我对JWT的签名方面感到困惑。我相信我有标头并声称设置正确,因为我克服了最初编写此标头时看到的任何错误。我的问题主要是关于签名。具有HMACSHA256的HMac是否正确?我想我可能对从何处获取加密专用密钥感到困惑。如果有人有一些指导,那就太好了。
<cfset JWT_header = structNew()>
<cfset JWT_header['alg'] = 'RS256'>
<cfset JWT_header['typ'] = 'JWT'>
<cfset JWT_header = serializeJSON(JWT_header)>
<cfset JWT_claim_set = structNew()>
<cfset JWT_claim_set['iss'] = 'secret_iss'>
<cfset JWT_claim_set['scope'] = 'my_scope'>
<cfset JWT_claim_set['aud'] = 'https://www.googleapis.com/oauth2/v4/token'>
<cfset JWT_claim_set['exp'] = 'Time_Stamp')>
<cfset JWT_claim_set['iat'] = 'Time_Stamp')>
<cfset JWT_claim_set = serializeJSON(JWT_claim_set)>
<cfset data = ToBase64(JWT_header) & '.' & ToBase64(JWT_claim_set)>
<cfset hashedData = HMac(data, 'my_secret_private_key','HMACSHA256')>
<cfset signature = toBase64(hashedData)>
<cfset JWT = data & '.' & signature>
<cfhttp url="https://www.googleapis.com/oauth2/v4/token" method="post" result="result">
<cfhttpparam name="grant_type" type="formField" value="urn:ietf:params:oauth:grant-type:jwt-bearer" />
<cfhttpparam name="assertion" type="formField" value="#JWT#" />
</cfhttp>
<cfoutput>#result.filecontent#</cfoutput>
这将返回:
'{“错误”:“ invalid_grant”,“错误_description”:“无效的JWT签名。” }'
答案 0 :(得分:1)
我使它可以与Ben Nadel的代码(https://www.bennadel.com/blog/2941-experimenting-with-rsa-encrypted-signature-generation-and-verification-in-coldfusion.htm)一起使用,但是我必须对其进行修改才能起作用。我注释掉了与公钥有关的任何内容,因为我没有使用它来与Google交互。如果要增强它,我可以创建逻辑以寻找使用公钥或私钥。接下来,我跳过了带有Pem文件格式的所有内容,因为Google并未使用该格式。现在可以了。
答案 1 :(得分:1)
对于将来需要一些代码以使其走上正确道路的任何人。此代码用于Firebase消息传递API的推送通知,但可以适用于其他Google服务。
<cfscript>
variables.service_json = deserializeJSON(fileRead(expandPath('./serviceaccountprivatekey.json')));
variables.timestamp = dateDiff("s", CreateDate(1970,1,1), now());
variables.timestampUTC = timestamp + 21600; //add 6 hour to convert to utc
//generate jwt
variables.jwt_header = {
'alg': 'RS256',
'typ': 'JWT'
};
variables.jwt_header = serializeJSON(variables.jwt_header);
variables.jwt_header = toBase64(variables.jwt_header);
variables.jwt_claim = {
'iss': service_json.client_email,
'scope': 'https://www.googleapis.com/auth/firebase.messaging',
'aud': 'https://www.googleapis.com/oauth2/v4/token',
'iat': timestampUTC,
'exp': (timestampUTC + 3600)
};
variables.jwt_claim = serializeJSON(variables.jwt_claim);
variables.jwt_claim = toBase64(variables.jwt_claim);
variables.jwt = variables.jwt_header & '.' & variables.jwt_claim;
//sign jwt
variables.keyText = reReplace( service_json.private_key, "-----(BEGIN|END)[^\r\n]+", "", "all" );
variables.keyText = trim( keyText );
variables.privateKeySpec = createObject( "java", "java.security.spec.PKCS8EncodedKeySpec" )
.init(binaryDecode( variables.keyText, "base64" ));
variables.privateKey = createObject( "java", "java.security.KeyFactory" )
.getInstance( javaCast( "string", "RSA" ) )
.generatePrivate( privateKeySpec );
variables.signer = createObject( "java", "java.security.Signature" )
.getInstance( javaCast( "string", 'SHA256withRSA' ));
variables.signer.initSign( variables.privateKey );
variables.signer.update( charsetDecode( variables.jwt, "utf-8" ) );
variables.signedBytes = signer.sign();
variables.signedBase64 = toBase64(signedBytes);
variables.jwt_signed = variables.jwt & '.' & variables.signedBase64;
</cfscript>
<cfhttp
url="https://www.googleapis.com/oauth2/v4/token"
method="POST"
result="res"
>
<cfhttpparam name="grant_type" type="formField" value="urn:ietf:params:oauth:grant-type:jwt-bearer" />
<cfhttpparam name="assertion" type="formField" value="#variables.jwt_signed#" />
</cfhttp>
<cfset variables.res = deserializeJSON(res.filecontent) />
<cfscript>
variables.body = {
"message": {
"notification": {
"title": "test",
"body": "test test test"
},
"token": "e7blahblahSQ:thisisanexamplefirebasemessengingtokenpleaseputyourownonehere"
}
};
</cfscript>
<cfhttp url="https://fcm.googleapis.com/v1/projects/{project_id}/messages:send" method="post" result="res">
<cfhttpparam type="header" name="Content-type" value="application/json" />
<cfhttpparam type="header" name="Authorization" value="Bearer #variables.res.access_token#" />
<cfhttpparam type="body" value="#serializeJSON(body)#" />
</cfhttp>
<cfdump var="#res.fileContent#">