[英]Token signature invalid error
我抛出了这个错误
com.auth0.jwt.exceptions.SignatureVerificationException:使用算法验证时令牌的签名无效:HmacSHA256
private static String SECRET = "some secret...";
public static DecodedJWT verify(String token) throws JWTVerificationException, UnsupportedEncodingException {
JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET))
.withIssuer("auth0")
.acceptLeeway(1)
.acceptExpiresAt(5 * 60)
.build();
return verifier.verify(token);
}
这个秘密有什么问题吗,在 jwt.io 网站上,我点击了 64 位编码的秘密,然后它变成了蓝色。
我尝试使用https://www.base64encode.net在 base 64 中编码我的秘密,但同样的问题。 请指教。
javadoc说您需要提供原始秘密值。 这意味着您需要对当前拥有的值进行base64解码:
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.io.UnsupportedEncodingException;
import java.util.Base64;
public class JwtVerification {
private static final String SECRET = "zZrq0sZK1yt9RJk51RTJ/jeU6WERbvr8nqKMWQJRX1E=";
public static DecodedJWT verify(String token) throws JWTVerificationException, UnsupportedEncodingException {
JWTVerifier verifier = JWT.require(Algorithm.HMAC256(Base64.getDecoder().decode(SECRET)))
.withIssuer("auth0")
.acceptLeeway(1)
.acceptExpiresAt(5 * 60)
.build();
return verifier.verify(token);
}
public static void main(String[] args) throws UnsupportedEncodingException {
final String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0aWQiOiJiZWJlMjM4Zi1iMGM4LTQwYzMtOTYyMC1jZDRlOGUyMzIwZGMiLCJvaWQiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJzdWIiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJpYXQiOjE1MTg0NDk5NzYsImV4cCI6MTUxODQ1MzU3NiwibmJmIjoxNTE4NDQ5OTc2fQ.6InknrU67g_HEkaLxD9Ul5vOzbYGf54mJNcSyPr-xek";
System.out.println(verify(token));
}
}
我目前收到此异常,但它看起来像是令牌本身的问题:
Exception in thread "main" com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'iss' value doesn't match the required one.
at com.auth0.jwt.JWTVerifier.assertValidStringClaim(JWTVerifier.java:424)
at com.auth0.jwt.JWTVerifier.verifyClaims(JWTVerifier.java:382)
at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:355)
at com.swiftkey.parametron.data.JWT2.verify(JWT2.java:23)
at com.swiftkey.parametron.data.JWT2.main(JWT2.java:28)
实际上,令牌没有指定iss字段,但由于.withIssuer("auth0") ,验证器希望它是 "auth0" 。
如果您查看令牌内部:
final String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0aWQiOiJiZWJlMjM4Zi1iMGM4LTQwYzMtOTYyMC1jZDRlOGUyMzIwZGMiLCJvaWQiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJzdWIiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJpYXQiOjE1MTg0NDk5NzYsImV4cCI6MTUxODQ1MzU3NiwibmJmIjoxNTE4NDQ5OTc2fQ.6InknrU67g_HEkaLxD9Ul5vOzbYGf54mJNcSyPr-xek";
final DecodedJWT decodedJwt = JWT.decode(token);
System.out.println("Header = " + decodedJwt.getHeader());
System.out.println("Algorithm = " + decodedJwt.getAlgorithm());
System.out.println("Audience = " + decodedJwt.getAudience());
decodedJwt.getClaims().forEach((k, v) -> {
System.out.println("Claim " + k + " = " + v.asString());
});
System.out.println("ContentType = " + decodedJwt.getContentType());
System.out.println("ExpiresAt = " + decodedJwt.getExpiresAt());
System.out.println("Id = " + decodedJwt.getId());
System.out.println("Issuer = " + decodedJwt.getIssuer());
System.out.println("Subject = " + decodedJwt.getSubject());
您将看到Issuer字段为null
Header = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
Algorithm = HS256
Audience = null
Claim sub = 922c2fb4-35b5-11d7-9a64-00b0d0fcb9e3
Claim nbf = null
Claim oid = 922c2fb4-35b5-11d7-9a64-00b0d0fcb9e3
Claim exp = null
Claim iat = null
Claim tid = bebe238f-b0c8-40c3-9620-cd4e8e2320dc
Claim email = test@test.com
ContentType = null
ExpiresAt = Mon Feb 12 16:39:36 GMT 2018
Id = null
Issuer = null
Subject = 922c2fb4-35b5-11d7-9a64-00b0d0fcb9e3
生成该令牌的人没有指定Issuer (又名iss )字段。 因此验证失败,因为我们将验证器设置为期望iss等于auth0 。
issuer-field 通常是一个类似 url 的值。 如果您的应用程序的 auth0 域是yourcompany.eu.auth0.com ,则发行人很可能是https://yourcompany.eu.auth0.com/
尝试改变
.withIssuer("auth0")
到
.withIssuer("https://yourcompany.eu.auth0.com/")
创建验证器时。
无法从中提取令牌和机密:'401未经授权-无效的签名
[英]Can't extract token and secret from this: '401 Unauthorized - Invalid signature
Azure AD 令牌签名的验证无效。 使用算法验证时,令牌的签名无效:SHA256withRSA
[英]Validation of Azure AD token signature is invalid. The Token's Signature resulted invalid when verified using the Algorithm: SHA256withRSA
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.