资源服务器如何通过jwks_uri解密 token,转换为用户信息

默认的 oidc client有个校验器，可以校验token，但是无法做到转换为用户信息吧，这个校验 和转换器就没有关系对吧。
```
public class OIDCTokenVerifier {

private static final Logger LOG = LoggerFactory.getLogger(OIDCTokenVerifier.class);

private final RPHolder rpHolder;
	private final String token;

public OIDCTokenVerifier(RPHolder rpHolder, String token) {
		this.rpHolder = rpHolder;
		this.token = token;
	}

public Map<String, Object> verify() {

VerificationKeyResolver verificationKeyResolver = new HttpsJwksVerificationKeyResolver(new HttpsJwks(rpHolder.getDiscoveryEndpointInfo().getJwks_uri()));
		JwtConsumer consumer = new JwtConsumerBuilder()
				.setVerificationKeyResolver(verificationKeyResolver)
				//此处有许可项可配置进行校验，请根据实际需要配置
				//更多帮助可访问 https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
		//{"user_name":"hr|318751","scope":["openid"],"exp":1615640771,"jti":"f297707f-fd0d-4224-9cd6-559c16f45309","client_id":"CRCC12-LDSC"}
				/**
				 *  payload
				 *      iss: jwt签发者
				 *      sub: jwt所面向的用户
				 *      aud: 接收jwt的一方
				 *      exp: jwt的过期时间，这个过期时间必须要大于签发时间
				 *      nbf: 定义在什么时间之前，该jwt都是不可用的
				 *      iat: jwt的签发时间
				 *      jti: jwt的唯一身份标识，主要用来作为一次性token,从而回避重放攻击。
				 *      。。。
				 */
				.setRequireExpirationTime()
//				.setRequireSubject()
//                .setRequireIssuedAt()
//                .setExpectedAudience(RESOURCE_ID)
//                .setRequireNotBefore()
//                    .setRequireJwtId()
				.build();
		try {
			JwtClaims claims = consumer.processToClaims(token);
			return claims.getClaimsMap();
```

**资源服务器 必须指定上面的MyOIDCJwtAccessTokenConverter 对吧，那这个参数还是要传入 jwks_uri对吗？
还是 传入一个 public key啊？** 
```
@Slf4j
public class PigResourceServerConfigurerAdapter extends ResourceServerConfigurerAdapter {

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws JoseException, IOException {
	DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
	UserAuthenticationConverter userTokenConverter = new PigUserAuthenticationConverter();
	accessTokenConverter.setUserTokenConverter(userTokenConverter);

PigCustomTokenServices tokenServices = new PigCustomTokenServices();

// ,对称加密 转换方法，就可以正常转换token信息，
//	JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
//	converter.setSigningKey("123");
//	converter.setVerifier(new MacSigner("123"));

// 公钥加密，从 jwks_uri获取公钥，如何转换呢？
     
	HttpsJwks httpsJwks = new HttpsJwks("http://localhost:3000/.well-known/jwks");
	List<JsonWebKey> jsonWebKeys = httpsJwks.getJsonWebKeys();
	JsonWebKeySet jsonWebKeySet=new JsonWebKeySet(jsonWebKeys);
	PublicJsonWebKey publicJsonWebKey = (PublicJsonWebKey) jsonWebKeySet.findJsonWebKey(DEFAULT_KEY_ID, RsaKeyUtil.RSA, USE_SIG, OIDC_ALG);

MyOIDCJwtAccessTokenConverter converter=new MyOIDCJwtAccessTokenConverter(publicJsonWebKey);

JwtTokenStore jwtTokenStore = new JwtTokenStore(converter);
	tokenServices.setTokenStore(jwtTokenStore);
	tokenServices.setJwtAccessTokenConverter(converter);
	tokenServices.setDefaultAccessTokenConverter(accessTokenConverter);

resources
			.authenticationEntryPoint(resourceAuthExceptionEntryPoint)
			.tokenServices(tokenServices);
}
```

monkeyk7/MyOIDC

Content Risk Flag

Comments (1)

monkeyk7/MyOIDC .gitee-modal { width: 500px !important; }

Content Risk Flag