dongtao4787 2016-12-10 16:55
浏览 85
已采纳

语言并验证JWT

I have been searching for an example I can understand of how to validate the signature of a JWT with the GO Language.

This might be especially tricky since I am using Okta, and it uses JWKs, so it is not especially straight forward.

When I receive a JWT, I can decode it no problem, just get stuck on how to verify the signature.

Below I have included a JWT, and the JWK details. If anyone is comfortable with this, and can complete signature validation with an Example, that would be amazing.:)

You can get to all of this information here: https://oktaproxy.com/oidcgenerator.php, this site will generate a JWT from Okta, and the keys can be obtained here: https://companyx.okta.com/oauth2/v1/keys.

Here is the JWT: 

eyJhbGciOiJSUzI1NiIsImtpZCI6Ind5TXdLNEE2Q0w5UXcxMXVvZlZleVExMTlYeVgteHlreW1ra1h5Z1o1T00ifQ.eyJzdWIiOiIwMHUxOGVlaHUzNDlhUzJ5WDFkOCIsIm5hbWUiOiJva3RhcHJveHkgb2t0YXByb3h5IiwidmVyIjoxLCJpc3MiOiJodHRwczovL2NvbXBhbnl4Lm9rdGEuY29tIiwiYXVkIjoidlpWNkNwOHJuNWx4ck45YVo2ODgiLCJpYXQiOjE0ODEzODg0NTMsImV4cCI6MTQ4MTM5MjA1MywianRpIjoiSUQuWm9QdVdIR3IxNkR6a3RUbEdXMFI4b1lRaUhnVWg0aUotTHo3Z3BGcGItUSIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBveTc0YzBnd0hOWE1SSkJGUkkiLCJub25jZSI6Im4tMFM2X1d6QTJNaiIsInByZWZlcnJlZF91c2VybmFtZSI6Im9rdGFwcm94eUBva3RhLmNvbSIsImF1dGhfdGltZSI6MTQ4MTM4ODQ0MywiYXRfaGFzaCI6Im1YWlQtZjJJczhOQklIcV9CeE1ISFEifQ.OtVyCK0sE6Cuclg9VMD2AwLhqEyq2nv3a1bfxlzeS-bdu9KtYxcPSxJ6vxMcSSbMIIq9eEz9JFMU80zqgDPHBCjlOsC5SIPz7mm1Z3gCwq4zsFJ-2NIzYxA3p161ZRsPv_3bUyg9B_DPFyBoihgwWm6yrvrb4rmHXrDkjxpxCLPp3OeIpc_kb2t8r5HEQ5UBZPrsiScvuoVW13YwWpze59qBl_84n9xdmQ5pS7DklzkAVgqJT_NWBlb5uo6eW26HtJwHzss7xOIdQtcOtC1Gj3O82a55VJSQnsEEBeqG1ESb5Haq_hJgxYQnBssKydPCIxdZiye-0Ll9L8wWwpzwig

Here are the Keys:

{
   "keys":[
      {
         "alg":"RS256",
         "e":"AQAB",
         "n":"ok6rvXu95337IxsDXrKzlIqw_I_zPDG8JyEw2CTOtNMoDi1QzpXQVMGj2snNEmvNYaCTmFf51I-EDgeFLLexr40jzBXlg72quV4aw4yiNuxkigW0gMA92OmaT2jMRIdDZM8mVokoxyPfLub2YnXHFq0XuUUgkX_TlutVhgGbyPN0M12teYZtMYo2AUzIRggONhHvnibHP0CPWDjCwSfp3On1Recn4DPxbn3DuGslF2myalmCtkujNcrhHLhwYPP-yZFb8e0XSNTcQvXaQxAqmnWH6NXcOtaeWMQe43PNTAyNinhndgI8ozG3Hz-1NzHssDH_yk6UYFSszhDbWAzyqw",
         "kid":"wyMwK4A6CL9Qw11uofVeyQ119XyX-xykymkkXygZ5OM",
         "kty":"RSA",
         "use":"sig"
      },
      {
         "alg":"RS256",
         "e":"AQAB",
         "n":"nXv6FSAcMjuanQ2hIIUb8Vkqe94t98kPh2T8-0j6-Jq8pOclgKdtVeIZcBE9F_XiuJvg4b6WVs-uvA-pS8mmMvQ21xU5Q_37Cojv8v_QlHWETHwEJdXXiY2Xq5LgXDSwEhhdDZHSMQYDuvhp_P6nl2LNqqUvJkjoFWcnn2btgSIUQROIaDdxtx7_2h4oUi5u11BGSF2SZZiEpDAKT08Htv3uwXdwDA6ll99fbi8X8RmH5oY_tIZTeIzu50qHxElPewoYO8QrJYsO9oFcCPMHGxYWjXQEa-QZYgo0wS9zRIkeJc5kshc4-9Uhv2DVIjk_-ofGlML9ieggGyillBKptw",
         "kid":"GRF55Lbzgg4sANCmER-sm55eX_qUOpY8UTptDmDG_6U",
         "kty":"RSA",
         "use":"sig"
      }
   ]
}
  • 写回答

1条回答 默认 最新

  • duanbogan5878 2016-12-10 17:07
    关注

    Below is an example of JWT decoding and verification. It uses both the jwt-go and jwk packages:

    package main

import (
    "errors"
    "fmt"

    "github.com/dgrijalva/jwt-go"
    "github.com/lestrrat-go/jwx/jwk"
)

const token = `eyJhbGciOiJSUzI1NiIsImtpZCI6Ind5TXdLNEE2Q0w5UXcxMXVvZlZleVExMTlYeVgteHlreW1ra1h5Z1o1T00ifQ.eyJzdWIiOiIwMHUxOGVlaHUzNDlhUzJ5WDFkOCIsIm5hbWUiOiJva3RhcHJveHkgb2t0YXByb3h5IiwidmVyIjoxLCJpc3MiOiJodHRwczovL2NvbXBhbnl4Lm9rdGEuY29tIiwiYXVkIjoidlpWNkNwOHJuNWx4ck45YVo2ODgiLCJpYXQiOjE0ODEzODg0NTMsImV4cCI6MTQ4MTM5MjA1MywianRpIjoiSUQuWm9QdVdIR3IxNkR6a3RUbEdXMFI4b1lRaUhnVWg0aUotTHo3Z3BGcGItUSIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBveTc0YzBnd0hOWE1SSkJGUkkiLCJub25jZSI6Im4tMFM2X1d6QTJNaiIsInByZWZlcnJlZF91c2VybmFtZSI6Im9rdGFwcm94eUBva3RhLmNvbSIsImF1dGhfdGltZSI6MTQ4MTM4ODQ0MywiYXRfaGFzaCI6Im1YWlQtZjJJczhOQklIcV9CeE1ISFEifQ.OtVyCK0sE6Cuclg9VMD2AwLhqEyq2nv3a1bfxlzeS-bdu9KtYxcPSxJ6vxMcSSbMIIq9eEz9JFMU80zqgDPHBCjlOsC5SIPz7mm1Z3gCwq4zsFJ-2NIzYxA3p161ZRsPv_3bUyg9B_DPFyBoihgwWm6yrvrb4rmHXrDkjxpxCLPp3OeIpc_kb2t8r5HEQ5UBZPrsiScvuoVW13YwWpze59qBl_84n9xdmQ5pS7DklzkAVgqJT_NWBlb5uo6eW26HtJwHzss7xOIdQtcOtC1Gj3O82a55VJSQnsEEBeqG1ESb5Haq_hJgxYQnBssKydPCIxdZiye-0Ll9L8wWwpzwig`

const jwksURL = `https://companyx.okta.com/oauth2/v1/keys`

func getKey(token *jwt.Token) (interface{}, error) {

    // TODO: cache response so we don't have to make a request every time
    // we want to verify a JWT
    set, err := jwk.FetchHTTP(jwksURL)
    if err != nil {
        return nil, err
    }

    keyID, ok := token.Header["kid"].(string)
    if !ok {
        return nil, errors.New("expecting JWT header to have string kid")
    }

    if key := set.LookupKeyID(keyID); len(key) == 1 {
        return key[0].Materialize()
    }

    return nil, fmt.Errorf("unable to find key %q", keyID)
}

func main() {
    token, err := jwt.Parse(token, getKey)
    if err != nil {
        panic(err)
    }
    claims := token.Claims.(jwt.MapClaims)
    for key, value := range claims {
        fmt.Printf("%s\t%v
", key, value)
    }
}
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

  • 如何验证JWT签名?
    2013-04-24 08:51
    回答 2 已采纳 this is what I ended up doing (using https://github.com/dgrijalva/jwt-go): package XXX import (
  • Firebase JWT:签名验证失败 php
    2016-02-29 18:30
    回答 1 已采纳 You don't need $secretKey or base64_decode the key for that matter, just do: $jwt = \Firebase\JWT
  • Go和JWT-简单身份验证
    2016-03-26 13:56
    回答 4 已采纳 To start, you need to import a JWT library in Golang (go get github.com/dgrijalva/jwt-go). You can
  • 基于Java验证jwt token代码实例
    2020-08-25 06:02
    基于Java验证jwt token代码实例是指使用Java语言验证JSON Web Token(JWT)的代码实现。JWT是一种常用的身份验证机制,通过使用密钥对和加密算法来生成和验证token。 在这个代码实例中,使用了 Java 语言和Auth0...
  • jwt验证中,claims中有值,但解析之后返回null java spring boot 开发语言
    2022-08-04 21:39
    回答 1 已采纳 debug到这一行看下这个this对象的值
  • vue jwt作登录验证存储问题 ajax javascript php vue.js
    2021-01-04 13:51
    回答 8 已采纳 一般存cookie,发送http请求时cookie会被自动携带过去。至于刷新消失这个不用担心,cookie是可以设置有效时间的,一般不设置的话会被认为是会话级cookie,在关闭页面后消失。可以设置e
  • (Golang)JWT签名验证问题
    2016-03-11 21:16
    回答 1 已采纳 It's the Base64 encoding of the signature which can have the last letter changed to certain target
  • lua语言实现jwt源文件
    2023-01-17 11:06
    资源为lua语言调用jwt实现token验证的源文件,里面文件包括四个文件: evp.lua hmac.lua jwt-validators.lua jwt.lua 在你使用openresty的时候,需要调用jwt进行token操作,需要将这个四个文件拷贝到/usr/local/...
  • springboot使用shiro+jwt验证 前端每次携带jwt发送请求 都会进行重新登录一次并生成新的session java spring boot 其他 前端
    2022-01-20 17:11
    回答 3 已采纳 原因:前端axios访问没有携带shiro的jsession的cookie 导致shiro每次都会进行认证登录解决:开启axios携带cookie和后端开启跨域允许携带cookie就不会一直进行shi
  • PHP怎么使用jwt生成 token并且验证 php
    2021-12-01 13:06
    回答 2 已采纳 第一 账号密码登录 获取tokenJWT需要composer安装下,然后调用 $jwt_config = [ 'iss' => config('jwt.iss'), //签发者 可选
  • jwt密钥无效
    2017-06-29 03:43
    回答 2 已采纳 I think the example code you're referring to uses an outdated API of jwt-go. The RS256 signing met
  • JWT验证
    2021-01-30 15:09
    浮沉逆旅的博客 JWT 什么是JWT 官方文档网址:JWT introduction JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as...
  • jwt-token-verifier:验证JWT令牌OpenID提供程序
    2021-03-25 17:26
    "jwt-token-verifier"是一个专门用于验证JWT令牌的工具或库,它专注于与OpenID Connect提供程序(OP,OpenID Provider)交互。OpenID Connect是基于OAuth 2.0协议的身份认证层,它允许用户通过一个可信的第三方认证...
  • Go 中 JWT 身份验证指南
    2022-10-13 16:41
    pxr007的博客 JSON Web 令牌 (JWT) 是处理在线身份验证的流行方法,您可以使用任何服务器端编程语言实现 JWT 身份验证。对于一般的 JWT 阅读背景知识,我建议通过 LogRocket 博客上的这些文章了解更多关于JWT、最佳实践和使用 JWT...
  • JWT 生成Token及验证
    2019-01-22 14:10
    验证JWT的Token需要执行相反的操作,即首先对JWT的签名部分进行解码和验证,然后验证Header信息,以及检查Payload中的声明是否符合预期。在实际应用中,可以使用各种语言提供的JWT库来简化这一过程。 在使用JWT进行...
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥30 关于#java#的问题,请各位专家解答!
  • ¥30 vue+element根据数据循环生成多个table,如何实现最后一列 平均分合并
  • ¥20 pcf8563时钟芯片不启振
  • ¥20 pip2.40更新pip2.43时报错
  • ¥15 换yum源但仍然用不了httpd
  • ¥50 C# 使用DEVMOD设置打印机首选项
  • ¥15 麒麟V10 arm安装gdal
  • ¥20 OPENVPN连接问题
  • ¥15 flask实现搜索框访问数据库
  • ¥15 mrk3399刷完安卓11后投屏调试只能显示一个设备