
monkeyk7 / MyOIDC


How does the resource server decrypt a token via jwks_uri and convert it into user information?

Opened this issue 2021-04-09 17:55

The default OIDC client has a verifier that can validate the token, but it can't convert it into user information, can it? That validation has nothing to do with the converter, right?

import java.util.Map;

import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// RPHolder is MyOIDC's relying-party holder class; import it from the project's own package.
public class OIDCTokenVerifier {

	private static final Logger LOG = LoggerFactory.getLogger(OIDCTokenVerifier.class);

	private final RPHolder rpHolder;
	private final String token;

	public OIDCTokenVerifier(RPHolder rpHolder, String token) {
		this.rpHolder = rpHolder;
		this.token = token;
	}

	public Map<String, Object> verify() {
		// Resolve the signing key from the OP's jwks_uri; the key is matched on the JWT's kid header
		// and the key set is re-fetched when an unknown kid is seen.
		VerificationKeyResolver verificationKeyResolver = new HttpsJwksVerificationKeyResolver(
				new HttpsJwks(rpHolder.getDiscoveryEndpointInfo().getJwks_uri()));
		JwtConsumer consumer = new JwtConsumerBuilder()
				.setVerificationKeyResolver(verificationKeyResolver)
				// Further validation options can be configured here; set them according to your needs.
				// More help: https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
				// Sample payload: {"user_name":"hr|318751","scope":["openid"],"exp":1615640771,"jti":"f297707f-fd0d-4224-9cd6-559c16f45309","client_id":"CRCC12-LDSC"}
				/**
				 *  payload
				 *      iss: issuer of the JWT
				 *      sub: the user the JWT is about
				 *      aud: the party that receives the JWT
				 *      exp: expiration time of the JWT; must be later than the issue time
				 *      nbf: the JWT is not valid before this time
				 *      iat: time the JWT was issued
				 *      jti: unique identifier of the JWT, mainly used to make it one-time and so defeat replay
				 *      ...
				 */
				.setRequireExpirationTime()
				// As configured, only the signature and exp are checked. Without setExpectedIssuer and
				// setExpectedAudience, a valid token minted for a different resource server also passes.
//				.setRequireSubject()
//				.setRequireIssuedAt()
//				.setExpectedAudience(RESOURCE_ID)
//				.setRequireNotBefore()
//				.setRequireJwtId()
				.build();
		try {
			JwtClaims claims = consumer.processToClaims(token);
			return claims.getClaimsMap();
		} catch (InvalidJwtException e) {
			// Fail closed: a token that does not verify must not yield any claims.
			LOG.error("Token verification failed", e);
			throw new IllegalArgumentException("invalid token", e);
		}
	}
}

The resource server must use the MyOIDCJwtAccessTokenConverter shown above, right? Then does that parameter still need to be given the jwks_uri?
Or should a public key be passed in?

import java.io.IOException;
import java.util.List;

import lombok.extern.slf4j.Slf4j;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.keys.RsaKeyUtil;
import org.jose4j.lang.JoseException;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.UserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Slf4j
public class PigResourceServerConfigurerAdapter extends ResourceServerConfigurerAdapter {

	// resourceAuthExceptionEntryPoint, DEFAULT_KEY_ID, USE_SIG, OIDC_ALG, PigUserAuthenticationConverter
	// and PigCustomTokenServices are defined elsewhere in the poster's project and are not shown here.

	@Override
	public void configure(ResourceServerSecurityConfigurer resources) throws JoseException, IOException {
		DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
		UserAuthenticationConverter userTokenConverter = new PigUserAuthenticationConverter();
		accessTokenConverter.setUserTokenConverter(userTokenConverter);

		PigCustomTokenServices tokenServices = new PigCustomTokenServices();

		// With a symmetric (HMAC) signing key this converter decodes the token information fine:
//		JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
//		converter.setSigningKey("123");
//		converter.setVerifier(new MacSigner("123"));

		// With asymmetric signing the public key is fetched from jwks_uri; how to convert then?
		// Note: the key set is fetched once at startup and a single kid is pinned, so a rotated
		// signing key is not picked up until the resource server restarts. Use an https jwks_uri
		// outside local development, otherwise the key set can be swapped on the wire.
		HttpsJwks httpsJwks = new HttpsJwks("http://localhost:3000/.well-known/jwks");
		List<JsonWebKey> jsonWebKeys = httpsJwks.getJsonWebKeys();
		JsonWebKeySet jsonWebKeySet = new JsonWebKeySet(jsonWebKeys);
		PublicJsonWebKey publicJsonWebKey = (PublicJsonWebKey) jsonWebKeySet.findJsonWebKey(
				DEFAULT_KEY_ID, RsaKeyUtil.RSA, USE_SIG, OIDC_ALG);

		MyOIDCJwtAccessTokenConverter converter = new MyOIDCJwtAccessTokenConverter(publicJsonWebKey);

		JwtTokenStore jwtTokenStore = new JwtTokenStore(converter);
		tokenServices.setTokenStore(jwtTokenStore);
		tokenServices.setJwtAccessTokenConverter(converter);
		tokenServices.setDefaultAccessTokenConverter(accessTokenConverter);

		resources
				.authenticationEntryPoint(resourceAuthExceptionEntryPoint)
				.tokenServices(tokenServices);
	}
}

Comments (1)

yang872546 created this task

Once the id_token has been verified with the public key, you get the JwtClaims; the corresponding user data (key-value pairs) can be read from the claims. The specific user data needs to be agreed on by both sides.
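To make that answer concrete, here is an added example (not code from MyOIDC or from either participant) of the full resource-server path: a key set as jwks_uri would publish it, a JwtConsumer that verifies the signature and also pins issuer, audience and algorithm, and a mapping of the verified claims to user information. It runs offline: the RSA signing key, the issuer http://localhost:3000, the audience hr-api, the client_id demo-client and the user claims are all constructed for the example. In production, replace JwksVerificationKeyResolver with HttpsJwksVerificationKeyResolver(new HttpsJwks(jwks_uri)) so the key set is fetched from the OP and refreshed on an unknown kid.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jwk.Use;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.lang.JoseException;

public class JwksTokenToUserInfoExample {

    // Hypothetical issuer and resource identifier, chosen for this example only.
    static final String ISSUER = "http://localhost:3000";
    static final String RESOURCE_ID = "hr-api";

    /** Resource-server side: verify the JWT against the published key set and map claims to user info. */
    public static Map<String, Object> verifyAndMap(String jwt, JsonWebKeySet publicJwks,
                                                   String expectedIssuer, String expectedAudience)
            throws InvalidJwtException, MalformedClaimException {
        JwtConsumer consumer = new JwtConsumerBuilder()
                // Offline resolver over the parsed key set; HttpsJwksVerificationKeyResolver is the
                // drop-in replacement when the keys come from a live jwks_uri.
                .setVerificationKeyResolver(new JwksVerificationKeyResolver(publicJwks.getJsonWebKeys()))
                // Pin the algorithm so a token claiming "none" or an HMAC alg is rejected outright.
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
                .setExpectedIssuer(expectedIssuer)     // token must come from our OP
                .setExpectedAudience(expectedAudience) // and be minted for this resource server
                .setRequireExpirationTime()
                .setRequireSubject()
                .setAllowedClockSkewInSeconds(30)
                .build();

        // Any failure (bad signature, unknown kid, expired, wrong iss/aud) throws InvalidJwtException.
        JwtClaims claims = consumer.processToClaims(jwt);

        // The claim names below are the ones the OP and the resource server agreed on.
        Map<String, Object> user = new LinkedHashMap<>();
        user.put("sub", claims.getSubject());
        user.put("user_name", claims.getStringClaimValue("user_name"));
        user.put("scope", claims.getStringListClaimValue("scope"));
        user.put("client_id", claims.getClaimValue("client_id", String.class));
        return user;
    }

    /** Stand-in for the authorization server: issues a signed token so the example runs offline. */
    static String issueToken(RsaJsonWebKey signingKey, String audience) throws JoseException {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ISSUER);
        claims.setAudience(audience);
        claims.setSubject("318751");                 // constructed sample user
        claims.setClaim("user_name", "hr|318751");
        claims.setStringListClaim("scope", "openid");
        claims.setClaim("client_id", "demo-client");
        claims.setExpirationTimeMinutesInTheFuture(10);
        claims.setIssuedAtToNow();
        claims.setGeneratedJwtId();

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(signingKey.getPrivateKey());
        jws.setKeyIdHeaderValue(signingKey.getKeyId()); // kid lets the verifier pick the right key
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey signingKey = RsaJwkGenerator.generateJwk(2048);
        signingKey.setKeyId("k1");
        signingKey.setUse(Use.SIGNATURE);
        signingKey.setAlgorithm(AlgorithmIdentifiers.RSA_USING_SHA256);

        // What jwks_uri would serve: public parts only, parsed back exactly as a client would.
        String published = new JsonWebKeySet(signingKey).toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
        JsonWebKeySet publicJwks = new JsonWebKeySet(published);

        // Happy path: token for this resource server verifies and maps to user info.
        System.out.println(verifyAndMap(issueToken(signingKey, RESOURCE_ID), publicJwks, ISSUER, RESOURCE_ID));

        // Failure mode: correctly signed token minted for another audience is rejected.
        try {
            verifyAndMap(issueToken(signingKey, "some-other-api"), publicJwks, ISSUER, RESOURCE_ID);
        } catch (InvalidJwtException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The map returned by verifyAndMap is the shape a Spring UserAuthenticationConverter.extractAuthentication(...) would consume. The second call matters for the question above: a verifier that only calls setRequireExpirationTime accepts that cross-audience token, because the signature and exp are fine; only the aud check rejects it.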

https://gitee.com/mkk/MyOIDC.git