stackoom
  简体   繁体   中英

Java code for verification of FusionAuth HS256 signed id token

 原文  2022-02-10 14:31:45       authentication/ oauth-2.0/ jwt/ fusionauth/ hmacsha256

Question

How to verify HS256 ID Token using FusionAuth java Client libraries?

Description: I have created an app in FusionAuth that has a Client ID and Client Secret generated, I have not touched any other section/tab like JWT etc, default JWT signing algo is OIDC standard HMAC SHA256.

I tried using following code approach to validate the token based on public key, but its not working for HS256 signed token, I searched over inte.net and found public key is not applicable for HS256

Could you please provide me a Java code to verify HS256 signed token using FusionAuth Java client libraries ( https://github.com/FusionAuth/fusionauth-jwt ). Please also let me know that do I need any additional configuration on FusionAuth Admin Console.

Code which I tried: It's giving blank public keys.

List<JSONWebKey> keys = JSONWebKeySetHelper.retrieveKeysFromJWKS("http://localhost:9011/.well-known/jwks.json");

Map<String, Verifier> publicKeyVerifiers = new HashMap<String, Verifier>();

JWT jwtDecoded = JWT.getDecoder().decode(idToken, publicKeyVerifiers);

2 answers

solution1
 2  2022-02-10 20:11:33

Tokens received by apps should usually be signed with an asymmetric key. You can then verify the digital signature of the token with its signing public key, which is provided via the JWKS endpoint. The most mainstream algorithm for tokens is RS256. Perhaps you need to reconfigure as suggested here ?. I think your code will then work also.

HS256 is a symmetric algorithm, which feels wrong, since clients would only be able to verify JWTs if they had the full signing key. This enables a malicious client to mint their own tokens, whereas only the Authorization Server should be able to do that. For this reason, if JWTs are ever signed with symmetric keys, the JWKS endpoint will not provide the token signing keys.

Meant to say Curity have a good related doc:

solution2
 1 ACCPTED  2022-02-10 14:45:19

It looks like there is an example in the README:

// Build an HMC verifier using the same secret that was used to sign the JWT
Verifier verifier = HMACVerifier.newVerifier("too many secrets");

// Verify and decode the encoded string JWT to a rich object
JWT jwt = JWT.getDecoder().decode(encodedJWT, verifier);

// Assert the subject of the JWT is as expected
assertEquals(jwt.subject, "f1e33ab3-027f-47c5-bb07-8dd8ab37a2d3");

https://github.com/FusionAuth/fusionauth-jwt#verify-and-decode-a-jwt-using-hmac

With HMAC signing you need to distribute the secret ( "too many secrets" in the example above) to all locations which need to verify the JWT.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Verification of ID token using FusionAuth- JWT library, getting PEMDecoderException: "Unexpected PEM Format" Why is my Azure Identity Experience Framework policy issuing a JwtToken with alg HS256 instead of RS256? What is signed authentication token? Generate a token for email verification in CodeIgniter 3 FusionAuth Lambdas token setting in headers and verification in jsonwebtoken Simple verification with code Java MongoDB Authentication Verification authentication token is encrypted but not signed - weakness? JWT generate token with algorithm ES256
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM