenHandler();

// Read the JWT
var parsedJwt = (JwtSecurityToken)tokenHandler.ReadToken(token);

// Get X509 public certificate
var signerAlgorithm = parsedJwt.SignatureAlgorithm;
var signerHash = parsedJwt.Header["x5t"];
// WSO2 emits x5t as the base64 encoding of the hex SHA-1 thumbprint string, so decoding yields the hex thumbprint
var thumbprint = Encoding.UTF8.GetString(Convert.FromBase64String(signerHash.ToString()));

X509Store store = new X509Store(StoreName.TrustedPublisher);
store.Open(OpenFlags.ReadOnly);
var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
store.Close();
if (matches.Count == 0)
    throw new InvalidOperationException("No certificate in the store matches x5t thumbprint " + thumbprint);
var cert = matches[0];
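Looking the certificate up is only half of the answer to the question: the backend still has to verify the signature with that certificate and check the issuer and expiry before trusting the claims. The method below, an added example rather than code from the answer above, does that with the same System.IdentityModel.Tokens.Jwt library plus Microsoft.IdentityModel.Tokens; it assumes the gateway's public certificate has been installed in the local TrustedPublisher store, and the expected issuer string is passed in by the caller (a placeholder, since the page does not state WSO2's issuer value).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class GatewayJwtValidator
{
    // Returns the validated claims, or throws SecurityTokenException if the token
    // was not signed by a certificate in the trusted store, has the wrong issuer or has expired.
    public static ClaimsPrincipal Validate(string token, string expectedIssuer)
    {
        var handler = new JwtSecurityTokenHandler();
        var jwt = handler.ReadJwtToken(token); // decode only; the signature is checked below

        // WSO2 encodes x5t as base64(hex SHA-1 thumbprint), so decoding gives the hex thumbprint
        var x5t = jwt.Header["x5t"].ToString();
        var thumbprint = Encoding.UTF8.GetString(Convert.FromBase64String(x5t));

        // Only certificates deliberately installed in this store can validate tokens:
        // this is where the distributed gateway public key lives
        var store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        store.Close();
        if (found.Count == 0)
            throw new SecurityTokenSignatureKeyNotFoundException("No trusted certificate for x5t " + thumbprint);

        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new X509SecurityKey(found[0]), // pin the key to the x5t-referenced cert
            ValidateIssuer = true,
            ValidIssuer = expectedIssuer,                      // placeholder: the gateway's 'iss' value
            ValidateAudience = false,                          // WSO2 tokens carry no 'aud' by default
            ValidateLifetime = true,                           // reject expired tokens
            ClockSkew = TimeSpan.FromMinutes(1)
        };

        SecurityToken validated;
        return handler.ValidateToken(token, parameters, out validated);
    }
}
```

Rotating the signing certificate then only requires installing the new public certificate in the backend's store; the x5t header selects the right one per token, so old and new certificates can coexist during the changeover.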
