Jak*_*kim (score 10) | tags: java, amazon-web-services, jwt, aws-cognito
I am using an AWS Cognito user pool. After the user logs in, I get an ID token in my single-page application, which is expected. Then, for every request, I need to validate the ID token in my backend REST API, which is written in Java. The AWS docs don't say much about how to do this.

Are there any examples?

Points of confusion:

The ID token seems to be not just a signed JWT but also encrypted; when using the Nimbus library I need to specify a secret for the encrypted JWT. Where do I get this secret? My understanding is that it should come from AWS. Do I need to download something and put it into my JVM keystore?

There is a well-known jwks.json that can be downloaded from AWS, which looks like:
```json
{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "HFPWHdsrG5WyulOwH5dai69YTsWz2KBB1NHbAcVx7M0=",
      "kty": "RSA",
      "n": "...",
      "use": "sig"
    },
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "kSwTdVq/qD4Ra4Q8dJqUTlvOA7eiLxezOZ3mJKI61zU=",
      "kty": "RSA",
      "n": "....",
      "use": "sig"
    }
  ]
}
```
How should I understand this, and what is each property used for? Does each key represent one user in the user pool?
And*_*Dev (score 20)
I was just struggling with this and thought I'd share it.

If you use Maven, add this to your pom.xml:
```xml
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.3.0</version>
</dependency>
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>jwks-rsa</artifactId>
    <version>0.4.0</version>
</dependency>
```
If you use Gradle, add:
```groovy
compile 'com.auth0:jwks-rsa:0.4.0'
compile 'com.auth0:java-jwt:3.3.0'
```
Create a class that implements RSAKeyProvider:
```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

public class AwsCognitoRSAKeyProvider implements RSAKeyProvider {

    private final URL aws_kid_store_url;
    // Built once so the LRU cache inside JwkProvider survives across calls;
    // rebuilding it on every call would re-fetch jwks.json for every token.
    private final JwkProvider provider;

    public AwsCognitoRSAKeyProvider(String aws_cognito_region, String aws_user_pools_id) {
        String url = String.format("https://cognito-idp.%s.amazonaws.com/%s/.well-known/jwks.json", aws_cognito_region, aws_user_pools_id);
        try {
            this.aws_kid_store_url = new URL(url);
        } catch (MalformedURLException e) {
            throw new RuntimeException(String.format("Invalid URL provided, URL=%s", url), e);
        }
        this.provider = new JwkProviderBuilder(aws_kid_store_url).build();
    }

    @Override
    public RSAPublicKey getPublicKeyById(String kid) {
        // kid is taken from the token header; the provider looks it up in jwks.json
        try {
            Jwk jwk = provider.get(kid);
            return (RSAPublicKey) jwk.getPublicKey();
        } catch (Exception e) {
            throw new RuntimeException(String.format("Failed to get JWT kid=%s from aws_kid_store_url=%s", kid, aws_kid_store_url), e);
        }
    }

    @Override
    public RSAPrivateKey getPrivateKey() {
        return null; // verification only: the backend never holds the private key
    }

    @Override
    public String getPrivateKeyId() {
        return null;
    }
}
```
Now you can verify the token with:
```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

String aws_cognito_region = "us-east-1"; // Replace this with your aws cognito region
String aws_user_pools_id = "us-east-1_7DEw1nt5r"; // Replace this with your aws user pools id
RSAKeyProvider keyProvider = new AwsCognitoRSAKeyProvider(aws_cognito_region, aws_user_pools_id);
Algorithm algorithm = Algorithm.RSA256(keyProvider);
JWTVerifier jwtVerifier = JWT.require(algorithm)
        //.withAudience("2qm9sgg2kh21masuas88vjc9se") // Validate your apps audience if needed
        .build();

String token = "eyJraWQiOiJjdE.eyJzdWIiOiI5NTMxN2E.VX819z1A1rJij2"; // Replace this with your JWT token
DecodedJWT verified = jwtVerifier.verify(token); // throws JWTVerificationException on failure
```
Note that JwkProviderBuilder will build a JwkProvider with an LRU cache that caches the keys retrieved from the AWS key store, which is very neat! The caching rules can be changed using the builder.
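The following is an added, self-contained example and not the answerer's code or part of the auth0 libraries. It ties the answer back to the question about jwks.json: each entry in `keys` is one of the user pool's signing keys (not one per user), `kid` is the lookup handle that the token's header carries, `n` and `e` are the RSA modulus and public exponent in base64url, `alg`/`use`/`kty` say the key is an RS256 signing key. The example rebuilds an `RSAPublicKey` from `n` and `e` with plain `java.security`, serves it through an `RSAKeyProvider` keyed by `kid` (an in-memory stand-in for fetching jwks.json), and builds a verifier that pins issuer, audience, `token_use` and expiry instead of checking the signature alone. It assumes java-jwt 3.3.0 on the classpath; `REGION`, `POOL_ID`, `APP_CLIENT_ID`, the `kid` string and the locally generated key pair are constructed placeholders, and the helper names `publicKeyFromJwk` and `base64Url` are mine.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class CognitoIdTokenVerifierDemo {

    // Placeholder pool values; real ones come from your Cognito console.
    static final String REGION = "us-east-1";
    static final String POOL_ID = "us-east-1_EXAMPLE";      // placeholder
    static final String APP_CLIENT_ID = "exampleclientid";  // placeholder app client id
    // Cognito ID tokens carry this issuer; pinning it rejects tokens from any other pool.
    static final String ISSUER = "https://cognito-idp." + REGION + ".amazonaws.com/" + POOL_ID;

    /** In-memory stand-in for the "keys" array of jwks.json: kid -> {n, e} (base64url). */
    static final Map<String, String[]> JWKS = new HashMap<>();

    /** Rebuild the RSAPublicKey from a JWK entry's "n" (modulus) and "e" (exponent). */
    static RSAPublicKey publicKeyFromJwk(String n, String e) throws Exception {
        Base64.Decoder b64 = Base64.getUrlDecoder();
        BigInteger modulus = new BigInteger(1, b64.decode(n));   // 1 = treat bytes as unsigned
        BigInteger exponent = new BigInteger(1, b64.decode(e));
        return (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    /** Resolves the token header's "kid" against the JWKS; unknown kid -> null -> signature failure. */
    static final RSAKeyProvider KEY_PROVIDER = new RSAKeyProvider() {
        @Override public RSAPublicKey getPublicKeyById(String kid) {
            String[] jwk = JWKS.get(kid);
            if (jwk == null) return null;
            try { return publicKeyFromJwk(jwk[0], jwk[1]); }
            catch (Exception ex) { throw new IllegalStateException("bad JWK for kid=" + kid, ex); }
        }
        @Override public RSAPrivateKey getPrivateKey() { return null; }  // verify-only
        @Override public String getPrivateKeyId() { return null; }
    };

    /** Verifier pinned to this pool: RS256 signature via kid, issuer, audience, token_use; exp is checked by default. */
    static final JWTVerifier VERIFIER = JWT.require(Algorithm.RSA256(KEY_PROVIDER))
            .withIssuer(ISSUER)
            .withAudience(APP_CLIENT_ID)
            .withClaim("token_use", "id")   // an access token must not pass as an ID token
            .build();

    /** Encode a positive BigInteger the way a JWK does: unsigned big-endian, base64url, no padding. */
    static String base64Url(BigInteger value) {
        byte[] bytes = value.toByteArray();
        if (bytes[0] == 0) {   // drop the sign byte toByteArray adds when the top bit is set
            byte[] tmp = new byte[bytes.length - 1];
            System.arraycopy(bytes, 1, tmp, 0, tmp.length);
            bytes = tmp;
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the pool's signing key; Cognito publishes only n and e of its own.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) pair.getPublic();
        RSAPrivateKey priv = (RSAPrivateKey) pair.getPrivate();
        String kid = "constructed-kid-1";
        JWKS.put(kid, new String[]{ base64Url(pub.getModulus()), base64Url(pub.getPublicExponent()) });

        // A token shaped like a Cognito ID token (constructed here; in practice Cognito signs it).
        String idToken = JWT.create()
                .withKeyId(kid)
                .withIssuer(ISSUER)
                .withAudience(APP_CLIENT_ID)
                .withSubject("00000000-0000-0000-0000-000000000000")
                .withClaim("token_use", "id")
                .withExpiresAt(new Date(System.currentTimeMillis() + 60_000))
                .sign(Algorithm.RSA256(pub, priv));
        DecodedJWT ok = VERIFIER.verify(idToken);
        System.out.println("accepted sub=" + ok.getSubject() + " kid=" + ok.getKeyId());

        // Correctly signed but token_use=access: the claim pin must reject it.
        String accessToken = JWT.create().withKeyId(kid).withIssuer(ISSUER).withAudience(APP_CLIENT_ID)
                .withClaim("token_use", "access")
                .withExpiresAt(new Date(System.currentTimeMillis() + 60_000))
                .sign(Algorithm.RSA256(pub, priv));
        try { VERIFIER.verify(accessToken); System.out.println("unexpected: access token accepted"); }
        catch (JWTVerificationException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

In production the `JWKS` map is replaced by the answer's `AwsCognitoRSAKeyProvider` (which fetches and caches jwks.json); the verifier part stays the same. The issuer and audience pins are what stop a validly signed token from another pool or another app client from being accepted, and the `token_use` pin keeps an access token from being mistaken for an ID token.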
Views: 2975