dongyi1524 2018-10-05 21:29

DEX LDAP connector token signing

I am playing around with DEX and openldap. When I get a token back in my browser and put it into the JWT debugger with the public key I generated, it doesn't verify the signature. I am trying to step through the code of DEX, but the debugging tools are not really working on my computer. I have resorted to log statements. I can't really find where I can observe the signing of the token to see if the program is using the keys I provided or not. Which function actually signs the token and how can I observe what key it uses to sign?

1 answer

  • dongzhihong3940 2018-11-27 19:51

    The key can be read from the DEX "keys" endpoint which can be obtained from:

    http://your.dex.com/.well-known/openid-configuration

    Typically, it would be something like:

    http://your.dex.co/keys

    After that, the public keys can be extracted using the following program:

    https://play.golang.org/p/wVusucNGDI

    One of those keys will be able to validate the token:

    from jose import jwt
    
    key = '''-----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArT9AtIlC8MxhLYhz8ODH
    ...
    +QIDAQAB
    -----END PUBLIC KEY-----'''
    
    encoded = 'eyJh...ocw'
    
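    # Leave audience empty to skip the "aud" check; set it to the client ID to enforce it.
    audience = ''
    if audience == "":
        opts = {"verify_aud": False}
    else:
        opts = {}
    # at_hash can only be checked when the access token is also supplied.
    opts['verify_at_hash'] = False
    # Pin the algorithm instead of accepting whatever the token header claims
    # (assumes Dex's default RS256 signing).
    decoded = jwt.decode(encoded, key, algorithms=['RS256'], audience=audience, options=opts)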
    
    print(decoded)
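Added example, not part of the original answer or of the Dex project: the steps described in the answer above (take the keys published at the keys endpoint, then check the token against them) done with only the Python standard library. It selects the JWKS entry by the token's `kid` and checks an RS256 signature; the function names, the key and the token are constructed for illustration, and RS256 signing is assumed.

```python
import base64, hashlib, hmac, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    """Decode unpadded base64url, as used in JWTs and JWKs."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def expected_em(signed, k):
    """EMSA-PKCS1-v1_5 block that a valid RS256 signature must decrypt to."""
    t = SHA256_PREFIX + hashlib.sha256(signed).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_with_jwks(token, jwks):
    """Return the claims if the JWKS key named by the token's kid verifies it."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64d(h64)), b64d(s64)
    except ValueError as exc:  # bad base64/JSON errors are ValueError subclasses
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected header or alg")  # never trust the token's alg
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != "RSA" or jwk.get("kid") != header.get("kid"):
            continue
        n = int.from_bytes(b64d(jwk["n"]), "big")
        e = int.from_bytes(b64d(jwk["e"]), "big")
        k = (n.bit_length() + 7) // 8
        s = int.from_bytes(sig, "big")
        if len(sig) == k and s < n and k >= 62:  # 62 = shortest block RS256 fits in
            em = pow(s, e, n).to_bytes(k, "big")
            if hmac.compare_digest(em, expected_em((h64 + "." + p64).encode(), k)):
                return json.loads(b64d(p64))
        raise ValueError("signature does not verify under kid %r" % header.get("kid"))
    raise ValueError("kid %r is not in the JWKS" % header.get("kid"))

def demo():
    """Constructed key (two Mersenne primes) and token; not real Dex data."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    num = lambda i: enc(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    signed = enc(b'{"alg":"RS256","kid":"k1"}') + "." + enc(b'{"sub":"jane"}')
    s = pow(int.from_bytes(expected_em(signed.encode(), k), "big"), d, n)
    token = signed + "." + enc(s.to_bytes(k, "big"))
    jwks = {"keys": [{"kty": "RSA", "kid": "k1", "n": num(n), "e": num(e)}]}
    return token, jwks, verify_with_jwks(token, jwks)
```

A `kid` that is missing from the JWKS means the token was signed by a key the issuer does not currently publish, which is a different failure from a bad signature. This checks the signature only; `exp`, `iss` and `aud` still need validating.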
    