我想使用jwt作为身份验证机制,所以我选择了auth0-jwt java libs。为了实现身份验证服务,我对令牌验证进行了测试。测试很简单,使用此标记:
{ "alg":"HS256", "typ": "JWT" }
{ "sub": "dummySubject", "exp": "1498054620653" }
使用supersecretpassphrase验证签名。鉴于这个令牌,我期待这一点(由jwt.io拍摄):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkdW1teVN1YmplY3QiLCJleHAiOiIxNDk4MDU0NjIwNjUzIn0.VTL9gIQ-POIoI8W0OI9y_Q7rDGFbniUGNcfd_EliK60
但测试失败。返回的令牌是:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkdW1teVN1YmplY3QiLCJleHAiOjE0OTgwNTQ2MjB9.2dOy3HmWH7vMWiJoQvMOUsx2nR6l6phZ1nwIz-TSkNk
jwt.io表示该令牌具有以下形状:
{ "typ": "JWT", "alg": "HS256" }
{ "sub": "dummySubject", "exp": "1498054620" }
看起来exp松了几毫秒。这就是我填写令牌的方式:
private String computeToken(JwtToken token) throws Exception {
Algorithm algorithmHS = Algorithm.HMAC256(passphrase);
Date expirationTime = new Date(token.getExpirationTime().toInstant().toEpochMilli());
Builder jwtToken = JWT.create().withSubject(token.getSubject()).withExpiresAt(expirationTime);
Iterator<Entry<String, Object>> candidateClaimsIterator = token.getPayload().entrySet().iterator();
...
return jwtToken.sign(algorithmHS);
}
JwtToken token参数是我用来发送和验证我想要放入令牌的数据的简单bean,
public class JwtToken implements Serializable {
private static final long serialVersionUID = 1L;
@NotNull(message = "Subject can not be null")
@Size(min = 10)
private String subject;
@NotNull(message = "Expiration time can not be null")
private ZonedDateTime expirationTime;
private Map<String, Object> payload;
...
(getters and setters)
}
当com.auth0.jwt.JWTCreator在JSON字符串中转换java.util.Date时,似乎exp松开了它的毫秒数。难道我做错了什么?这是预期的行为吗?