[英]How to decode jwt token in javascript without using a library?
[英]How to verify an Azure OAuth Access JWT Token in native Javascript without using a library?
我有一个 OAuth 访问令牌(来自 Azure)。 我想验证签名。
我已经解码了令牌
标题
{
"typ": "JWT",
"alg": "RS256",
"x5t": "abc123",
"kid": "abc123"
}
和有效载荷
{
"aud": "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"iss": "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/",
"iat": 1580132587,
"nbf": 1580132587,
"exp": 1580136487,
"acct": 0,
"acr": "1",
"aio": "xxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxx==",
"amr": [
"pwd"
],
"appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxf",
"appidacr": "0",
"ipaddr": "yyy.yyy.yyy.yyy",
"name": "test",
"oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"scp": "user_impersonation",
"sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"tid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"unique_name": "test@mycompany.onmicrosoft.com",
"upn": "test@mycompany.onmicrosoft.com",
"uti": "xxxxxxxxxxxxx-xxxxxxxxx",
"ver": "1.0"
}
(在验证目标受众(aud)之后)我需要验证签名。 为此,我首先需要计算签名。 要做到这一点
https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys
这给了我一个数组
[{ "kty": "RSA", "use": "sig", "kid": "abc123", "x5t": "abc123", "n": "...", "e": "...", "x5c": [..."], "issuer": " https: //login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, { "kty": "RSA", "use": "sig", "kid": "...", "x5t": "...", "n": "....", "e": "...", "x5c": ["."], "issuer": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, ]
我检查kid
和x5t
匹配的头字段。
问题
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), public_key)
获取与收到的令牌的孩子匹配的 x5t。 这是公钥,尽管它通常需要转换为 PEM 格式。
大多数人然后使用经过认证的库来验证带有公钥的签名。 这是我的一些代码,用于验证 Azure 令牌。
我认为原生 JavaScript 指的是 NodeJS,因为访问令牌是通过 API 而不是 UI 验证的。
最终,我相信像 jsonwebtoken 这样的库调用底层操作系统加密代码 - 不适合胆小的人..
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.