Parsing a RS256 JWT from Xero using JJWT

Question

I'm trying to parse a JWT from Xero for SSO.
Xero documentation states "The JWT is a JSON payload signed with your client secret and the RS256 signing algorithm".
I can get the JWT from Xero. I know my "client secret" (string).

How do I put it together with setSigningKey to verify the response for RS256, using Java?
Thanks

Answer 1

Score: 1

Thanks for asking this question. I came to this as a complete beginner and there is quite a learning curve. Because I am proxying the Xero signin so I can support multiple domains with one app, I needed to handle the oauth2 stuff manually.
There are hardly any questions on this and it was driving me a bit crazy, so I have added a Python answer in case it helps others.

In Python 3, this is how it can be done:

    # using pip install pyjwt[crypto]
    import jwt
    ...

        def decode_id_token(self, id_token):
            # a method in a class I have, self.client_id is from the Xero app
            # decoded_without_verification = jwt.decode(id_token, options={"verify_signature": False})

            # Xero's JWKS endpoint: the RS256 public key is fetched from here, selected by the token's "kid"
            discovery_url = "https://identity.xero.com/.well-known/openid-configuration/jwks"
            jwks_client = jwt.PyJWKClient(discovery_url)
            signing_key = jwks_client.get_signing_key_from_jwt(id_token)
            # verifies the signature and the "aud" claim; raises jwt.exceptions.PyJWTError on failure
            decoded = jwt.decode(id_token, signing_key.key,
                                 algorithms=["RS256"], audience=self.client_id)
            return decoded

I don't know if there is some way to avoid hardcoding the discovery URL. I got it from this Xero discussion: https://community.xero.com/developer/discussion/115505302
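For the JJWT side of the question, here is an added example (not JJWT's, Xero's, or this answer's own code) assuming the JJWT 0.11.x API (jjwt-api, jjwt-impl and jjwt-jackson on the classpath). A locally generated key pair stands in for the key Xero publishes at the JWKS URL above, and `XeroIdTokenVerifier`, `CONSTRUCTED_CLIENT_ID` and `xero-kid-1` are made-up names. It shows the point the question's "client secret" wording obscures: RS256 is verified with the JWKS public key (rebuilt from `n`/`e`, chosen by the token's `kid`), never with the client secret, and the audience is pinned to your client id.

```java
import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.*;

public class XeroIdTokenVerifier {
    // Public key from a JWKS entry's base64url "n"/"e"; RS256 is verified with this, never with the client secret.
    static PublicKey fromJwk(String n, String e) throws GeneralSecurityException {
        Base64.Decoder dec = Base64.getUrlDecoder();
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(
                new BigInteger(1, dec.decode(n)), new BigInteger(1, dec.decode(e))));
    }
    // Checks the signature (key chosen by the header's "kid"), aud == client id and exp; any failure throws JwtException.
    static Claims verify(String idToken, Map<String, PublicKey> keysByKid, String clientId) {
        return Jwts.parserBuilder()
                .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                    public Key resolveSigningKey(JwsHeader header, Claims claims) {
                        Key k = keysByKid.get(header.getKeyId());
                        if (k == null) throw new JwtException("unknown kid: " + header.getKeyId());
                        return k;
                    }
                })
                .requireAudience(clientId)
                .build().parseClaimsJws(idToken).getBody();   // unsigned / "alg":"none" tokens are rejected here
    }
    public static void main(String[] args) throws Exception {
        String clientId = "CONSTRUCTED_CLIENT_ID";
        // Constructed stand-in for Xero's key; in production n, e and kid are read from Xero's JWKS endpoint.
        KeyPair kp = Keys.keyPairFor(SignatureAlgorithm.RS256);
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        Map<String, PublicKey> keys = Map.of("xero-kid-1", fromJwk(
                enc.encodeToString(pub.getModulus().toByteArray()),
                enc.encodeToString(pub.getPublicExponent().toByteArray())));
        String idToken = Jwts.builder().setHeaderParam("kid", "xero-kid-1")
                .setAudience(clientId).setSubject("user@example.com")
                .setExpiration(new Date(System.currentTimeMillis() + 60_000))
                .signWith(kp.getPrivate(), SignatureAlgorithm.RS256).compact();
        System.out.println("verified sub = " + verify(idToken, keys, clientId).getSubject());
        try {   // the same token presented to a different client id must be rejected
            verify(idToken, keys, "OTHER_CLIENT_ID");
        } catch (JwtException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

In production, fetch the JWKS document from the URL in this answer, cache it, and refresh it when a token arrives with a `kid` not in the cache, since Xero can rotate keys.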

Answer 2

Score: 0

Your goal is to just see the data in the id_token, correct?
> If your goal is to validate the legitimacy of the JWT, I'd recommend using a library to handle that security portion of validation: https://openid.net/developers/certified/

However, if what you're looking for is just the data contained within (email, first name, last name), you can simply decode the JWT with this lib. Or check out the decode function to roll your own (it will programmatically look up the hashing algo and decode it for you)

https://github.com/auth0/java-jwt#decode-a-token

huangapple
  • Posted on 2020-09-17 17:11:46
  • Please keep this link when reposting: https://go.coder-hub.com/63934848.html