如何在Nimbus JOSE + JWT

时间:2016-02-27 11:09:52

标签: java oauth jwt

我使用Nimbus JOSE + JWT

在每次资源请求时都有来回从服务器到客户端的令牌

创建JWT令牌的代码:

public class TokenProvider {

    String token = "";

    public String getToken(String email) {
        try {
            KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA");
            keyGenerator.initialize(1024);

            KeyPair kp = keyGenerator.genKeyPair();
            RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
            RSAPrivateKey privateKey = (RSAPrivateKey) kp.getPrivate();

            System.out.println("publicKey: " + publicKey);
            System.out.println("privateKey: " + privateKey.toString());

            JWSSigner signer = new RSASSASigner(privateKey);

            JWTClaimsSet claimsSet = new JWTClaimsSet();
            claimsSet.setSubject("RTH");
            claimsSet.setCustomClaim("email", email);
            claimsSet.setCustomClaim("role", "USER");
            claimsSet.setIssuer("https://rth.com");
            claimsSet.setExpirationTime(new Date(new Date().getTime() + 60 * 1000));

            SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);

            signedJWT.sign(signer);
            token = signedJWT.serialize();
            TokenSaverAndValidatorDAO tokenSaver = new TokenSaverAndValidatorDAO();
            tokenSaver.saveTokenToDB(email, token);

            signedJWT = SignedJWT.parse(token);

            JWSVerifier verifier = new RSASSAVerifier(publicKey);
            System.out.println("verifier: " + verifier);
            System.out.println("verify method: " + signedJWT.verify(verifier));
            assertTrue(signedJWT.verify(verifier));
            assertEquals("RTH", signedJWT.getJWTClaimsSet().getSubject());
            assertEquals("https://rth.com", signedJWT.getJWTClaimsSet().getIssuer());
            assertTrue(new Date().before(signedJWT.getJWTClaimsSet().getExpirationTime()));
        } catch (JOSEException | ParseException | NoSuchAlgorithmException ex) {
            Logger.getLogger(TokenProvider.class.getName()).log(Level.SEVERE, null, ex);
        }
        return token;
    }
}

到目前为止它的工作正常,但问题是如何验证从客户端收到的令牌签名?

API开始,只有一种方法看起来像是用于验证,但只接受公钥(RSAPublicKey)作为参数而不是令牌。

任何使用此库的JWT工作人员都可以提供帮助。谢谢

1 个答案:

答案 0 :(得分:2)

sample code要执行此操作,但您已准备好所有代码以便在您的问题中执行此操作。

对于共享密钥:

JWSVerifier verifier = new MACVerifier(sharedKey.getBytes());

如果您使用的是RSA密钥对(如您的示例所示),则只需提供公钥:

JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);

然后让它验证签名,注意如果它无效则会抛出异常:

boolean verifiedSignature = false;

    try {
      JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
      verifiedSignature = signedJWT.verify(verifier);
    }
    catch (JOSEException e) {
      System.err.println("Couldn't verify signature: " + e.getMessage());
    }

检查令牌签名的完整方法可能如下所示:

public static boolean isSignatureValid(String token) {
    // Parse the JWS and verify its RSA signature
    SignedJWT signedJWT;
    try {
        signedJWT = SignedJWT.parse(token);
        JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
        return signedJWT.verify(verifier);
    } catch (ParseException | JOSEException e) {
        return false;
    }
}
相关问题
最新问题