PHP中的Auth0 JWT令牌验证
[英]Auth0 JWT Token validation in PHP
问题描述
I'm attempting to send an Auth0 JWT from my client to my server and have the token validated. 
我正在尝试将Auth0 JWT从客户端发送到服务器,并验证令牌。 I send the token_id returned from the auth0 authentication to my server via AuthHttp headers and i can obtain it without an issue within PHP. 我通过AuthHttp标头将auth0身份验证返回的token_id发送到我的服务器,并且在PHP中我可以毫无问题地获取它。
Short and Simple: 简短:
- Angular 2 Auth0 JWT gets sent to the PHP server. Angular 2 Auth0 JWT被发送到PHP服务器。
- How do i validate the signature is correct? 如何验证签名正确?
I have the Secret ID, i have the JWT helper class with the encode and decode. 我有Secret ID,我有带有编码和解码的JWT帮助程序类。
How do i check the header and body = the signature of the JWT sent over, if that's even the correct way to do it. 如果那是正确的方法,我如何检查标头和正文=发送的JWT的签名。
Edit: 编辑:
I pass in my token which is 我通过了我的令牌
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvbG93aWUuZXUuYXV0aDAuY29tXC8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNDY4ODk4NjgxNzEwNjQ3Mjc5MCIsImF1ZCI6IlYwWWVaREliYmVGdEJ4Z3F2UkNzVkFjWWxscXpaZGlNIiwiZXhwIjoxNDc4NzMxNjIzLCJpYXQiOjE0Nzg2OTU2MjN9._uyKrxJ0lPR-tEPjOFiI5ygeiM689gqURcIfG4sWkWc
In which i then get the body of this token and make it into an array 然后我在其中获取此令牌的主体并将其放入数组中
Array ( [iss] => https://lowie.eu.auth0.com/ [sub] => google-oauth2|104688986817106472790 [aud] => V0YeZDIbbeFtBxgqvRCsVAcYllqzZdiM [exp] => 1478731623 [iat] => 1478695623 )
Once i have the array, this is my payload right? 一旦有了阵列,这就是我的有效载荷吗?
// Here's an image of the token being verified as right https://gyazo.com/93777863d988d8c6ef0fc4ea50755949 //这是已验证正确的令牌的图像https://gyazo.com/93777863d988d8c6ef0fc4ea50755949
so why does the below code not give me the same token? 那么为什么以下代码没有给我相同的令牌?
$jwt = JWT::encode($bodyArray, "SuperSecureSecretSecret");
yet i receive this back 但是我收到了这个
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2xvd2llLmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNDY4ODk4NjgxNzEwNjQ3Mjc5MCIsImF1ZCI6IlYwWWVaREliYmVGdEJ4Z3F2UkNzVkFjWWxscXpaZGlNIiwiZXhwIjoxNDc4NzMxNjIzLCJpYXQiOjE0Nzg2OTU2MjN9.6lEg_0h0zytQZVBqDe-ZIS5PoSkFAJhWtRYSgaDCesY
1 个解决方案
解决方案1
0 2016-11-09 09:07:44
You should use an existing library that supports the type of JWT signature you're using. 您应该使用支持您所使用的JWT签名类型的现有库。 For a quick reference on your available options for PHP check the Libraries section in jwt.io . 有关您可用的PHP选项的快速参考,请查看jwt.io中的Libraries部分。
Using an existing library is preferred in most situations, however, it's also important to do some assessment on the quality of the library. 在大多数情况下,首选使用现有的库,但是,对库的质量进行一些评估也很重要。
For JWT signature validation read this article ( Critical vulnerabilities in JSON Web Token libraries ) to ensure that your usage of the libraries does not lead to possible vulnerabilities. 对于JWT签名验证,请阅读本文( JSON Web令牌库中的严重漏洞 ),以确保您对库的使用不会导致可能的漏洞。
Update: 更新:
The tokens are different because they are signed with different keys and the payload also differs; 令牌是不同的,因为它们是用不同的密钥签名的,并且有效载荷也有所不同。 the iss in one is "https://lowie.eu.auth0.com/" and on the other is "https:\\/\\/lowie.eu.auth0.com\\/" . 的iss在一个是"https://lowie.eu.auth0.com/"和另一个是"https:\\/\\/lowie.eu.auth0.com\\/" You can check that by decoding the payload with a Base64 decoder and look at the raw output. 您可以通过使用Base64解码器解码有效负载并查看原始输出来进行检查。
More importantly, you should not be creating any tokens, just validating that they are valid and were issued by the trusted issuer to which you delegated the actual authentication process. 更重要的是,您不应创建任何令牌,而只是验证它们是有效的,并且是由您将实际身份验证过程委派给该令牌的可信发行者所发行的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.