Auth0 - verify JWT

I'm trying to verify my JWT returned from the OpenID flow using Auth0 libraries. This is my code:

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import org.apache.commons.codec.binary.Base64; // decodeBase64 comes from commons-codec

@Test
void verify() {
    final String token = "eyJraWQiOiJpc2FjLW9pZGMiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lzYWMuc3ZpbnQuaW5mb2NlcnQuaXQiLCJzdWIiOiJNMDE0MDE2OCIsImF1ZCI6IkVDT01NRVJDRSIsImV4cCI6MTU5NDkwNTc4OSwiaWF0IjoxNTk0OTA1NDg5LCJqdGkiOiJ2SmljeGNSTkQ1RkVCd3BGVzE2TWF3IiwibmJmIjoxNTk0OTA1MzY5LCJhdXRoX3RpbWUiOjE1OTQ5MDU0ODN9.EsK6lR9vHtLWAeoKvBL_ipJJqvzJMKCOKSPMUUcSK4W7MStQHQc0TlN20-2P8reCi69zQ-R2Fn2V_i-JnH8N1rz_Ar-SdX4ghI2BStOL8Z1Sl3iZZ3VV7dJBqAvrq5mZXTj7bdzbFwdDIEdSVYTrEDvJuNIOYP0e7RSQ5Hi-QA6tatW5_ir3DrSYDACNcXE1sacvdA2onIsyw1UrD1XW9nqsZSn4wWA0totQGJcA1FYjQb0-28Ttkt2P_5uYaX_VDojKQVfhUTJZQKGeKjBpRCVmV__I1U-nVhSnP5UcgCnjbJkO72aIGLWj7I0lLJF2gSmicfqmrAlu8MHMokAmxw";
    final String publicKey = "??"; // Base64 of the DER-encoded (X.509 SubjectPublicKeyInfo) public key
    try {
        // Rebuild the RSA public key from its Base64-encoded X.509 DER form
        byte[] publicBytes = Base64.decodeBase64(publicKey);
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicBytes);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PublicKey pubKey = keyFactory.generatePublic(keySpec);

        // Public key only: this side verifies, it never signs
        final Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) pubKey, null);
        final JWTVerifier verifier = JWT.require(algorithm)
                .withIssuer("https://isac.svint.infocert.it")
                .build(); // Reusable verifier instance
        final DecodedJWT jwt = verifier.verify(token);
        logger.info("{}", jwt);
    } catch (JWTVerificationException | NoSuchAlgorithmException | InvalidKeySpecException exception) {
        // Invalid signature/claims or unusable key material
        Assertions.fail(exception.getMessage());
    }
}

Now, I'm not sure about the correct procedure for obtaining the public key. Following the OpenID / OAuth2 protocol, the identity provider exposes this API:

{{endpoint}}/keys

{
    "keys": [
        {
            "kty": "RSA",
            "kid": "myidp-oidc",
            "use": "sig",
            "alg": "RS256",
            "n": "<some_value>",
            "e": "AQAB"
        }
    ]
}

How can I use the above info to obtain the key and verify the JWT?

Solved, I had to import this into pom.xml:

<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>jwks-rsa</artifactId>
    <version>0.9.0</version>
    <scope>test</scope>
</dependency>

And then:

import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;

final String token = "<some_token>";

try {
    // Decode without verifying, only to read the "kid" header and pick the matching JWK
    final DecodedJWT decodedJWT = JWT.decode(token);
    final JwkProvider provider = new UrlJwkProvider(new URL("<endpoint_idp>/keys"));
    final Jwk jwk = provider.get(decodedJWT.getKeyId());
    final Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);

    final JWTVerifier verifier = JWT.require(algorithm)
            .withIssuer("<issuer>")
            .build(); // Reusable verifier instance
    final DecodedJWT verifiedJWT = verifier.verify(token);
    logger.info("{}", verifiedJWT);
} catch (JWTVerificationException | JwkException | MalformedURLException exception) {
    // Invalid signature/claims, key not found in the JWKS, or bad endpoint URL
    Assertions.fail(exception.getMessage());
}
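The following is an added example (not part of the question or the self-answer) showing what the JWKS lookup does under the hood: it rebuilds an RSA public key from the "n" and "e" members of a JWK entry like the one in the /keys response above, selects the key by the token's kid, pins the algorithm to RS256, and requires issuer and audience, not just issuer. Because the page's key material is redacted, the example stands in for the IdP with a freshly generated key pair; the kid "myidp-oidc" is taken from the question, while the issuer, audience and subject are constructed values.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.RSAPublicKeySpec;
import java.util.*;

public class JwkVerifyExample {
    // JWK "n" and "e" are unpadded base64url, big-endian unsigned integers (RFC 7518 section 6.3.1)
    static RSAPublicKey publicKeyFromJwk(String n, String e) throws GeneralSecurityException {
        Base64.Decoder b64 = Base64.getUrlDecoder();
        RSAPublicKeySpec spec = new RSAPublicKeySpec(new BigInteger(1, b64.decode(n)), new BigInteger(1, b64.decode(e)));
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(spec);
    }

    // Select the key by the token's kid, reject any alg other than RS256, require issuer and audience
    static DecodedJWT verify(String token, Map<String, RSAPublicKey> keysByKid, String iss, String aud) {
        DecodedJWT unverified = JWT.decode(token); // header is read only to choose the key, nothing is trusted yet
        RSAPublicKey key = keysByKid.get(unverified.getKeyId());
        if (key == null) throw new JWTVerificationException("unknown kid: " + unverified.getKeyId());
        if (!"RS256".equals(unverified.getAlgorithm())) throw new JWTVerificationException("alg is not RS256");
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(key, null))
                .withIssuer(iss).withAudience(aud).acceptLeeway(30).build();
        return verifier.verify(token); // checks signature, exp/nbf/iat (30 s leeway), iss and aud
    }

    static String b64url(BigInteger i) { // minimal unsigned encoding, as a JWK publishes it
        byte[] b = i.toByteArray();
        if (b[0] == 0) b = Arrays.copyOfRange(b, 1, b.length); // drop BigInteger's sign byte
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the IdP: mint a token and publish its public key as a JWK entry
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        String token = JWT.create().withKeyId("myidp-oidc").withIssuer("https://idp.example")
                .withAudience("my-api").withSubject("user-1")
                .withExpiresAt(new Date(System.currentTimeMillis() + 300_000))
                .sign(Algorithm.RSA256(pub, (RSAPrivateKey) kp.getPrivate()));
        Map<String, RSAPublicKey> keys = Map.of("myidp-oidc",
                publicKeyFromJwk(b64url(pub.getModulus()), b64url(pub.getPublicExponent())));
        System.out.println("subject: " + verify(token, keys, "https://idp.example", "my-api").getSubject());
        try { verify(token, keys, "https://idp.example", "other-api"); } // wrong audience must fail
        catch (JWTVerificationException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In production the keysByKid map is what UrlJwkProvider fills from the /keys endpoint; the kid check and the alg pin matter because the header is attacker-controlled until the signature has been verified.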
