在Ruby中生成JWT

时间:2016-02-06 18:53:31

标签: ruby jwt hmac

我正在尝试发布到Ping Identity的PingID API,它一直给我403无效签名。

我相当确定我正确编码JSON消息。我得到的标题字符串与他们的示例数据相同,但我不确定我是否正确创建了HMAC SHA256签名。

我正在使用the API walkthrough,我写的代码是:

require 'json'
require 'base64'
require 'OpenSSL'
require 'rest-client'


use_base64_key = "JWC41crr322aUfdckVfJKHvGKNIPyAPGL7rMsTbzHlA="

jwtheader = {
    "alg": "HS256",
    "org_alias": "aaaaaaaa-a1b2-123a-b456-1234abcd5678",
    "token": "1a2b3c4d5e6f"
}

jwtpayload = {
    "reqHeader": {
        "locale": "en",
        "orgAlias": "aaaaaaaa-a1b2-123a-b456-1234abcd5678",
        "secretKey": "1a2b3c4d5e6f",
        "timestamp": "2015-09-03 11:57:25.229",
        "version": "4.6"
    },
    "reqBody": {
        "activateUser": false,
        "email": "marcher@pingdevelopers.com",
        "fName": "Meredith",
        "lname": "Archer",
        "username": "meredith",
        "role": "REGULAR",
        "clientData": nil
    }
}

jwtheader64 = Base64.urlsafe_encode64(jwtheader.to_json).chomp[0...-1]
jwtpayload64 = Base64.urlsafe_encode64(jwtpayload.to_json).chomp[0...-1]
signeddata = jwtheader64 + "." + jwtpayload64

digest = OpenSSL::Digest.new('sha256')
instance = OpenSSL::HMAC.digest(digest, use_base64_key, signeddata)
signature = Base64.urlsafe_encode64(instance).chomp[0...-1]

当我使用自己的信息时,会返回403错误。要获得我正在使用的格式的时间戳:

timestamp = Time.now.utc.strftime("%m-%e-%y %H:%M:%S.000")

我做错了什么?

解决方案:

我能够使用此代码成功构建令牌:

require 'json'
require 'base64'
require 'OpenSSL'
require 'rest-client'

pidalg = "HS256"
pidorg = "aaaaaaaa-a1b2-123a-b456-1234abcd5678"
pidtok = "c9fed74c5c994509b849ff65adb367d1"
timestamp = Time.now.utc.strftime("%Y-%m-%d %H:%M:%S.000")
uid = "meredith"
pidkey = "JWC41crr322aUfdckVfJKHvGKNIPyAPGL7rMsTbzHlA="

#jwt header
jwtheader = {
    "alg": pidalg,
    "org_alias": pidorg,
    "token": pidtok
}

#jwt payload
jwtpayload = {
    "reqHeader":{
        "locale":"en",
        "orgAlias":pidorg,
        "secretKey":pidtok,
        "timestamp":timestamp,
        "version":"4.6"
    },
    "reqBody":{
        "getSameDeviceUsers":false,
        "userName":uid,
    }
}

jwtheaderJSON = jwtheader.to_json
jwtheaderUTF = jwtheaderJSON.encode("UTF-8")
tokenheader = Base64.urlsafe_encode64(jwtheaderUTF)
puts tokenheader

jwtpayloadJSON = jwtpayload.to_json
jwtpayloadUTF = jwtpayloadJSON.encode("UTF-8")
tokenpayload = Base64.urlsafe_encode64(jwtpayloadUTF)
puts tokenpayload

signeddata = tokenheader + "." + tokenpayload

digest = OpenSSL::Digest.new('sha256')
bin_key = Base64.decode64(pidkey)
puts bin_key
instance = OpenSSL::HMAC.digest(digest, bin_key, signeddata)
signature = Base64.urlsafe_encode64(instance)
puts signature

apitoken = signeddata + "." + signature

puts apitoken

2 个答案:

答案 0 :(得分:1)

您的代码基本上是正确的,但是您使用base64编码的表示作为对JWT进行签名的密钥,您应该使用二进制密钥,即首先对其进行64位解码,如下所示:

digest = OpenSSL::Digest.new('sha256')
bin_key = Base64.decode64(use_base64_key)
instance = OpenSSL::HMAC.digest(digest, bin_key, signeddata)
signature = Base64.urlsafe_encode64(instance).chomp[0...-1]

答案 1 :(得分:0)

jwt gem可用于编码和解码JWT令牌

payload = { id: 1, email: 'user@example.com' }
secret = Rails.application.credentials.secret_key_base
token = JWT.encode(payload, secret, 'HS256')
相关问题
最新问题