我可以在 AWS IAM 上注册具有多个证书的 IDP 吗
[英]Can I register an IDP with multiple certificates on AWS IAM
问题描述
What I have is:
我所拥有的是:
- An OpenId Complaint service (Rest) that provides tokens提供令牌的 OpenId 投诉服务 (Rest)
- This service has multiple certificates (keyPairs) for signing tokens depending on some factors when requesting a token根据请求令牌时的某些因素,此服务有多个证书(keyPairs)用于签署令牌
- The service is implementing the 2 OpenId Endpoints (well known and certs)
- 该服务正在实施 2 个 OpenId 端点(众所周知的和证书)
What I did:我做了什么:
- I registered the service as an IDP on AWS IAM service successfully (hence my two OpenId Endpoints are working other wise AWS wont accept the IDP)我成功地将该服务注册为 AWS IAM 服务上的 IDP(因此我的两个 OpenId 端点正在工作,否则 AWS 不会接受 IDP)
- I created roles on IAM that are to be assumed using the IDP service tokens我在 IAM 上创建了要使用 IDP 服务令牌承担的角色
- I got two tokens from the IDP service to be used for assuming role (each signed with different key)我从 IDP 服务中获得了两个令牌用于承担角色(每个令牌都用不同的密钥签名)
Problem:问题:
- AssumeRole is failing and I'm getting invalid token exception for both tokens. AssumeRole 失败,我收到两个令牌的无效令牌异常。
I tried to set the "kid" claim in the tokens each with the corresponding kid of the certificate and it didn't work :(.我试图在令牌中设置“kid”声明,每个令牌都带有证书的相应孩子,但它不起作用:(。
Note:笔记:
- I'm assuming role using Java AWS API我使用 Java AWS API 担任角色
- When I remove one of the certificates (from the below sample response) the remaining certificate works fine.当我删除其中一个证书(从下面的示例响应中)时,剩余的证书工作正常。 So the problem is with having 2 certs, but I need to have and AWS should have a way of working with such case I just don't know how.所以问题在于拥有 2 个证书,但我需要拥有并且 AWS 应该有一种处理这种情况的方法,我只是不知道如何。
Sample of how my certs endpoint looks like:我的证书端点的示例:
{
"keys": [
{
"kid": "kid",
"kty": "kty",
"use": "use",
"alg": "alg",
"n": "nValue",
"e": "eValue",
"x5c": [
"cert1"
],
"x5t": "x5t=",
"x5t#S256": "x5t#S256"
},
{
"kid": "kid1",
"kty": "kty",
"use": "use",
"alg": "alg",
"n": "nValue",
"e": "eValue",
"x5c": [
"cert2"
],
"x5t": "x5t=",
"x5t#S256": "x5t#S256"
}
]
}
1 个解决方案
解决方案1
0 已采纳 2020-02-11 18:42:45
So the problem was that I tried to set the kid in the "claims" of the JWT.所以问题是我试图在 JWT 的“声明”中设置孩子。
However it turned out that ,in order for AWS to distinguish that this JWT was signed with this key (from the jwks response), it checks in the headers of the JWT.然而事实证明,为了让 AWS 区分这个 JWT 是用这个密钥签名的(来自 jwks 响应),它检查了 JWT 的标头。 If a kid is found in the header then it looks in the jwk response for the certificate with the corresponding kid.如果在标头中找到了孩子,那么它会在 jwk 响应中查找具有相应孩子的证书。
So to solve the issue I just had to set the kid of in the "headers" of the JWT.所以为了解决这个问题,我只需要在 JWT 的“标题”中设置孩子。
So if you are in java :所以如果你在 java 中:
public String buildToken(Key key) {
Map<String, Object> claims = new HashMap();
Map<String, Object> headers = new HashMap();
claims.put(claimName, someClaim);
...
headers.put(KID, KID_OF_THIS_TOKENS_CERTIFICATE);
...
return Jwts.builder().setClaims(claims).setHeader(headers).signWith(SignatureAlgorithm.RS256, key).compact();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.