iT邦幫忙


Yahoo third-party authorization: how do I do the JWT signature verification part?

Can someone show me how to verify this part?

Source: https://developer.yahoo.com/oauth2/guide/openid_connect/decode_id_token.html#decode-id-token

idToken:eyJhbGciOiJFUzI1NiIsImtpZCI6IjM0NjZkNTFmN2RkMGM3ODA1NjU2ODhjMTgzOTIxODE2YzQ1ODg5YWQifQ.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.LhmytVBJ-BWrmeZMbDWJh-sAFoOjdraRDkpxl0yA44eLSGLMbyliFMTlEgcPISWhif-Hg98dkySuyzzikhSaSw

keysObject:{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad","x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"rxX9OCD9rIaheKx6LAs4KWR6Rz1-Lj1phRCmdjUDL_I"}

payload:{"at_hash":"NSwp5SNfVocQVYZ6H2ockA","sub":"M5ZQIKGN5YRMPVGQGE5EFEWHPE","email_verified":true,"birthdate":"1981","gender":"other","iss":"https://api.login.yahoo.com","profile_images":{"image64":"https://s.yimg.com/ag/images/default_user_profile_pic_64sq.jpg","image192":"https://s.yimg.com/ag/images/default_user_profile_pic_192sq.jpg","image128":"https://s.yimg.com/ag/images/default_user_profile_pic_128sq.jpg","image32":"https://s.yimg.com/ag/images/default_user_profile_pic_32sq.jpg"},"given_name":"勝台","middle_name":"","locale":"zh-Hant-TW","nonce":"YihsFwGKgt3KJUh6tPs2","picture":"https://s.yimg.com/ag/images/default_user_profile_pic_192sq.jpg","sid":"4RZbUk9fNfSG","aud":"dj0yJmk9V0xNQkROVGNleXk1JmQ9WVdrOVRHZDJiemRXTkRJbWNHbzlNQT09JnM9Y29uc3VtZXJzZWNyZXQmc3Y9MCZ4PWU3","auth_time":1649926307,"nickname":"勝台","name":"戴勝台","session_exp":1651135907,"exp":1650436784,"iat":1650433184,"app_id":"dj0yJmk9V0xNQkROVGNleXk1JmQ9WVdrOVRHZDJiemRXTkRJbWNHbzlNQT09JnM9Y29uc3VtZXJzZWNyZXQmc3Y9MCZ4PWU3","family_name":"戴","email":"jbuduoo123@yahoo.com"}

signature:LhmytVBJ-BWrmeZMbDWJh-sAFoOjdraRDkpxl0yA44eLSGLMbyliFMTlEgcPISWhif-Hg98dkySuyzzikhSaSw

1. Fetch the public key

Yahoo Discovery document
{"issuer":"https://api.login.yahoo.com","authorization_endpoint":"https://api.login.yahoo.com/oauth2/request_auth","token_endpoint":"https://api.login.yahoo.com/oauth2/get_token","introspection_endpoint":"https://api.login.yahoo.com/oauth2/introspect","userinfo_endpoint":"https://api.login.yahoo.com/openid/v1/userinfo","token_revocation_endpoint":"https://api.login.yahoo.com/oauth2/revoke","jwks_uri":"https://api.login.yahoo.com/openid/v1/certs","response_types_supported":["code","token","id_token","code token","code id_token","token id_token","code token id_token"],"subject_types_supported":["public"],"grant_types_supported":["authorization_code","refresh_token"],"id_token_signing_alg_values_supported":["ES256","RS256"],"scopes_supported":["openid","openid2","profile","email"],"acr_values_supported":["AAL1","AAL2"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"claims_supported":["aud","email","email_verified","birthdate","exp","family_name","given_name","iat","iss","locale","name","sub","auth_time"],"response_modes_supported":["query"],"display_values_supported":["page"],"claims_parameter_supported":false,"request_parameter_supported":false,"request_uri_parameter_supported":false}
The jwks_uri parameter in it
jwks_uri:https://api.login.yahoo.com/openid/v1/certs

2. Match the public key:

{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad","x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"rxX9OCD9rIaheKx6LAs4KWR6Rz1-Lj1phRCmdjUDL_I"}

3.?

4.?

jbuduoo (iT邦 newbie, level 4) ‧ 2022-04-20 17:58:54
The closest thing I have found so far is this page, https://connect2id.com/products/nimbus-jose-jwt, but I still can't get it to work.

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.MACSigner;
import java.security.SecureRandom;

// Create an HMAC-protected JWS object with some payload
JWSObject jwsObject = new JWSObject(new JWSHeader(JWSAlgorithm.HS256),
        new Payload("Hello, world!"));

// We need a 256-bit key for HS256 which must be pre-shared
byte[] sharedKey = new byte[32];
new SecureRandom().nextBytes(sharedKey);

// Apply the HMAC to the JWS object (sign() throws JOSEException)
jwsObject.sign(new MACSigner(sharedKey));

// Output in URL-safe (compact) format
System.out.println(jwsObject.serialize());
jbuduoo (iT邦 newbie, level 4) ‧ 2022-04-22 13:58:49
Later I imported the jar from https://search.maven.org/artifact/com.nimbusds/nimbus-jose-jwt, and with the following code it passed. But it took almost two days.

// Verify the ES256 signature of the ID token against the JWK (kty/crv/x/y) from jwks_uri
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jwt.SignedJWT;
import org.json.JSONObject;
import java.text.ParseException;

public boolean validateECDSASignatureWithNimbus(String idToken, JSONObject keysObject)
        throws ParseException, JOSEException {
    // A JWK that fails to parse is an error; swallowing the ParseException would leave
    // key == null and ECDSAVerifier would then throw a NullPointerException
    ECKey key = ECKey.parse(keysObject.toString());
    // ECDSAVerifier checks the ES256 signature against the JWK's public point
    JWSVerifier verifier = new ECDSAVerifier(key);
    // verify() only covers the signature; iss, aud, exp and nonce still need to be checked
    return SignedJWT.parse(idToken).verify(verifier);
}
1 answer

黃彥儒
iT邦 expert, level 1 ‧ 2022-04-20 19:30:07
Best answer

https://jwt.io/
Paste the JWT on the left and the public key on the right and it will verify it.
I'll look into how to convert X and Y back to PEM.

I wrote it up as a tutorial, for reference:
https://lv5.in/convert-ecc-x-y-point-to-pem-python/
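As an added example (not code from the question, the answer, or Yahoo), here are the four steps from the question carried out in Python with the `cryptography` package: select the JWK by the token's kid, rebuild the P-256 public key from x and y (and print it as PEM, which is what jwt.io wants on the right-hand side), verify the raw r||s ES256 signature over header.payload, then check iss, aud, exp and nonce before trusting any claim. The key pair, the kid `test-kid`, the client id and the claims in the fixture are constructed for this demo; the JWK the fixture builds has the same shape as the keysObject in the question, so the real one can be passed to `jwk_to_pem` unchanged.

```python
"""Verify an ES256 OpenID Connect ID token: kid -> JWK -> public key -> signature -> claims.
Assumes the `cryptography` package. Key, kid, client id and claims below are constructed."""
import base64
import json
import time
from typing import Optional, Tuple

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature,
    encode_dss_signature,
)

# Only ES256 is accepted here; the token's own header must never pick the algorithm
ALLOWED_ALGS = {"ES256"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def jwk_to_public_key(jwk: dict) -> ec.EllipticCurvePublicKey:
    """Step 2: turn the JWK's x/y coordinates into a P-256 public key object."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("expected an EC P-256 JWK")
    x = int.from_bytes(b64url_decode(jwk["x"]), "big")
    y = int.from_bytes(b64url_decode(jwk["y"]), "big")
    # public_key() rejects a point that is not on the curve
    return ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key()


def jwk_to_pem(jwk: dict) -> str:
    """The 'x/y back to PEM' conversion, e.g. for pasting into jwt.io."""
    return jwk_to_public_key(jwk).public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    ).decode("ascii")


def verify_id_token(id_token: str, jwks: dict, issuer: str, client_id: str,
                    nonce: Optional[str] = None, now: Optional[int] = None) -> dict:
    """Steps 3 and 4: signature first, then OIDC claims. Raises ValueError on any failure."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Step 1: the jwks document comes from jwks_uri; pick the entry whose kid matches the header
    key = next((k for k in jwks.get("keys", [])
                if k.get("kid") == header.get("kid") and k.get("use", "sig") == "sig"), None)
    if key is None:
        raise ValueError("no JWK matches the token's kid")
    public_key = jwk_to_public_key(key)
    # JWS ES256 signatures are raw r||s (32 bytes each), not DER; convert before verifying
    sig = b64url_decode(sig_b64)
    if len(sig) != 64:
        raise ValueError("ES256 signature must be 64 bytes")
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    try:
        public_key.verify(encode_dss_signature(r, s), signing_input, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("signature does not verify")
    # Claims are only looked at after the signature has been verified
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain our client_id")
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired or exp missing")
    if nonce is not None and payload.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return payload


def make_test_jwks_and_token(claims: dict, kid: str = "test-kid") -> Tuple[dict, str]:
    """Constructed fixture (not a Yahoo key): fresh P-256 key pair, its JWK, and an ES256 token."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    nums = private_key.public_key().public_numbers()
    jwk = {"kty": "EC", "alg": "ES256", "use": "sig", "crv": "P-256", "kid": kid,
           "x": b64url_encode(nums.x.to_bytes(32, "big")),
           "y": b64url_encode(nums.y.to_bytes(32, "big"))}
    header_b64 = b64url_encode(json.dumps({"alg": "ES256", "kid": kid}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    der = private_key.sign(f"{header_b64}.{payload_b64}".encode(), ec.ECDSA(hashes.SHA256()))
    r, s = decode_dss_signature(der)  # DER -> (r, s) -> raw r||s as JWS requires
    sig_b64 = b64url_encode(r.to_bytes(32, "big") + s.to_bytes(32, "big"))
    return {"keys": [jwk]}, f"{header_b64}.{payload_b64}.{sig_b64}"
```

In production the `jwks` argument is the JSON fetched from the `jwks_uri` in the discovery document (cache it and refetch on an unknown kid), `issuer` is the discovery document's `issuer`, and `client_id` is the value that appears as `aud` in the token. Yahoo's discovery document also lists RS256, so a complete verifier needs an RSA branch keyed on `kty == "RSA"`; this example deliberately refuses anything but ES256 rather than trusting the header's `alg`.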
