JWT从断言中解码-Google登录

时间:2018-10-24 08:04:49

标签: python oauth-2.0 jwt dialogflow actions-on-google

我正在尝试在Google的操作中实现帐户关联(使用this

我被困在处理自动链接步骤中。尝试使用指定的python-joseover here!解码时,我从请求中得到assertion 

from jose import jwt
key = "728f4016652079b9ed99861bb09bafc5a45baa86" # PUBLIC KEY OF GOOGLE from https://www.googleapis.com/oauth2/v3/certs
encoded = "ENCODED_ASSERTION"
decoded = jwt.decode(encoded, key, algorithms='RS256')
print (decoded)

当我运行此代码时,它会显示

Traceback (most recent call last):

File "/Users/jay.patel/env372/lib/python3.7/site-packages/jose/backends/pycrypto_backend.py", line 72, in __init__
    self.prepared_key = RSA.importKey(key)
  File "/Users/jay.patel/env372/lib/python3.7/site-packages/Crypto/PublicKey/RSA.py", line 757, in import_key
    raise ValueError("RSA key format is not supported")
ValueError: RSA key format is not supported

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/jay.patel/PycharmProjects/Prac/jwt.py", line 19, in <module>
    decoded = jwt.decode(encoded, key, algorithms='RS256')
  File "/Users/jay.patel/env372/lib/python3.7/site-packages/jose/jwt.py", line 135, in decode
    payload = jws.verify(token, key, algorithms, verify=verify_signature)
  File "/Users/jay.patel/env372/lib/python3.7/site-packages/jose/jws.py", line 77, in verify
    _verify_signature(signing_input, header, signature, key, algorithms)
  File "/Users/jay.patel/env372/lib/python3.7/site-packages/jose/jws.py", line 264, in _verify_signature
    if not _sig_matches_keys(keys, signing_input, signature, alg):
  File "/Users/jay.patel/env372/lib/python3.7/site-packages/jose/jws.py", line 212, in _sig_matches_keys
    key = jwk.construct(key, alg)
  File "/Users/jay.patel/env372/lib/python3.7/site-packages/jose/jwk.py", line 61, in construct
    return key_class(key_data, algorithm)
  File "/Users/jay.patel/env372/lib/python3.7/site-packages/jose/backends/pycrypto_backend.py", line 74, in __init__
    raise JWKError(e)
jose.exceptions.JWKError: RSA key format is not supported

我在做什么错?我刚刚使用过RS256,因为它是以Google的公共密钥(以JWKPEM格式提供)指定的

PS 当我尝试使用RS256算法对断言here进行解码时,它将显示无效的签名错误,如下图所示。

enter image description here

修改 我知道我传递了错误的密钥,所以现在我使用此代码从证书生成公共密钥,但这给了我这个错误。

initializer for ctype 'char' must be a bytes of length 1, not int

这是我的代码

from cryptography.x509 import load_pem_x509_certificate
from cryptography.hazmat.backends import default_backend

certificate_text = open('certificate.txt', 'r').read()
certBytes = list(certificate_text.encode())
certificate = load_pem_x509_certificate(certBytes, default_backend())
publicKey = certificate.public_key()

这是我的certificate.txt的样子:

-----BEGIN CERTIFICATE-----
MIIDJjCCAg6gAwIBAgIIHiSmgNCe4EIwDQYJKoZIhvcNAQEFBQAwNjE0MDIGA1UE
AxMrZmVkZXJhdGVkLXNpZ25vbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTAe
Fw0xODEwMjQxNDQ5MTFaFw0xODExMTAwMzA0MTFaMDYxNDAyBgNVBAMTK2ZlZGVy
YXRlZC1zaWdub24uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCPeue6aABtdQzCrAvfWU1Vi69YZuuJPu7L
sKBN6rB80t/pD1MxCUOJ2sUVIuBJ7YGJ+MSzBLoHiqmxcyWsyhKjMjBse5KShBl1
jabm8URlGTIcHiYApm7NSLlcfktWWVu/ZMGnoqyMlZJJbkGfJ6f2kh5qYd04Ohf8
8R0GGaqScNRFG66rcFvchWe50Y/wkJsdNnzplLZpLaGlgrd4Dx2+nXnkrWMowAb1
Yfz2OGR4VHrs6r2YP7IZkNo0I3yc5lHkjLD5ZAmjn6KMQByQdefVJ1gaNCCb/Z+8
QGx/SAkSObHYOs15pxkvINQD90H0kjLlmt8VnQf2XQiRKCCBRJqRAgMBAAGjODA2
MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsG
AQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAXw0JJPtxs1hanLTxSFI21ib4BDUuI
+Aksnz1azijb6cKXVJAtDMQABpH2u6VTcnnGJ/nIQ4KeJHxMDL2w6wvViz9wwRH3
lru5D6Jks8IShBSeM80IOwrfxodEfju47B+G3Zxg/1qQ4QV0S3C+oMmcqQqHFK+l
Z6glTHJrNLjH+xtiwav6jIGUhDByHiRdEOp1hYBWt7tpbeLb4Mhxyk0schaf6o47
iF3bur6WaEPUI8rUBDv0rXKS3leN3AJmmEEnRZPCoBrNDg1Esxxy/VNLHhhKRHoc
+/K4sQuHeICO1a+yetfXIO6qa3rOOxEuL9ZpWvpSDqcRbYecDqa9CiZK
-----END CERTIFICATE-----

我在做什么错? (我已从here复制了一份证书,并从其中删除了\n

1 个答案:

答案 0 :(得分:2)

您在处理JWT方面遇到一些问题。

第一个是您所谓的“钥匙”实际上是“孩子”或“钥匙ID”。它引用了您应使用的https://www.googleapis.com/oauth2/v3/certs中的哪个键。这些密钥经常旋转,因此您有时需要重新获取它们,然后使用“孩子”来确定使用哪一个对其进行签名。没有提供“钥匙”本身,因为那是不安全的(想象一下发送一个锁着的玻璃盒子,把钥匙粘贴在它的顶部)。

我怀疑错误消息具有欺骗性。并非不支持RSA,而是不支持您提供的RSA密钥的格式。这很有道理-您尚未提供密钥。 The documentation说支持RS256。尽管没有示例,the documentation on verify()表示密钥可以是JWK or JWK Set,这是Google在证书URL上提供的,所以您应该只能提供这些密钥。

jwt.io手动解码显示签名无效的原因是……好……因为给出的信息已经存在。您没有在签名部分(蓝色部分)中为其提供公钥,该公钥可用于验证令牌的其他部分,因此它认为它是无效的。

相关问题
最新问题