
java - How to verify a token signature in Nimbus JOSE + JWT

Reposted. Author: 行者123. Updated: 2023-11-30 06:10:31

I use Nimbus JOSE + JWT to pass a token back and forth between the server and the client on every resource request.

The code that creates the JWT token:

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.logging.Level;
import java.util.logging.Logger;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

public class TokenProvider {

    String token = "";

    public String getToken(String email) {
        try {
            // A fresh RSA key pair is generated on every call
            KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA");
            keyGenerator.initialize(1024);

            KeyPair kp = keyGenerator.genKeyPair();
            RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
            RSAPrivateKey privateKey = (RSAPrivateKey) kp.getPrivate();

            System.out.println("publicKey: " + publicKey);
            System.out.println("privateKey: " + privateKey.toString());

            JWSSigner signer = new RSASSASigner(privateKey);

            // Mutable claims-set setters (Nimbus JOSE + JWT 3.x API)
            JWTClaimsSet claimsSet = new JWTClaimsSet();
            claimsSet.setSubject("RTH");
            claimsSet.setCustomClaim("email", email);
            claimsSet.setCustomClaim("role", "USER");
            claimsSet.setIssuer("https://rth.com");
            claimsSet.setExpirationTime(new Date(new Date().getTime() + 60 * 1000));

            SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);

            signedJWT.sign(signer);
            token = signedJWT.serialize();
            // TokenSaverAndValidatorDAO is the asker's own persistence class
            TokenSaverAndValidatorDAO tokenSaver = new TokenSaverAndValidatorDAO();
            tokenSaver.saveTokenToDB(email, token);

            signedJWT = SignedJWT.parse(token);

            // Verify the freshly issued token with the public half of the same key pair
            JWSVerifier verifier = new RSASSAVerifier(publicKey);
            System.out.println("verifier: " + verifier);
            System.out.println("verify method: " + signedJWT.verify(verifier));
            assertTrue(signedJWT.verify(verifier));
            assertEquals("RTH", signedJWT.getJWTClaimsSet().getSubject());
            assertEquals("https://rth.com", signedJWT.getJWTClaimsSet().getIssuer());
            assertTrue(new Date().before(signedJWT.getJWTClaimsSet().getExpirationTime()));
        } catch (JOSEException | ParseException | NoSuchAlgorithmException ex) {
            Logger.getLogger(TokenProvider.class.getName()).log(Level.SEVERE, null, ex);
        }
        return token;
    }
}

So far it works fine, but the question is: how do I verify the signature of the token received from the client?

From the API, only one method looks like it is meant for verification, but it only accepts the public key (RSAPublicKey) as a parameter, not the token.

Anyone who works with JWT using this library, please help. Thanks

Best answer

The sample code does this, but you already have all the code needed to do it in your question.

For a shared key:

JWSVerifier verifier = new MACVerifier(sharedKey.getBytes());

If you are using an RSA key pair (as in your example), you just supply the public key:

JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);

Then ask it to verify the signature, noting that it throws an exception if the signature is invalid:

boolean verifiedSignature = false;

try {
    JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
    verifiedSignature = signedJWT.verify(verifier);
}
catch (JOSEException e) {
    System.err.println("Couldn't verify signature: " + e.getMessage());
}

A complete method to check the token signature might look like this:

public static boolean isSignatureValid(String token) {
    // Parse the JWS and verify its RSA signature
    // publicKey: the RSA public key matching the signing key (assumed to be a field of the enclosing class)
    SignedJWT signedJWT;
    try {
        signedJWT = SignedJWT.parse(token);
        JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
        return signedJWT.verify(verifier);
    } catch (ParseException | JOSEException e) {
        return false;
    }
}
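As an added example (not code from the question or the answer above): the verification the answer describes, carried out against one long-lived key pair so that the public key used to verify is the one whose private half signed the token, and with the alg header, issuer and expiry checked alongside the signature. The class and method names (TokenService, issue, isValid) are assumed, and the Builder API is the Nimbus JOSE + JWT 4.x+ replacement for the setters in the question.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class TokenService {
    private static final String ISSUER = "https://rth.com";
    private final RSAPrivateKey privateKey; // signs; never leaves the server
    private final RSAPublicKey publicKey;   // verifies; the same key for every token

    public TokenService() throws java.security.NoSuchAlgorithmException {
        // One key pair for the lifetime of the service, not one per token (2048-bit, not 1024)
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        privateKey = (RSAPrivateKey) kp.getPrivate();
        publicKey = (RSAPublicKey) kp.getPublic();
    }

    public String issue(String email) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject("RTH").issuer(ISSUER).claim("email", email).claim("role", "USER")
            .expirationTime(new Date(System.currentTimeMillis() + 60_000)).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(privateKey));
        return jwt.serialize();
    }

    // Signature, algorithm, issuer and expiry must all pass; any parse error fails closed
    public boolean isValid(String token) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // Pin the expected algorithm so a token with a different "alg" header is rejected
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) return false;
            if (!jwt.verify(new RSASSAVerifier(publicKey))) return false;
            JWTClaimsSet c = jwt.getJWTClaimsSet();
            Date exp = c.getExpirationTime();
            return ISSUER.equals(c.getIssuer()) && exp != null && exp.after(new Date());
        } catch (ParseException | JOSEException e) {
            return false;
        }
    }
}
```

A token issued by one TokenService instance verifies only with that instance's public key, which is exactly why the question's per-call key pair leaves nothing to verify against later.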

For "java - How to verify a token signature in Nimbus JOSE + JWT", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/35668971/
