[英]How to verify an Azure OAuth Access JWT Token in native Javascript without using a library?
I have an OAuth Access Token (its from Azure).我有一个 OAuth 访问令牌(来自 Azure)。 I would like to verify the signature.
我想验证签名。
I've decoded the token我已经解码了令牌
Header标题
{
"typ": "JWT",
"alg": "RS256",
"x5t": "abc123",
"kid": "abc123"
}
And the payload和有效载荷
{
"aud": "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"iss": "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/",
"iat": 1580132587,
"nbf": 1580132587,
"exp": 1580136487,
"acct": 0,
"acr": "1",
"aio": "xxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxx==",
"amr": [
"pwd"
],
"appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxf",
"appidacr": "0",
"ipaddr": "yyy.yyy.yyy.yyy",
"name": "test",
"oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"scp": "user_impersonation",
"sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"tid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"unique_name": "test@mycompany.onmicrosoft.com",
"upn": "test@mycompany.onmicrosoft.com",
"uti": "xxxxxxxxxxxxx-xxxxxxxxx",
"ver": "1.0"
}
(After verifying the intended audience (aud)) I need to verify the signature. (在验证目标受众(aud)之后)我需要验证签名。 To do that I first need to calculate the signature.
为此,我首先需要计算签名。 To do that
要做到这一点
https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration
https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys
This gives me an array这给了我一个数组
[{ "kty": "RSA", "use": "sig", "kid": "abc123", "x5t": "abc123", "n": "...", "e": "...", "x5c": [..."], "issuer": " https: //login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, { "kty": "RSA", "use": "sig", "kid": "...", "x5t": "...", "n": "....", "e": "...", "x5c": ["."], "issuer": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, ]
I check that kid
and x5t
match the fields in the header.我检查
kid
和x5t
匹配的头字段。
Questions问题
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), public_key)
Get the x5t that matches the kid of the received token.获取与收到的令牌的孩子匹配的 x5t。 That is the public key, though it typically needs translating to PEM format.
这是公钥,尽管它通常需要转换为 PEM 格式。
Most people then use a certified library to validate the signature with the public key.大多数人然后使用经过认证的库来验证带有公钥的签名。 Here is some code of mine that does that to validate an Azure token.
这是我的一些代码,用于验证 Azure 令牌。
By native JavaScript I assume you mean NodeJS, since access tokens are validated by APIs and not UIs.我认为原生 JavaScript 指的是 NodeJS,因为访问令牌是通过 API 而不是 UI 验证的。
Ultimately I believe libraries like jsonwebtoken call underlying operating system crypto code - not for the faint hearted ..最终,我相信像 jsonwebtoken 这样的库调用底层操作系统加密代码 - 不适合胆小的人..
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.