wso2 api manager 3.1.0 jwks is not returning kid used to generate a token
After upgrading from WSO2 API Manager 3.0.0 to 3.1.0, I am facing a problem validating the JWT token that WSO2 generates for accessing the backend API:
Configuration in deployment.toml:
[apim.jwt]
enable = true
encoding = "base64" # base64,base64url
generator_impl = "DefaultJWTGenerator" #example
claim_dialect = "http://wso2.org/claims"
header = "Authorization"
signing_algorithm = "SHA256withRSA"
enable_user_claims = true
claims_extractor_impl = "org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever"
The kid added to the generated token is missing from the response of the /oauth2/jwks URL.
For example, the header of a generated token:
{
"typ": "JWT",
"alg": "RS256",
"kid": "ODFjMzAxZjhmNzY2MDBhOTBlNDYwNGY2Yzc1MWM1YjgzYzJmYTJlMA"
}
Response from /oauth2/jwks:
{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"M2Y4OGJhNzhlMzJiNzgwMjU3NDBmNTc3ZWIyNDNlMTQyYmQwM2JhZWIyNjgxODNlNGE4ODAwMTAyYWRmODI4Yg_RS256","alg":"RS256","n":"1n880ZJW22CKADeTMLm-d1K75fuUqu6ciV9-iw3kAfmevx_SMxpv5Gm7nj_t5HeXZcBKIhOQT-wZwdaZcEQBSEwXDOgNrGM4upYzGwqm6Q_lg7tAlpz_7zpJlf_buOlUwz0Fsbnuw25cYhMg67P1mSIQ8MuhfZ3mG_WScitDcGKKgNC0-9U6FN2txiauf2dVZzoSUrQLOvFhYmSO9z-Leb9pnhGLCPjXcStAoaHtI-F8yUXB-N-x1z0C1bp0KzaIPCIRdc5sy_8CYrAKVjp4bnuoaC5n5v3ciLTvBlvw5gvDMtLDdsmR4vmoBt2uz5_iEHMBEgb7q2ouwpDm2ER0PQ"}]}
I can see that the kid in the token comes from the wso2carbon key in the keystore.jks file, but I cannot find where the key in the jwks comes from.
The problem is that kid generation changed from SHA-1 to SHA-256. If you have the same problem, you can customize JWT token generation and set the kid with the code below:
String certThumbPrint = OAuth2Util.getThumbPrint(tenantDomain, tenantId);
JWSAlgorithm accessTokenSignAlgorithm = OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(signatureAlgorithm);
String kid = OAuth2Util.getKID(certThumbPrint, accessTokenSignAlgorithm);
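As an added example (not code from the question, the answer, or WSO2 itself): a small Python diagnostic that decodes the two kids quoted above, works out which digest each thumbprint was built with, and rebuilds a kid from certificate bytes. It assumes the WSO2 scheme is base64url(hex(digest(certificate DER))) with an optional "_" + algorithm suffix, as the "_RS256" ending of the JWKS kid suggests; the certificate bytes in the test are constructed, not a real certificate.

```python
import base64
import hashlib
import json

# Constructed sample input, copied from the question: the kid in the token header and the
# JWKS document served by /oauth2/jwks (the modulus "n" is omitted, it plays no role here).
TOKEN_KID = "ODFjMzAxZjhmNzY2MDBhOTBlNDYwNGY2Yzc1MWM1YjgzYzJmYTJlMA"
JWKS = json.loads('{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","alg":"RS256",'
                  '"kid":"M2Y4OGJhNzhlMzJiNzgwMjU3NDBmNTc3ZWIyNDNlMTQyYmQwM2JhZWIyNjgxODNlNGE4ODAwMTAyYWRmODI4Yg_RS256"}]}')

# The hex length of the decoded thumbprint identifies the digest that produced it.
DIGEST_BY_HEX_LEN = {40: "SHA-1", 64: "SHA-256"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode("ascii").rstrip("=")


def describe_kid(kid: str):
    """Split a WSO2-style kid into (hex thumbprint, digest name, algorithm suffix or None)."""
    thumb_b64, _, alg = kid.partition("_")
    hex_thumb = b64url_decode(thumb_b64).decode("ascii")
    return hex_thumb, DIGEST_BY_HEX_LEN.get(len(hex_thumb), "unknown"), (alg or None)


def thumbprint_kid(cert_der: bytes, digest: str, alg: str = "") -> str:
    """Assumed kid construction: base64url(hex(digest(cert DER))), optionally + "_" + alg."""
    hex_thumb = hashlib.new(digest, cert_der).hexdigest()
    kid = b64url_encode(hex_thumb.encode("ascii"))
    return f"{kid}_{alg}" if alg else kid


def diagnose(token_kid: str, jwks: dict) -> dict:
    """Explain why a token kid does or does not resolve against a JWKS document."""
    t_hex, t_digest, _ = describe_kid(token_kid)
    for key in jwks["keys"]:
        k_hex, k_digest, k_alg = describe_kid(key["kid"])
        if k_hex == t_hex:  # same certificate, same digest: the token can be validated
            return {"match": True, "digest": t_digest, "alg": k_alg}
        if t_digest != k_digest:  # same keystore, but token and JWKS disagree on the digest
            return {"match": False, "reason": f"token kid uses {t_digest}, JWKS kid uses {k_digest}"}
    return {"match": False, "reason": "no key with this thumbprint"}
```

Running diagnose(TOKEN_KID, JWKS) on the values from the question reports that the token kid is a SHA-1 thumbprint while the JWKS kid is a SHA-256 thumbprint, which is exactly the mismatch the answer describes.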