jwt - JWT.io 是如何知道我的公钥的？

Question

我的 JSON 网络 token (JWT):

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InU0T2ZORlBId0VCb3NIanRyYXVPYlY4NExuWSIsImtpZCI6InU0T2ZORlBId0VCb3NIanRyYXVPYlY4NExuWSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0Ny8iLCJpYXQiOjE1NjM0MDY2NjQsIm5iZiI6MTU2MzQwNjY2NCwiZXhwIjoxNTYzNDEwNTY0LCJhaW8iOiI0MkZnWUJCdGZ6U3I3YnIvcDR0cWVxZGwvMndOQmdBPSIsImFwcGlkIjoiZjFmNmQ1NWUtY2YyYy00MjJkLWIxODYtODQ4NjI0ZGI5NWU4IiwiYXBwaWRhY3IiOiIyIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3LyIsIm9pZCI6ImRmOWRmZjhkLWJjYjUtNGIxNy04Y2VjLTRiZTFhMDFmOTIxMiIsInN1YiI6ImRmOWRmZjhkLWJjYjUtNGIxNy04Y2VjLTRiZTFhMDFmOTIxMiIsInRpZCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsInV0aSI6ImhpMDEtOFlSdUVtTExjeE05TDN6QUEiLCJ2ZXIiOiIxLjAifQ.kwfGrWiQwqhJpZfryW9D1hHDC2AC6tUT16OXkmlIeyxTMqY0gdO0U3KClYczDzMs6kpXc5sQOBaTrBQgERnfKf1nqrHoDmHzaKmY20LKByMopH9uhcPF3lkDNW--dfruNHywF6DZ4cLtgSWcZOBs_BAwQqy1i5Hja7WNf5InyhyscXjUdntIz9rK599IzvD8MwkgYViMEXATNNh2CvEqRp-AZxVjCP_cI6h9Lx3j8__9xRIoWIwnv_rqHGcPpg6hJMfUJMtlLjJaBo0h0veCCZj-fUORidN7EPHNSw9IJF29-nGhw6rmkcD7F8q6WpK8dUfiYGk_QxOCRTw9gpkKKA

当我将此 token 粘贴到 jwt.io 时，它会自动填写一个公钥并说 token 上的签名已经过验证。它是如何知道公钥的？

Answer 1

来自智威汤逊最佳实践 (RFC 8725) :

The means of determining the keys owned by an issuer is application-specific. As one example, OpenID Connect issuer valuesare https URLs that reference a JSON metadata document that containsa jwks_uri value that is an https URL from which the issuer's keysare retrieved as a JWK Set (RFC 7517). This same mechanism is used byietf-oauth-discovery. Other applications may use differentmeans of binding keys to issuers.

OpenID Connect (OIDC) 提供者元数据位置记录在 OIDC Discovery 中。规范

OpenID Providers supporting Discovery MUST make a JSON documentavailable at the path formed by concatenating the string/.well-known/openid-configuration to the Issuer. The syntax andsemantics of .well-known are defined in RFC 5785 and applyto the Issuer value when it contains no path component.

您的 token 的有效负载是

{
  "aud": "https://management.azure.com/",
  "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
  "iat": 1563406664,
  "nbf": 1563406664,
  "exp": 1563410564,
  "aio": "42FgYBBtfzSr7br/p4tqeqdl/2wNBgA=",
  "appid": "f1f6d55e-cf2c-422d-b186-848624db95e8",
  "appidacr": "2",
  "idp": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
  "oid": "df9dff8d-bcb5-4b17-8cec-4be1a01f9212",
  "sub": "df9dff8d-bcb5-4b17-8cec-4be1a01f9212",
  "tid": "72f988bf-86f1-41af-91ab-2d7cd011db47",
  "uti": "hi01-8YRuEmLLcxM9L3zAA",
  "ver": "1.0"
}

Issuer由 iss 表示宣称。如果你取 iss 的值, 附加 /.well-known/openid-configuration到它并弹出 resulting URL在浏览器中，您将看到 OIDC 提供者元数据。此元数据文档中的键之一是 jwks_uri它指向另一个带有 JSON Web key 集的文档。后者是一组 JSON Web key (JWK)。 JWK 是加密 key 的 JSON 表示。为了识别集合中所需的 JWK，声明 x5t (X.509 证书的 SHA-1 指纹)和/或 kid (key id/alias/name) 来自相关 token 。 jwt.io通过提取基于 iss 的 OIDC 元数据，成功地在整个序列的第一步作弊。宣称。如果 JWT 是由不使用 OpenID Connect 和/或未实现所有这些相关规范的服务发布的， jwt.io不会找到验证签名的 key 。