如何在不使用库的情况下在本机 Javascript 中验证 Azure OAuth 访问 JWT 令牌?
[英]How to verify an Azure OAuth Access JWT Token in native Javascript without using a library?
问题描述
I have an OAuth Access Token (its from Azure).
我有一个 OAuth 访问令牌(来自 Azure)。 I would like to verify the signature.我想验证签名。
I've decoded the token我已经解码了令牌
Header标题
{
"typ": "JWT",
"alg": "RS256",
"x5t": "abc123",
"kid": "abc123"
}
And the payload和有效载荷
{
"aud": "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"iss": "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/",
"iat": 1580132587,
"nbf": 1580132587,
"exp": 1580136487,
"acct": 0,
"acr": "1",
"aio": "xxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxx==",
"amr": [
"pwd"
],
"appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxf",
"appidacr": "0",
"ipaddr": "yyy.yyy.yyy.yyy",
"name": "test",
"oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"scp": "user_impersonation",
"sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"tid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"unique_name": "test@mycompany.onmicrosoft.com",
"upn": "test@mycompany.onmicrosoft.com",
"uti": "xxxxxxxxxxxxx-xxxxxxxxx",
"ver": "1.0"
}
(After verifying the intended audience (aud)) I need to verify the signature. (在验证目标受众(aud)之后)我需要验证签名。 To do that I first need to calculate the signature.为此,我首先需要计算签名。 To do that要做到这一点
- I need to call the Azure metadata document to confirm the public key in the header.我需要调用 Azure 元数据文档来确认标头中的公钥。
https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration
- From that I get the public keys (JWKS URI), eg从中我得到公钥(JWKS URI),例如
https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys
This gives me an array
这给了我一个数组[{ "kty": "RSA", "use": "sig", "kid": "abc123", "x5t": "abc123", "n": "...", "e": "...", "x5c": [..."], "issuer": " https: //login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, { "kty": "RSA", "use": "sig", "kid": "...", "x5t": "...", "n": "....", "e": "...", "x5c": ["."], "issuer": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, ]I check that
kidandx5tmatch the fields in the header.我检查kid和x5t匹配的头字段。
Questions问题
- How to calculate the actual signature?如何计算实际签名? In my case the signing algorithm is RS256, so I got to do something like this在我的情况下,签名算法是 RS256,所以我必须做这样的事情
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), public_key)
- What is the public_key?什么是public_key?
- And in native Javascript is there a function RSASHA256 ?在原生 Javascript 中是否有函数 RSASHA256 ?
1 个解决方案
解决方案1
2 2020-01-27 18:10:54
Get the x5t that matches the kid of the received token.获取与收到的令牌的孩子匹配的 x5t。 That is the public key, though it typically needs translating to PEM format.这是公钥,尽管它通常需要转换为 PEM 格式。
Most people then use a certified library to validate the signature with the public key.大多数人然后使用经过认证的库来验证带有公钥的签名。 Here is some code of mine that does that to validate an Azure token. 这是我的一些代码,用于验证 Azure 令牌。
By native JavaScript I assume you mean NodeJS, since access tokens are validated by APIs and not UIs.我认为原生 JavaScript 指的是 NodeJS,因为访问令牌是通过 API 而不是 UI 验证的。
Ultimately I believe libraries like jsonwebtoken call underlying operating system crypto code - not for the faint hearted ..最终,我相信像 jsonwebtoken 这样的库调用底层操作系统加密代码 - 不适合胆小的人..
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.