JWT.io 怎么知道我的 public 密钥?
How does JWT.io already know my public key?
我的 JSON 网络令牌 (JWT):
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InU0T2ZORlBId0VCb3NIanRyYXVPYlY4NExuWSIsImtpZCI6InU0T2ZORlBId0VCb3NIanRyYXVPYlY4NExuWSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0Ny8iLCJpYXQiOjE1NjM0MDY2NjQsIm5iZiI6MTU2MzQwNjY2NCwiZXhwIjoxNTYzNDEwNTY0LCJhaW8iOiI0MkZnWUJCdGZ6U3I3YnIvcDR0cWVxZGwvMndOQmdBPSIsImFwcGlkIjoiZjFmNmQ1NWUtY2YyYy00MjJkLWIxODYtODQ4NjI0ZGI5NWU4IiwiYXBwaWRhY3IiOiIyIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3LyIsIm9pZCI6ImRmOWRmZjhkLWJjYjUtNGIxNy04Y2VjLTRiZTFhMDFmOTIxMiIsInN1YiI6ImRmOWRmZjhkLWJjYjUtNGIxNy04Y2VjLTRiZTFhMDFmOTIxMiIsInRpZCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsInV0aSI6ImhpMDEtOFlSdUVtTExjeE05TDN6QUEiLCJ2ZXIiOiIxLjAifQ.kwfGrWiQwqhJpZfryW9D1hHDC2AC6tUT16OXkmlIeyxTMqY0gdO0U3KClYczDzMs6kpXc5sQOBaTrBQgERnfKf1nqrHoDmHzaKmY20LKByMopH9uhcPF3lkDNW--dfruNHywF6DZ4cLtgSWcZOBs_BAwQqy1i5Hja7WNf5InyhyscXjUdntIz9rK599IzvD8MwkgYViMEXATNNh2CvEqRp-AZxVjCP_cI6h9Lx3j8__9xRIoWIwnv_rqHGcPpg6hJMfUJMtlLjJaBo0h0veCCZj-fUORidN7EPHNSw9IJF29-nGhw6rmkcD7F8q6WpK8dUfiYGk_QxOCRTw9gpkKKA
当我将此令牌粘贴到 jwt.io 时,它会自动填写一个 public 密钥并表示令牌上的签名已经过验证。它如何知道 public 键?
来自 JWT 当前最佳实践 (RFC 8725) :
The means of determining the keys owned by an issuer is application-
specific. As one example, OpenID Connect issuer values
are https URLs that reference a JSON metadata document that contains
a jwks_uri value that is an https URL from which the issuer's keys
are retrieved as a JWK Set (RFC 7517). This same mechanism is used by
ietf-oauth-discovery. Other applications may use different
means of binding keys to issuers.
中记录了 OpenID Connect (OIDC) 提供程序元数据位置
OpenID Providers supporting Discovery MUST make a JSON document
available at the path formed by concatenating the string
/.well-known/openid-configuration to the Issuer. The syntax and
semantics of .well-known are defined in RFC 5785 and apply
to the Issuer value when it contains no path component.
您的令牌的有效载荷是
{
"aud": "https://management.azure.com/",
"iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
"iat": 1563406664,
"nbf": 1563406664,
"exp": 1563410564,
"aio": "42FgYBBtfzSr7br/p4tqeqdl/2wNBgA=",
"appid": "f1f6d55e-cf2c-422d-b186-848624db95e8",
"appidacr": "2",
"idp": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
"oid": "df9dff8d-bcb5-4b17-8cec-4be1a01f9212",
"sub": "df9dff8d-bcb5-4b17-8cec-4be1a01f9212",
"tid": "72f988bf-86f1-41af-91ab-2d7cd011db47",
"uti": "hi01-8YRuEmLLcxM9L3zAA",
"ver": "1.0"
}
Issuer 由 iss 声明表示。如果您获取 iss 的值,向其附加 /.well-known/openid-configuration 并将 resulting URL 弹出到您的浏览器中,您将看到 OIDC 提供商元数据。此元数据文档中的一个键是 jwks_uri,它指向另一个具有 JSON Web 键集 的文档。后者是一组 JSON Web Keys (JWKs)。 JWK 是加密密钥的 JSON 表示。要在集合中识别所需的 JWK,声明 x5t(X.509 证书的 SHA-1 指纹)and/or kid(密钥 ID/别名/名称)来自令牌使用问题。
jwt.io 通过根据 iss 声明提取 OIDC 元数据,成功地在整个序列的第一步作弊。如果 JWT 是由不使用 OpenID Connect 的服务发布的 and/or 没有实现所有这些相关规范,jwt.io 就不会找到验证签名的密钥。
我的 JSON 网络令牌 (JWT):
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InU0T2ZORlBId0VCb3NIanRyYXVPYlY4NExuWSIsImtpZCI6InU0T2ZORlBId0VCb3NIanRyYXVPYlY4NExuWSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0Ny8iLCJpYXQiOjE1NjM0MDY2NjQsIm5iZiI6MTU2MzQwNjY2NCwiZXhwIjoxNTYzNDEwNTY0LCJhaW8iOiI0MkZnWUJCdGZ6U3I3YnIvcDR0cWVxZGwvMndOQmdBPSIsImFwcGlkIjoiZjFmNmQ1NWUtY2YyYy00MjJkLWIxODYtODQ4NjI0ZGI5NWU4IiwiYXBwaWRhY3IiOiIyIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3LyIsIm9pZCI6ImRmOWRmZjhkLWJjYjUtNGIxNy04Y2VjLTRiZTFhMDFmOTIxMiIsInN1YiI6ImRmOWRmZjhkLWJjYjUtNGIxNy04Y2VjLTRiZTFhMDFmOTIxMiIsInRpZCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsInV0aSI6ImhpMDEtOFlSdUVtTExjeE05TDN6QUEiLCJ2ZXIiOiIxLjAifQ.kwfGrWiQwqhJpZfryW9D1hHDC2AC6tUT16OXkmlIeyxTMqY0gdO0U3KClYczDzMs6kpXc5sQOBaTrBQgERnfKf1nqrHoDmHzaKmY20LKByMopH9uhcPF3lkDNW--dfruNHywF6DZ4cLtgSWcZOBs_BAwQqy1i5Hja7WNf5InyhyscXjUdntIz9rK599IzvD8MwkgYViMEXATNNh2CvEqRp-AZxVjCP_cI6h9Lx3j8__9xRIoWIwnv_rqHGcPpg6hJMfUJMtlLjJaBo0h0veCCZj-fUORidN7EPHNSw9IJF29-nGhw6rmkcD7F8q6WpK8dUfiYGk_QxOCRTw9gpkKKA
当我将此令牌粘贴到 jwt.io 时,它会自动填写一个 public 密钥并表示令牌上的签名已经过验证。它如何知道 public 键?
来自 JWT 当前最佳实践 (RFC 8725) :
中记录了 OpenID Connect (OIDC) 提供程序元数据位置The means of determining the keys owned by an issuer is application- specific. As one example, OpenID Connect issuer values are
httpsURLs that reference a JSON metadata document that contains ajwks_urivalue that is anhttpsURL from which the issuer's keys are retrieved as a JWK Set (RFC 7517). This same mechanism is used byietf-oauth-discovery. Other applications may use different means of binding keys to issuers.
OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string
/.well-known/openid-configurationto theIssuer. The syntax and semantics of.well-knownare defined in RFC 5785 and apply to theIssuervalue when it contains no path component.
您的令牌的有效载荷是
{
"aud": "https://management.azure.com/",
"iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
"iat": 1563406664,
"nbf": 1563406664,
"exp": 1563410564,
"aio": "42FgYBBtfzSr7br/p4tqeqdl/2wNBgA=",
"appid": "f1f6d55e-cf2c-422d-b186-848624db95e8",
"appidacr": "2",
"idp": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
"oid": "df9dff8d-bcb5-4b17-8cec-4be1a01f9212",
"sub": "df9dff8d-bcb5-4b17-8cec-4be1a01f9212",
"tid": "72f988bf-86f1-41af-91ab-2d7cd011db47",
"uti": "hi01-8YRuEmLLcxM9L3zAA",
"ver": "1.0"
}
Issuer 由 iss 声明表示。如果您获取 iss 的值,向其附加 /.well-known/openid-configuration 并将 resulting URL 弹出到您的浏览器中,您将看到 OIDC 提供商元数据。此元数据文档中的一个键是 jwks_uri,它指向另一个具有 JSON Web 键集 的文档。后者是一组 JSON Web Keys (JWKs)。 JWK 是加密密钥的 JSON 表示。要在集合中识别所需的 JWK,声明 x5t(X.509 证书的 SHA-1 指纹)and/or kid(密钥 ID/别名/名称)来自令牌使用问题。
jwt.io 通过根据 iss 声明提取 OIDC 元数据,成功地在整个序列的第一步作弊。如果 JWT 是由不使用 OpenID Connect 的服务发布的 and/or 没有实现所有这些相关规范,jwt.io 就不会找到验证签名的密钥。