[英]How to verify token signature in Nimbus JOSE + JWT
在使用Nimbus JOSE + JWT的每次資源請求中,我都有從服務器到客戶端的來回令牌
用於創建JWT令牌的代碼:
public class TokenProvider {
String token = "";
public String getToken(String email) {
try {
KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA");
keyGenerator.initialize(1024);
KeyPair kp = keyGenerator.genKeyPair();
RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) kp.getPrivate();
System.out.println("publicKey: " + publicKey);
System.out.println("privateKey: " + privateKey.toString());
JWSSigner signer = new RSASSASigner(privateKey);
JWTClaimsSet claimsSet = new JWTClaimsSet();
claimsSet.setSubject("RTH");
claimsSet.setCustomClaim("email", email);
claimsSet.setCustomClaim("role", "USER");
claimsSet.setIssuer("https://rth.com");
claimsSet.setExpirationTime(new Date(new Date().getTime() + 60 * 1000));
SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
signedJWT.sign(signer);
token = signedJWT.serialize();
TokenSaverAndValidatorDAO tokenSaver = new TokenSaverAndValidatorDAO();
tokenSaver.saveTokenToDB(email, token);
signedJWT = SignedJWT.parse(token);
JWSVerifier verifier = new RSASSAVerifier(publicKey);
System.out.println("verifier: " + verifier);
System.out.println("verify method: " + signedJWT.verify(verifier));
assertTrue(signedJWT.verify(verifier));
assertEquals("RTH", signedJWT.getJWTClaimsSet().getSubject());
assertEquals("https://rth.com", signedJWT.getJWTClaimsSet().getIssuer());
assertTrue(new Date().before(signedJWT.getJWTClaimsSet().getExpirationTime()));
} catch (JOSEException | ParseException | NoSuchAlgorithmException ex) {
Logger.getLogger(TokenProvider.class.getName()).log(Level.SEVERE, null, ex);
}
return token;
}
}
到目前為止,它工作正常,但問題是如何驗證從客戶端收到的令牌簽名?
從API來看,只有一種方法看起來像是用於驗證,但是它僅接受公鑰( RSAPublicKey )作為參數而不是令牌。
使用此庫從事JWT工作的任何人都請幫忙。 謝謝
有示例代碼可以執行此操作,但是您已在問題中使用了所有代碼來執行此操作。
對於共享密鑰:
JWSVerifier verifier = new MACVerifier(sharedKey.getBytes());
如果您使用的是RSA密鑰對(如您的示例所示),則只需提供公共密鑰:
JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
然后要求它驗證簽名,並指出如果簽名無效,它將引發異常:
boolean verifiedSignature = false;
try {
JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
verifiedSignature = signedJWT.verify(verifier);
}
catch (JOSEException e) {
System.err.println("Couldn't verify signature: " + e.getMessage());
}
檢驗令牌簽名的完整方法如下所示:
public static boolean isSignatureValid(String token) {
// Parse the JWS and verify its RSA signature
SignedJWT signedJWT;
try {
signedJWT = SignedJWT.parse(token);
JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
return signedJWT.verify(verifier);
} catch (ParseException | JOSEException e) {
return false;
}
}
如何使用 nimbus-jose-jwt 解碼 JWT 令牌以獲取 Header 和 Payload 的詳細信息?
[英]How to decode JWT token to get details of Header and Payload using nimbus-jose-jwt?
在 nimbus-jose-jwt 中,lifespan 和 refreshTime 有什么區別?
[英]In nimbus-jose-jwt, what is difference between lifespan and refreshTime?
有沒有一種干凈的方法來更改 Nimbus Jose JWT 中的默認 JWKSetCache TTL?
[英]Is there a clean way to change the default JWKSetCache TTL in Nimbus Jose JWT?
如何在Java中驗證Azure B2C id令牌的JWT簽名?
[英]How do I verify a JWT signature for an Azure B2C id token in Java?
nimbus-jose-jwt 和 io.jsonwebtoken - 選擇哪個 jjwt 庫,為什么?
[英]The nimbus-jose-jwt and io.jsonwebtoken - which jjwt library to pick and why?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.