dongshen9058 2013-04-24 08:51
浏览 1154
已采纳

如何验证JWT签名?

I want to authenticate Android users with a Go AppEngine backend,

I can easily get an ID-token in Android by following http://android-developers.blogspot.co.il/2013/01/verifying-back-end-calls-from-android.html

the ID-token payload can be verified with the oauth2/v2 package of the https://code.google.com/p/google-api-go-client/ library.

some installation tweaks are necessary for using it with AppEngine, I found some pointers at http://golangtutorials.blogspot.co.il/2011/11/using-external-api-in-go-appengine.html

according to the doc: "Verify Signature It turns out that this is signed using a Google public/private key pair, and Google publishes the public keys (which we change regularly) at www.googleapis.com/oauth2/v1/certs; go ahead and have a look.

You have to verify that the ID Token, which is actually a JSON Web Token, was signed with one of those certs. Fortunately, there are decent libraries around to do this; in this post, I’ll give pointers for Java, Ruby, and PHP.

The libraries can cache the Google certs and only refresh them when required, so the verification is (almost always) a fast static call."

how do I verify in Go that the token was signed by Google?

  • 写回答

2条回答 默认 最新

  • dsgrs26202 2013-07-14 14:33
    关注

    this is what I ended up doing (using https://github.com/dgrijalva/jwt-go):

    package XXX

import (
    "errors"
    oauth2 "code.google.com/p/google-api-go-client/oauth2/v2"
    "jwt"
    "appengine"
    "appengine/urlfetch"
)

func getTokeninfo(c appengine.Context, token string) (*oauth2.Tokeninfo, error) {
    client := urlfetch.Client(c)

    oauth2Svc, err := oauth2.New(client) 

    if err != nil {
        return nil, err
    }

    return oauth2Svc.Tokeninfo().Id_token(token).Do()
}

func verifyToken(c appengine.Context, token string) (string, error) {
    parsedToken, err := jwt.Parse(token)

    if err != nil {
        c.Debugf(err.Error())
        return "", err
    }

    if parsedToken.Claims["aud"] != "XXX.apps.googleusercontent.com" {
        c.Debugf("aud mismatch")
        return "", errors.New("Aud mismatch")
    }

    if (parsedToken.Claims["azp"] != "XXX.apps.googleusercontent.com") && 
        (parsedToken.Claims["azp"] != "XXX.apps.googleusercontent.com") {

        c.Debugf("azp mismatch")
        return "", errors.New("Azp mismatch")
    }

    ti, err := getTokeninfo(c, token)

    if err != nil {
        c.Debugf(err.Error())
        return "", err
    }

    if (ti.Issued_to != "XXX.apps.googleusercontent.com") &&
        (ti.Issued_to != "XXX.apps.googleusercontent.com") {

        c.Debugf("cid mismatch")
        return "", errors.New("Client ID mismatch")
    }

    return ti.User_id, nil
}
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

  • 如何验证JWT签名
    2013-04-24 08:51
    回答 2 已采纳 this is what I ended up doing (using https://github.com/dgrijalva/jwt-go): package XXX import (
  • Firebase JWT签名验证失败 php
    2016-02-29 18:30
    回答 1 已采纳 You don't need $secretKey or base64_decode the key for that matter, just do: $jwt = \Firebase\JWT
  • (Golang)JWT签名验证问题
    2016-03-11 21:16
    回答 1 已采纳 It's the Base64 encoding of the signature which can have the last letter changed to certain target
  • jwt:进行JWT签名验证验证
    2021-02-03 14:31
    jwt(Go的JSON Web令牌)关于该软件包是 (或Golang)的JWT签名者,验证者和验证者。 尽管有许多用于Go的JWT软件包,但许多都缺乏对某些签名验证验证方法的支持,并且当它们不支持时,它们过于复杂。 该程序包在...
  • 语言并验证JWT
    2016-12-10 16:55
    回答 1 已采纳 Below is an example of JWT decoding and verification. It uses both the jwt-go and jwk packages: p
  • 如何允许任何用户使用Laravel JWT身份验证访问路由? laravel php
    2016-08-20 00:39
    回答 1 已采纳 To solve this dilemma , I made my own middleware based on the JWTAuth GetUserFromToken middleware,
  • 如何在laravel 5中使用代码编写测试时重用JWT令牌? laravel php
    2015-11-09 07:01
    回答 2 已采纳 You can grab the token from json by using call to $I->grabDataFromJsonResponse(). Example assum
  • go 实现 jwt 签名验证
    2022-03-16 16:47
    用户昵称不能为空的博客 现在是使用JWT header 来认证。 golang中很方便自带的签发jwt的token。最新使用的库是 go get -u github.com/golang-jwt/jwt/v4 注意 很多老人都在使用github.com/dgrijalva/jwt-go,而这个实际上已经不维护和更新...
  • 如何生成用于签名JWT的正确RSA密钥?
    2017-12-07 10:51
    回答 1 已采纳 You are passing a RSA PRIVATE KEY but calling jwt.ParseRSAPublicKeyFromPEM. You should be calling
  • Go和JWT-简单身份验证
    2016-03-26 13:56
    回答 4 已采纳 To start, you need to import a JWT library in Golang (go get github.com/dgrijalva/jwt-go). You can
  • spring security 和 shiro 和 jwt的区别? spring
    2020-05-16 23:45
    回答 1 已采纳 spring security 和 shiro比较类似,提供了一整套认证和授权的支持,前者是spring提供的框架,后者不是spring家族的。jwt只是一套身份认证的解决方案 ,相对比较单一,只是
  • JWT数字签名与token实现
    2023-06-28 11:57
    矩阵科学的博客 该信息可以被验证和信任,因为它是数字签名的。什么时候你应该用JSON Web Token?Authorization (授权) : 这是使用JWT的最常见场景。一旦用户登录,后续每个请求都将包含JWT,允许用户访问该令牌允许的路由、服务和...
  • 登录后如何自动添加JWT
    2017-07-13 16:02
    回答 2 已采纳 When using JWT, the client typically have to specify the token itself. To make the token handling
  • 什么是JWT
    2022-03-14 00:01
    从流域到海域的博客 什么是JWT?它的结构,工作方式,优点。
  • JWT验证
    2021-12-13 23:31
    熬夜复习的博客 什么是JWT JWT用于分布式系统的单点登录SSO场景,主要用来做用户身份鉴别...后端核对用户名和密码成功后,将用户的id等其他信息作为JWT Payload(负载)、将其与头部分别进行Base64编码拼接后签名,形成一个JWT。形成
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥15 求帮我调试一下freefem代码
  • ¥15 R语言Rstudio突然无法启动
  • ¥15 关于#matlab#的问题:提取2个图像的变量作为另外一个图像像元的移动量,计算新的位置创建新的图像并提取第二个图像的变量到新的图像
  • ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
  • ¥15 用windows做服务的同志有吗
  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图