Sign in Sign up
Explore Enterprise Education Gitee Premium Blog
Open Source > Web Development > OAuth/SSO &&
Scan WeChat QR to Pay
Cancel
Complete
Watch
Unwatch Watching Releases Only Ignoring
15 Star 104 Fork 52

monkeyk7 / MyOIDC

Code Issues 4 Pull Requests 0 Wiki Insights
DevOps
Service
Issues
 / 详情

资源服务器如何通过jwks_uri解密 token,转换为用户信息

Backlog
yang872546
Opened this issue  
2021-04-09 17:55

默认的 oidc client有个校验器,可以校验token,但是无法做到转换为用户信息吧,这个校验 和转换器就没有关系对吧。

public class OIDCTokenVerifier {


	private static final Logger LOG = LoggerFactory.getLogger(OIDCTokenVerifier.class);

	private final RPHolder rpHolder;
	private final String token;

	public OIDCTokenVerifier(RPHolder rpHolder, String token) {
		this.rpHolder = rpHolder;
		this.token = token;
	}

	public Map<String, Object> verify() {

		VerificationKeyResolver verificationKeyResolver = new HttpsJwksVerificationKeyResolver(new HttpsJwks(rpHolder.getDiscoveryEndpointInfo().getJwks_uri()));
		JwtConsumer consumer = new JwtConsumerBuilder()
				.setVerificationKeyResolver(verificationKeyResolver)
				//此处有许可项可配置进行校验,请根据实际需要配置
				//更多帮助可访问 https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
		//{"user_name":"hr|318751","scope":["openid"],"exp":1615640771,"jti":"f297707f-fd0d-4224-9cd6-559c16f45309","client_id":"CRCC12-LDSC"}
				/**
				 *  payload
				 *      iss: jwt签发者
				 *      sub: jwt所面向的用户
				 *      aud: 接收jwt的一方
				 *      exp: jwt的过期时间,这个过期时间必须要大于签发时间
				 *      nbf: 定义在什么时间之前,该jwt都是不可用的
				 *      iat: jwt的签发时间
				 *      jti: jwt的唯一身份标识,主要用来作为一次性token,从而回避重放攻击。
				 *      。。。
				 */
				.setRequireExpirationTime()
//				.setRequireSubject()
//                .setRequireIssuedAt()
//                .setExpectedAudience(RESOURCE_ID)
//                .setRequireNotBefore()
//                    .setRequireJwtId()
				.build();
		try {
			JwtClaims claims = consumer.processToClaims(token);
			return claims.getClaimsMap();

资源服务器 必须指定上面的MyOIDCJwtAccessTokenConverter 对吧,那这个参数还是要传入 jwks_uri对吗?
还是 传入一个 public key啊?

@Slf4j
public class PigResourceServerConfigurerAdapter extends ResourceServerConfigurerAdapter {

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws JoseException, IOException {
	DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
	UserAuthenticationConverter userTokenConverter = new PigUserAuthenticationConverter();
	accessTokenConverter.setUserTokenConverter(userTokenConverter);

	PigCustomTokenServices tokenServices = new PigCustomTokenServices();

	// ,对称加密 转换方法,就可以正常转换token信息,
//	JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
//	converter.setSigningKey("123");
//	converter.setVerifier(new MacSigner("123"));

	// 公钥加密,从 jwks_uri获取公钥,如何转换呢?
     
	HttpsJwks httpsJwks = new HttpsJwks("http://localhost:3000/.well-known/jwks");
	List<JsonWebKey> jsonWebKeys = httpsJwks.getJsonWebKeys();
	JsonWebKeySet jsonWebKeySet=new JsonWebKeySet(jsonWebKeys);
	PublicJsonWebKey publicJsonWebKey = (PublicJsonWebKey) jsonWebKeySet.findJsonWebKey(DEFAULT_KEY_ID, RsaKeyUtil.RSA, USE_SIG, OIDC_ALG);

	MyOIDCJwtAccessTokenConverter converter=new MyOIDCJwtAccessTokenConverter(publicJsonWebKey);

	JwtTokenStore jwtTokenStore = new JwtTokenStore(converter);
	tokenServices.setTokenStore(jwtTokenStore);
	tokenServices.setJwtAccessTokenConverter(converter);
	tokenServices.setDefaultAccessTokenConverter(accessTokenConverter);

	resources
			.authenticationEntryPoint(resourceAuthExceptionEntryPoint)
			.tokenServices(tokenServices);
}

Comments (1)

yang872546 created任务
yang872546 set related repository to monkeyk7/MyOIDC
yang872546 changed description
Expand operation logs

通过publicKey verify id_token 成功后,会获取到 JwtClaims, 通过claims可以获取到对应的用户数据信息(key-value);具体的用户数据需要双方约定好。

Sign in to comment

Status
Assignees
Labels
Not set
Label settings
Milestones
No related milestones
No related milestones
Pull Requests
None yet
None yet
Successfully merging a pull request will close this issue.
Branches
No related branch
Branches (5)
Tags (2)
1.1.2
master
1.1.1
1.1.0
1.0.0
v1.1.1
v1.1.0
Planed to start   -   Planed to end
-
Top level
Not Top
Top Level: High
Top Level: Medium
Top Level: Low
Priority
Not specified
Serious
Main
Secondary
Unimportant
参与者(2)
7238 mkk 1578914473
Java
1
https://gitee.com/mkk/MyOIDC.git
git@gitee.com:mkk/MyOIDC.git
mkk
MyOIDC
MyOIDC
Going to Help Center

Search

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
See more results
Share to
Comment
Repository Report
Back to the top