[英]How to validate JWT token from Google pub/sub push (No pem found for envelope)
I'm following Google's RTDNs guide on enabling Real-Time Developer Notifications.我正在关注谷歌关于启用实时开发者通知的 RTDNs指南。 I've successfully created the topic and subscription and have received the push notifications sent to the API that I have created.
我已经成功创建了主题和订阅,并收到了发送到我创建的 API 的推送通知。 I would now like to authenticate and validate these messages.
我现在想对这些消息进行身份验证和验证。 For that, I'm following this guide on Authentication and Authorization .
为此,我正在关注Authentication and Authorization 的本指南。 Their developer documentation here and here has a seemingly useful example.
他们的开发者文档在这里和这里都有一个看似有用的例子。
After following the resources outlined above, I get the following error:遵循上述资源后,我收到以下错误:
Error: No pem found for envelope: {"typ":"JWT","alg":"HS256"}
const authClient = new OAuth2Client();
// ...
app.post('/pubsub/authenticated-push', jsonBodyParser, async (req, res) => {
// Verify that the push request originates from Cloud Pub/Sub.
try {
// Get the Cloud Pub/Sub-generated JWT in the "Authorization" header.
const bearer = req.header('Authorization');
const [, token] = bearer.match(/Bearer (.*)/);
// Verify and decode the JWT.
// Note: For high volume push requests, it would save some network
// overhead if you verify the tokens offline by decoding them using
// Google's Public Cert; caching already seen tokens works best when
// a large volume of messages have prompted a single push server to
// handle them, in which case they would all share the same token for
// a limited time window.
// verifyIdToken is failing here with the `No pem found for envelope` error
const ticket = await authClient.verifyIdToken({
idToken: token,
audience: 'example.com',
});
// ...
} catch (e) {
res.status(400).send('Invalid token');
return;
}
res.status(200).send();
});
From this, I'm assuming I need to have some public key.由此,我假设我需要一些公钥。
I was able to find the source of this error in their code here :我可以在他们的代码中找到这个错误的来源:
if (!Object.prototype.hasOwnProperty.call(certs, envelope.kid)) {
// If this is not present, then there's no reason to attempt verification
throw new Error('No pem found for envelope: ' + JSON.stringify(envelope));
}
However, I've verified that the kid
attribute does indeed exist in the decoded object:但是,我已经验证在解码后的
kid
中确实存在 child 属性:
{"alg":"RS256","kid":"7d680d8c70d44e947133cbd499ebc1a61c3d5abc","typ":"JWT"}
Turns out the kid
was invalid and therefore threw the No pem found for envelope
error.原来这个
kid
是无效的,因此抛出了No pem found for envelope
。 Once a valid kid
was supplied, the error no longer persisted.一旦提供了有效的
kid
,错误就不再存在。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.