
Handshake in JWT public/private key authentication using vertx

I created a small vertx auth-server which signs/generates JWT tokens using a public/private key.

        PrivateKey privateKey = CertUtil.getPrivateKey("config/private_key.der");
        PublicKey publicKey = CertUtil.getPublicKey("config/public_key.der");

        // Create a JWT Auth Provider
        JWTAuth jwt = JWTAuth.create(vertx, new JWTAuthOptions()
                .setPubSecKeys(List.of(new PubSecKeyOptions()
                        .setAlgorithm("RS256")
                        .setPublicKey(Base64.getEncoder().encodeToString(publicKey.getEncoded()))
                        .setSecretKey(Base64.getEncoder().encodeToString(privateKey.getEncoded())))));
        // protect the API
        router.route("/api/*").handler(JWTAuthHandler.create(jwt, "/api/new-token"));

        // this route is excluded from the auth handler
        router.get("/api/new-token").handler(ctx -> this.generateAndSendToken(ctx, jwt));

        // this is the secret API
        router.get("/api/protected").handler(ctx -> {
            ctx.response().putHeader("Content-Type", "text/plain");
            ctx.response().end("a secret you should keep for yourself...");
        });

        vertx.createHttpServer().requestHandler(router).listen(8080);

Now when I access /api/new-token from the client I get a JWT token back, signed by my auth-server above. However, I have some open questions:

  • How is the auth-server making sure that the client has the server's public key and that it is genuine?
  • How can the client send a public key to the auth-server?
  • How can I make /api/new-token secure so only legitimate clients can connect to it?

Why don't you delegate this task to Keycloak, an Open Source Identity and Access Management? It adds authentication to your app and secures services with minimum fuss.

We have used it in our project and it works pretty well!

To plug it into Vert.x, you can follow these tutorials:
