将Python后端从Gitkit迁移到使用python-jose的Firebase-Auth进行令牌验证 [英] Migrating Python backend from Gitkit to to Firebase-Auth with python-jose for token verification
问题描述
在GitHub 上有帮助的Google开发者告诉我为了创建用户会话,您的python后端服务器只需要一个JWT
库来验证Firebase身份验证令牌(签名和在
请求中,并从令牌负载中提取用户信息。
我在验证令牌。
这就是我所在的地方;为了开始迁移,我进行了以下操作:
-
我将Firebase-Auth添加到Android应用程序,但仍然有Gitkit在应用中,直到Firebase-Auth工作。现在我有两个登录按钮,一个登录到Firebase,另一个登录到几乎不推荐使用的Gitkit中。
-
在firebase.com上,我导入了Google项目导入到一个新的Firebase项目中,所以用户数据库是一样的。我已经设法在Android应用程序中使用Firebase-Auth,可以以已知用户的身份登录,并且可以通过调用
mFirebaseAuth成功检索我将用于后端服务器的令牌。 getCurrentUser()。为gettoken(假).getResult()。为gettoken()。它包含与GitKit标记相同的user_id。 现在我试图替换 I added Firebase-Auth to the Android App, while still having Gitkit in the App until Firebase-Auth works. Now I have two sign-in buttons, one which signs in into Firebase and one for the "almost deprecated" Gitkit.
On firebase.com I imported the Google project into a new Firebase Project, so the user database is the same. I've already managed to use Firebase-Auth in the Android App, am able to log-in as a known user and I can successfully retrieve the token which I will need for my backend server by calling
mFirebaseAuth.getCurrentUser().getToken(false).getResult().getToken(). It contains the sameuser_idas the GitKit token.
identity-toolkit-python-client 图书馆与 python-jose 。由于我目前不是将Firebase令牌发送到后端,而只是发送Gitkit令牌,所以我想在Gitkit令牌上测试这个 python-jose 库。 在后台调用 GitKit.VerifyGitkitToken()之前,我现在正在打印 jose.jwt.get_unverified_header()和 jose.jwt.get_unverified_claims()为了检查我是否看到我期望。结果是好的,我可以像预期的那样查看Gitkit令牌的内容。
我的问题伴随着验证。我无法使用 jose.jwt.decode()进行验证,因为我不知道我需要使用哪个密钥。
$ b
jose.jwt.decode(token,key,algorithms = None,options = None,audience = None, issuer = None,subject = None,access_token = None)
如果有任何帮助的话,aud字段也会被存储。
回到工程师的评论
验证Firebase身份验证令牌(签名和受众群体)
如何执行此操作与我有信息的信息?我猜受众是声明中的'aud'字段,但是如何检查签名?
一旦我删除了服务器上的Gitkit依赖项,我将继续进行迁移。
从我所看到的,GitKit库显然是通过一个RPC调用Google服务器进行验证,但是我可能是错的。那么,这将是Gitkit令牌验证以及Firebase令牌验证的关键所在?
https:// www可以获得密钥
.googleapis.com / robot / v1 / metadata / x509 / securetoken @ system.gserviceaccount.com
以及Gitkit在
https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys
使用Google oauth2client 库使得验证非常简单。 p>
但是,如果您想使用 python-jose 而不是 oauth2client ,然后您首先需要将PEM证书转换为RSA公钥( update:此问题已得到解决,对于Firebase,现在由库,向下滚动到此评论前的GitHub链接的末尾。不确定Gitkit )。这个公钥是需要使用的关键。而且观众不应该从JWT标题中提取,而是将其硬编码到源代码中,在Firebase中,观众是项目ID,而在Gitkit中,它是可以在Google Developer Console Credentials部分找到OAuth 2.0客户端ID。
$ b
JWT中的 kid header用于选择合适的证书,用于获取用于执行验证的密钥。
#firebase
#target_audience =firebase-project-id
#certificate_url ='https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'
#gitkit
target_audience =123456789-abcdef.apps.googleusercontent.com#(从开发者控制台,OAuth 2.0客户端ID)
certificate_url ='https://www.googleapis.com / identitytoolkit / v3 / relyingparty / publicKeys'
response = urllib.urlopen(certificate_url)
certs = res ponse.read()
certs = json.loads(certs)
printCERTS,certs
print''
print''
# --------------验证通过oauth2client $ b $从oauth2client进口crypt
crypt.MAX_TOKEN_LIFETIME_SECS = 30 * 86400#根据https://github.com/google/identity -toolkit-python-client / blob / master / identitytoolkit / gitkitclient.py
打印VALID TOKEN,crypt.verify_signed_jwt_with_certs(idtoken,certs,target_audience)
print''
print''
#--------------通过python-jose验证
从jose导入jwt
unverified_header = jwt.get_unverified_header(idtoken)
printUNVERIFIED HEADER,unverified_header
print''
print''
unverified_claims = jwt.get_unverified_claims(idtoken)
printUNVERIFIED CLAIMS,unverified_claims
print''
print''
from ssl import PEM_cert_to_DER_cert
from Crypto.Util.asn1 import DerSequence
pe m = certs [unverified_header ['kid']]
der = PEM_cert_to_DER_cert(pem)
c证书= DerSequence()
cert.decode(der)
tbsCertificate = DerSequence b $ b tbsCertificate.decode(cert [0])
rsa_public_key = tbsCertificate [6]
打印VALID TOKEN,jwt.decode(idtoken,rsa_public_key,algorithms = unverified_header ['alg'],audience = target_audience)
Over on GitHub a helpful Google dev told me that
to create a user session, your python backend server only needs a JWT library to verify the Firebase Auth token (signature and audience) in the request and extract the user info from the token payload.
I am having trouble with verifying the token.
This is where I'm at; In order to start the migration I proceeded as follows:
Now I'm attempting to replace the identity-toolkit-python-client library with python-jose. Since I'm currently not sending the Firebase token to the backend, but only the Gitkit token, I want to test this python-jose library on the Gitkit token.
On the backend, before calling GitKit.VerifyGitkitToken() i'm now printing out the results of jose.jwt.get_unverified_header() and jose.jwt.get_unverified_claims() in order to check if I get to see what I expect. The results are good, I am able to view the content of the Gitkit token just as expected.
My problem comes with the verification. I'm unable to use jose.jwt.decode() for verification because I don't know which key I need to use.
jose.jwt.decode(token, key, algorithms=None, options=None, audience=None, issuer=None, subject=None, access_token=None)
I know the algorithm from the header and an 'aud' field is also stored in the claims, if that is of any help.
Getting back to the engineers comment
verify the Firebase Auth token (signature and audience)
How do I do that with the info I have avaliable? I guess audience is the 'aud' field in the claims, but how do I check the signature?
Once I've removed the Gitkit dependency on the server, I will continue with the migration.
From what I've seen, the GitKit library apparently makes an "RPC" call to a Google server for verification, but I may be wrong.
So, which will be the key for Gitkit token verification as well as the one for the Firebase token verification?
The keys can be obtained
for Firebase at
https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
and for Gitkit at
https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys
Using Googles oauth2client library makes the verification very easy.
But if you want to use python-jose instead of oauth2client, then you first need to convert the PEM certificate into an RSA public key (update: this issue got fixed, for Firebase this is now handled by the library, scroll down to the end in the GitHub link preceding this comment. Not sure about Gitkit). This public key is then the key that needs to be used. And the audience should not be extracted from the JWT header, but hard coded into the source code, where in Firebase the audience is the project id and in Gitkit it is one of the OAuth 2.0 client IDs which can be found in the Google Developer Console Credentials section.
The kid in the JWT header is used to select the appropriate certificate which will be used to obtain the key used to perform the verification.
# firebase
# target_audience = "firebase-project-id"
# certificate_url = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'
# gitkit
target_audience = "123456789-abcdef.apps.googleusercontent.com" # (from developer console, OAuth 2.0 client IDs)
certificate_url = 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys'
response = urllib.urlopen(certificate_url)
certs = response.read()
certs = json.loads(certs)
print "CERTS", certs
print ''
print ''
# -------------- verify via oauth2client
from oauth2client import crypt
crypt.MAX_TOKEN_LIFETIME_SECS = 30 * 86400 # according to https://github.com/google/identity-toolkit-python-client/blob/master/identitytoolkit/gitkitclient.py
print "VALID TOKEN", crypt.verify_signed_jwt_with_certs(idtoken, certs, target_audience)
print ''
print ''
# -------------- verify via python-jose
from jose import jwt
unverified_header = jwt.get_unverified_header(idtoken)
print "UNVERIFIED HEADER", unverified_header
print ''
print ''
unverified_claims = jwt.get_unverified_claims(idtoken)
print "UNVERIFIED CLAIMS", unverified_claims
print ''
print ''
from ssl import PEM_cert_to_DER_cert
from Crypto.Util.asn1 import DerSequence
pem = certs[unverified_header['kid']]
der = PEM_cert_to_DER_cert(pem)
cert = DerSequence()
cert.decode(der)
tbsCertificate = DerSequence()
tbsCertificate.decode(cert[0])
rsa_public_key = tbsCertificate[6]
print "VALID TOKEN", jwt.decode(idtoken, rsa_public_key, algorithms=unverified_header['alg'], audience=target_audience)
这篇关于将Python后端从Gitkit迁移到使用python-jose的Firebase-Auth进行令牌验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
