
JWT signature is different between response and request headers

Question


I'm implementing an authentication API that uses JWT which is then stored in a cookie. The cookie is set correctly in the response header and it seems so in the request header. The problem is the signature of the access_token in the response and the one in the request are different. Therefore, upon validation, it fails.

[image: JWT signature is different between response and request headers]

As you can see in the image above, they're different. I'm confused about why it's changed in the request header. Is this an intended behavior? If so, how do I put it back to its original signature? This is how I'm setting the cookie:

atCookie := new(http.Cookie)
atCookie.Name = "access_token"
atCookie.Value = "my-access-token"

This is how I read it:

c.Cookie("access_token").Value

I'm using https://github.com/golang-jwt/jwt. I think I followed everything from the documentation. I'm using Echo as the framework. I've been trying to figure this out for hours; it would be nice if someone could help me.

UPDATE
Turns out I just needed to set the cookie path.

atCookie.Path = "/"

Not sure if this is correct, though, but it's able to save the cookie in the browser. It wasn't sending any cookie to the server at all. The Cookie header value is a mess as it's littered with cookies from other tabs, so that added to the confusion.
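The behaviour behind the update can be reproduced without a server: a browser (and Go's net/http/cookiejar, which follows the same RFC 6265 rules) only attaches a cookie whose Path was never set to requests under the directory of the URL that set it, so a token issued at /auth/login is not sent to /api/profile until Path is "/". The following is an added example, not code from the question or from Echo; it uses only the standard library, the origin app.example.test is constructed and the token value is a placeholder, not a real JWT. It also sets the HttpOnly, Secure and SameSite attributes that a session-bearing cookie should carry, and the last case shows that Secure keeps the token off plain HTTP.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// newAccessTokenCookie builds the access_token cookie. withPath controls
// whether Path is set to "/" as in the question's fix; the other attributes
// are the ones worth setting on any cookie that carries a session token.
// The token value is whatever the caller passes in (a placeholder here).
func newAccessTokenCookie(token string, withPath bool) *http.Cookie {
	c := &http.Cookie{
		Name:     "access_token",
		Value:    token,
		HttpOnly: true,                 // page scripts cannot read the token
		Secure:   true,                 // only sent over HTTPS
		SameSite: http.SameSiteLaxMode, // not attached to cross-site POSTs
	}
	if withPath {
		c.Path = "/" // sent with requests to every path on the origin
	}
	return c
}

// wouldBeSent stores cookie as if it arrived in a Set-Cookie response from
// setURL and reports whether a browser-like jar would attach it to a request
// for reqURL. The jar applies the default-path and Secure rules a browser
// uses, so this reproduces the situation in the question without a server.
func wouldBeSent(cookie *http.Cookie, setURL, reqURL string) (bool, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	su, err := url.Parse(setURL)
	if err != nil {
		return false, err
	}
	ru, err := url.Parse(reqURL)
	if err != nil {
		return false, err
	}
	jar.SetCookies(su, []*http.Cookie{cookie})
	for _, c := range jar.Cookies(ru) {
		if c.Name == cookie.Name {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	const login = "https://app.example.test/auth/login" // constructed origin
	token := "placeholder.jwt.value"                     // constructed, not a real JWT
	cases := []struct {
		desc   string
		cookie *http.Cookie
		reqURL string
	}{
		{"no Path, same directory", newAccessTokenCookie(token, false), "https://app.example.test/auth/refresh"},
		{"no Path, other directory", newAccessTokenCookie(token, false), "https://app.example.test/api/profile"},
		{"Path=/, other directory", newAccessTokenCookie(token, true), "https://app.example.test/api/profile"},
		{"Path=/, plain HTTP", newAccessTokenCookie(token, true), "http://app.example.test/api/profile"},
	}
	for _, tc := range cases {
		sent, err := wouldBeSent(tc.cookie, login, tc.reqURL)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-28s sent=%v\n", tc.desc, sent)
	}
}
```

Without Path the default is the directory of the setting URL ("/auth"), which is why the second case is not sent and the server sees no access_token at all on other routes. The jar also drops the Secure cookie for the plain-HTTP request, which is the intended effect: a token that is only ever sent over TLS cannot be read off the wire.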

Answer 1

Score: 1


The logs that you're showing come from a request to your login endpoint. You send one access token in a cookie to that endpoint, perform login, then issue a new access token and set it in the response header. I think this is a perfectly normal behaviour.

huangapple
  • Posted on 23 June 2021 12:08:34
  • Please keep this link when reposting: https://go.coder-hub.com/68093420.html