【发布时间】:2020-05-12 23:17:01
【问题描述】:
我有一个 OAuth 访问令牌(来自 Azure)。我想验证签名。
我已经解码了令牌
标题
{
"typ": "JWT",
"alg": "RS256",
"x5t": "abc123",
"kid": "abc123"
}
还有有效载荷
{
"aud": "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"iss": "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/",
"iat": 1580132587,
"nbf": 1580132587,
"exp": 1580136487,
"acct": 0,
"acr": "1",
"aio": "xxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxx==",
"amr": [
"pwd"
],
"appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxf",
"appidacr": "0",
"ipaddr": "yyy.yyy.yyy.yyy",
"name": "test",
"oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"scp": "user_impersonation",
"sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"tid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"unique_name": "test@mycompany.onmicrosoft.com",
"upn": "test@mycompany.onmicrosoft.com",
"uti": "xxxxxxxxxxxxx-xxxxxxxxx",
"ver": "1.0"
}
(验证目标受众(aud)后)我需要验证签名。为此,我首先需要计算签名。这样做
- 我需要调用 Azure 元数据文档来确认标头中的公钥。
- 从中我得到了公钥(JWKS URI),例如
https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys
-
这给了我一个数组
[{ "kty": "RSA", "use": "sig", "kid": "abc123", "x5t": "abc123", "n": "...", "e": "...", "x5c": [..."], "issuer": " https: //login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, { "kty": "RSA", "use": "sig", "kid": "...", "x5t": "...", "n": "....", "e": "...", "x5c": ["."], "issuer": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, ] 我检查
kid和x5t是否与标题中的字段匹配。
问题
- 如何计算实际签名?在我的情况下,签名算法是 RS256,所以我必须做这样的事情
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), public_key)
- 什么是 public_key?
- 在原生 Javascript 中是否有函数 RSASHA256 ?
【问题讨论】:
标签: javascript azure oauth-2.0 jwt