gpt4 book ai didi

jwt - JWT.io 是如何知道我的公钥的?

转载 作者:行者123 更新时间:2023-12-04 14:22:08 29 4
gpt4 key购买 nike

我的 JSON 网络 token (JWT):

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InU0T2ZORlBId0VCb3NIanRyYXVPYlY4NExuWSIsImtpZCI6InU0T2ZORlBId0VCb3NIanRyYXVPYlY4NExuWSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0Ny8iLCJpYXQiOjE1NjM0MDY2NjQsIm5iZiI6MTU2MzQwNjY2NCwiZXhwIjoxNTYzNDEwNTY0LCJhaW8iOiI0MkZnWUJCdGZ6U3I3YnIvcDR0cWVxZGwvMndOQmdBPSIsImFwcGlkIjoiZjFmNmQ1NWUtY2YyYy00MjJkLWIxODYtODQ4NjI0ZGI5NWU4IiwiYXBwaWRhY3IiOiIyIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3LyIsIm9pZCI6ImRmOWRmZjhkLWJjYjUtNGIxNy04Y2VjLTRiZTFhMDFmOTIxMiIsInN1YiI6ImRmOWRmZjhkLWJjYjUtNGIxNy04Y2VjLTRiZTFhMDFmOTIxMiIsInRpZCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsInV0aSI6ImhpMDEtOFlSdUVtTExjeE05TDN6QUEiLCJ2ZXIiOiIxLjAifQ.kwfGrWiQwqhJpZfryW9D1hHDC2AC6tUT16OXkmlIeyxTMqY0gdO0U3KClYczDzMs6kpXc5sQOBaTrBQgERnfKf1nqrHoDmHzaKmY20LKByMopH9uhcPF3lkDNW--dfruNHywF6DZ4cLtgSWcZOBs_BAwQqy1i5Hja7WNf5InyhyscXjUdntIz9rK599IzvD8MwkgYViMEXATNNh2CvEqRp-AZxVjCP_cI6h9Lx3j8__9xRIoWIwnv_rqHGcPpg6hJMfUJMtlLjJaBo0h0veCCZj-fUORidN7EPHNSw9IJF29-nGhw6rmkcD7F8q6WpK8dUfiYGk_QxOCRTw9gpkKKA
当我将此 token 粘贴到 jwt.io 时,它会自动填写一个公钥并说 token 上的签名已经过验证。它是如何知道公钥的?

最佳答案

来自智威汤逊最佳实践 (RFC 8725) :

The means of determining the keys owned by an issuer is application-specific. As one example, OpenID Connect issuer valuesare https URLs that reference a JSON metadata document that containsa jwks_uri value that is an https URL from which the issuer's keysare retrieved as a JWK Set (RFC 7517). This same mechanism is used byietf-oauth-discovery. Other applications may use differentmeans of binding keys to issuers.


OpenID Connect (OIDC) 提供者元数据位置记录在 OIDC Discovery 中。规范

OpenID Providers supporting Discovery MUST make a JSON documentavailable at the path formed by concatenating the string/.well-known/openid-configuration to the Issuer. The syntax andsemantics of .well-known are defined in RFC 5785 and applyto the Issuer value when it contains no path component.


您的 token 的有效负载是
{
"aud": "https://management.azure.com/",
"iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
"iat": 1563406664,
"nbf": 1563406664,
"exp": 1563410564,
"aio": "42FgYBBtfzSr7br/p4tqeqdl/2wNBgA=",
"appid": "f1f6d55e-cf2c-422d-b186-848624db95e8",
"appidacr": "2",
"idp": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
"oid": "df9dff8d-bcb5-4b17-8cec-4be1a01f9212",
"sub": "df9dff8d-bcb5-4b17-8cec-4be1a01f9212",
"tid": "72f988bf-86f1-41af-91ab-2d7cd011db47",
"uti": "hi01-8YRuEmLLcxM9L3zAA",
"ver": "1.0"
}
Issueriss 表示宣称。如果你取 iss 的值, 附加 /.well-known/openid-configuration到它并弹出 resulting URL在浏览器中,您将看到 OIDC 提供者元数据。此元数据文档中的键之一是 jwks_uri它指向另一个带有 JSON Web key 集的文档。后者是一组 JSON Web key (JWK)。 JWK 是加密 key 的 JSON 表示。为了识别集合中所需的 JWK,声明 x5t (X.509 证书的 SHA-1 指纹)和/或 kid (key id/alias/name) 来自相关 token 。 jwt.io通过提取基于 iss 的 OIDC 元数据,成功地在整个序列的第一步作弊。宣称。如果 JWT 是由不使用 OpenID Connect 和/或未实现所有这些相关规范的服务发布的, jwt.io不会找到验证签名的 key 。

关于jwt - JWT.io 是如何知道我的公钥的?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57085381/

29 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com