What is a JWT Issuer?

From this page: https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html:

> The fourth security-relevant reserved claim is "iss." This claim indicates the identity of the party that issued the JWT. The claim holds a simple string, of which the value is at the discretion of the issuer. The consumer of a JWT should always check that the "iss" claim matches the expected issuer (e.g., sso.example.com).

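For example, in Kubernetes, when I configure Kubernetes authentication like this to use the JWT for the Vault service account (from helm), I no longer get the ISS error when accessing Vault: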

vault write auth/kubernetes/config \
      token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
      kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
      kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
      issuer="https://kubernetes.default.svc.cluster.local"

But what does this URL mean? Is it a somewhat arbitrary string that is set when the JWT is generated?

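The JWT token issuer is the party that "created" the token and signed it with its private key.

Anyone can create a token; make sure the token you receive was created by a party you trust.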
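The check the answer describes, as an added example that is not part of the original question or answer: the consumer verifies the signature with the key it already trusts, and only then compares "iss" to the expected issuer string. Assumptions: HS256 with a shared demo secret stands in for the issuer's private-key signature so the code needs only the standard library, and the function names, keys and `sub` value are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used only to construct the sample tokens."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify(token: str, expected_iss: str, key: bytes) -> dict:
    """Return the claims only if the signature and the issuer both check out."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; the header is attacker-controlled input.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise ValueError("bad signature")
    # Only after the signature holds is "iss" worth comparing, and exactly.
    if not isinstance(claims, dict) or claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    return claims

ISSUER = "https://kubernetes.default.svc.cluster.local"  # issuer value from the page
CLUSTER_KEY = b"constructed-demo-key-cluster"            # constructed sample keys
OTHER_KEY = b"constructed-demo-key-other"
SUB = "system:serviceaccount:default:vault"              # constructed sample subject

def outcome(token: str) -> str:
    """Verify against the expected issuer and trusted key; return sub or the error."""
    try:
        return verify(token, ISSUER, CLUSTER_KEY)["sub"]
    except ValueError as exc:
        return str(exc)

genuine = sign({"iss": ISSUER, "sub": SUB}, CLUSTER_KEY)
forged = sign({"iss": ISSUER, "sub": SUB}, OTHER_KEY)  # right string, untrusted key
wrong_iss = sign({"iss": "https://other.example", "sub": SUB}, CLUSTER_KEY)
```

The `wrong_iss` case corresponds to the ISS error in the question: the token is validly signed, but its "iss" string does not equal the issuer the consumer was configured to expect.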