在 GO 中验证 AWS Cognito JWT
[英]Validate AWS Cognito JWT in GO
问题描述
I am trying validate JWT returned from a login from AWS Cognito (hosted UI).
我正在尝试验证从 AWS Cognito(托管 UI)登录返回的 JWT。 I noticed that once the login is done in cognito, it tries to access my app with some params like "id_token" and "access_token".我注意到,一旦在 cognito 中完成登录,它就会尝试使用诸如“id_token”和“access_token”之类的一些参数来访问我的应用程序。 Checked with jwt.io and looks like "id_token" is the jwt.使用 jwt.io 检查,看起来“id_token”是 jwt。
As a test, I wrote a post function in GO expecting a body with the jwt token and the access token (and implemented from this answer )作为测试,我在 GO 中编写了一个 post 函数,期待一个带有 jwt 令牌和访问令牌的主体(并从这个答案中实现)
func auth(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
keyset, err := jwk.Fetch(context.Background(), "https://cognito-idp.{Region}.amazonaws.com/{poolID}/.well-known/jwks.json")
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
json.NewEncoder(w).Encode(&model.ErrorResponse{
Response: model.Response{
Result: false,
},
StatusCd: "500",
StatusDesc: "Failed to fetch jwks. Authorization failed.",
Error: "errRes",
})
}
authRequest := &model.AuthRequest{}
json.NewDecoder(r.Body).Decode(&authRequest)
parsedToken, err := jwt.Parse(
[]byte(authRequest.Token), //This is the JWT
jwt.WithKeySet(keyset),
jwt.WithValidate(true),
jwt.WithIssuer("https://cognito-idp.{Region}.amazonaws.com/{poolID}"),
jwt.WithAudience("{XX APP CLIENT ID XX}"),
jwt.WithClaimValue("key", authRequest.Access), //This is the Access Token
)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
json.NewEncoder(w).Encode(&model.ErrorResponse{
Response: model.Response{
Result: false,
},
StatusCd: "500",
StatusDesc: "Failed token parse. Authorization failed.",
Error: "errRes",
})
}
result := parsedToken
json.NewEncoder(w).Encode(result)
}
Packages I am using are我正在使用的软件包是
"github.com/lestrrat-go/jwx/jwk"
"github.com/lestrrat-go/jwx/jwt"
Obviously, it failed at the token parse.显然,它在令牌解析中失败了。 What am I doing wrong and also what should I do with the parsedToken ?我做错了什么,我应该怎么处理parsedToken ?
I am new to this so, I have no clue if this is the correct approach and would really like some guidance.我对此很陌生,所以我不知道这是否是正确的方法,并且真的需要一些指导。
1 个解决方案
解决方案1
0 2021-07-28 22:17:30
I would suggest to start out by doing the minimal checks -- ie, first try just parsing without validation, then add validations one by one:我建议从做最少的检查开始——即,首先尝试不进行验证就进行解析,然后逐一添加验证:
- jwt.Parse([]byte(token)) // probably fails because of JWS jwt.Parse([]byte(token)) // 可能因为 JWS 而失败
- jwt.Parse([]byte(token), jwt.WithKeySet(...)) // should be OK? jwt.Parse([]byte(token), jwt.WithKeySet(...)) // 应该没问题?
- jwt.Parse(..., jwt.WithValidation(true), ...) // add conditions one by one jwt.Parse(..., jwt.WithValidation(true), ...) // 一一添加条件
Please note that I have no idea what's in id_token, as I have never used Cognito If it's a raw JWT, you shouldn't need a key set, and (1) should work.请注意,我不知道 id_token 中有什么,因为我从未使用过 Cognito 如果它是原始 JWT,则您不需要密钥集,并且 (1) 应该可以工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.