
java - Error decoding a JWT generated by AWS Cognito in Spring Security

Repost. Author: 行者123. Updated: 2023-11-29 09:26:31

We suddenly started getting the error below when decoding a JWT generated by AWS Cognito with Spring Security JWT.

    {
        "error": "access_denied",
        "error_description": "Invalid token does not contain resource id (oauth2-resource)"
    }

We are using Spring Boot version: 2.0.3.RELEASE

This is more specific to tokens generated by AWS Cognito, and to why it suddenly stopped working without any change to the codebase, Spring libraries or infrastructure.

Latest update: it seems AWS has reverted the change (adding the "aud" claim); the decoded JWTs are below.

Today's (16 October 2019) JWT:

    {
        "sub": "XXXXXXXXXXXX-6a8dd388a720",
        "token_use": "access",
        "scope": "XXXXXXXXXXXX",
        "auth_time": 1571227222,
        "iss": "YYYYYYYYYYYYYYYY",
        "exp": 1571230822,
        "iat": 1571227222,
        "version": 2,
        "jti": "XXXXXXXXXXXXXYYYYYYYYYYYYY",
        "client_id": "someclient_id",
        "username": "someusername"
    }

Yesterday we got (note the "aud" claim):

    {
        "sub": "xxxxxxxxxxxxx",
        "aud": "sameasclientid",
        "token_use": "access",
        "scope": "somescope",
        "auth_time": 1571132619,
        "iss": "rrrrrrrrrrrrrrrrrrrrr",
        "exp": 1571136219,
        "iat": 1571132619,
        "version": 2,
        "jti": "xxxxxxxxxxxxxxxxx",
        "client_id": "sameasclientid",
        "username": "someusername"
    }

Best answer

I ran into a similar problem; in my case I did not need to validate the "aud" parameter that had been added to the JWT claims.

This is not a correct implementation on AWS Cognito's part: "aud" should contain the resource ID of the resource server that will consume the token, but Cognito simply copies the same value as the "clientId". In our case, multiple clients can call a single resource server, and under Cognito's implementation the resource server would need to know the list of clientIds, which is wrong per the OAuth2 standard.

For more information see https://www.rfc-editor.org/rfc/rfc7523 , which says:

The JWT MUST contain an "aud" (audience) claim containing a value that identifies the authorization server as an intended audience. The token endpoint URL of the authorization server MAY be used as a value for an "aud" element to identify the authorization server as an intended audience of the JWT. The authorization server MUST reject any JWT that does not contain its own identity as the intended audience. In the absence of an application profile specifying otherwise, compliant applications MUST compare the audience values using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 [RFC3986]. As noted in Section 5, the precise strings to be used as the audience for a given authorization server must be configured out of band by the authorization server and the issuer of the JWT.

So if you do not need to validate the "aud" parameter, set the resource server's resourceId to null (the default is 'oauth2-resource'), as below.

    // Inside your ResourceServerConfigurerAdapter subclass
    @Override
    public void configure(ResourceServerSecurityConfigurer config) throws Exception {
        // A null resourceId turns off the "aud" / resource-id check
        config.resourceId(null).tokenServices(tokenServices());
    }

If the resource server's resourceId is null, Spring Security ignores the "aud" parameter.
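As an added illustration (not code from the question, the answer or Spring itself), the following standalone Java class models the resource-id check that Spring Security OAuth2 applies when it authenticates a token, run against claims shaped like the two tokens above; `checkAudience` and `audience` are names chosen here, and the claim values are constructed.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/** Models the audience / resource-id check behind the error on this page (not Spring's own code). */
public class AudienceCheckDemo {

    /**
     * Mirrors the rule Spring Security OAuth2 applies: the "aud" claim becomes the token's
     * resource ids, and if the resource server has a configured resourceId (default
     * "oauth2-resource") that is not among them, the token is rejected.
     * A null resourceId skips the check entirely, which is the fix given in the answer.
     */
    static String checkAudience(Map<String, Object> claims, String resourceId) {
        Collection<String> resourceIds = audience(claims);
        if (resourceId != null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {
            return "access_denied: Invalid token does not contain resource id (" + resourceId + ")";
        }
        return "accepted";
    }

    /** Per RFC 7519 "aud" may be a single string or an array; normalise to a collection. */
    @SuppressWarnings("unchecked")
    static Collection<String> audience(Map<String, Object> claims) {
        Object aud = claims.get("aud");
        if (aud == null) return Collections.emptyList();
        if (aud instanceof String) return Collections.singletonList((String) aud);
        return (Collection<String>) aud;
    }

    public static void main(String[] args) {
        // Constructed claims modelled on the two decoded tokens in the question.
        Map<String, Object> withAud = new HashMap<>();
        withAud.put("client_id", "sameasclientid");
        withAud.put("aud", "sameasclientid");          // Cognito copied client_id into aud
        Map<String, Object> withoutAud = new HashMap<>(withAud);
        withoutAud.remove("aud");

        // Default resourceId: yesterday's token (with aud) fails, today's (without aud) passes
        System.out.println(checkAudience(withAud, "oauth2-resource"));
        System.out.println(checkAudience(withoutAud, "oauth2-resource"));
        // The answer's fix: a null resourceId disables the audience check
        System.out.println(checkAudience(withAud, null));
        // Stricter option for a single-client resource server: require the client id as audience
        System.out.println(checkAudience(withAud, "sameasclientid"));
    }
}
```

The last case shows the trade-off the answer describes: keeping a non-null resourceId retains audience validation, but only works when the resource server knows which client ids Cognito will place in "aud".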

Regarding "java - Error decoding a JWT generated by AWS Cognito in Spring Security", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58393715/
