Auth0 configuration audience
Question
I just found out that I have a problem with Auth0, and it relates to the Auth0 configuration audience. When I explicitly write the audience, the JWT verification fails with the error The provided Algorithm doesn't match the one defined in the JWT's Header.
When I don't write the audience, everything works fine, except that now every time the token expires and the user clicks the login link, it skips the login process and immediately logs in with the previous credentials. I don't want this to happen; I want users to still authenticate themselves again after the token expires, just like when I write the audience.
So what is the audience, and why does it affect the behaviour like this?
And how can I fix it to get the behaviour I want?
Below is the Auth0 configuration:
```javascript
auth0 = new auth0.WebAuth({
  clientID: environment.auth0ClientId,
  domain: environment.auth0Domain,
  responseType: 'token id_token',
  // Below is the audience I'm talking about
  audience: `${constants.MY_APP}/userinfo`,
  redirectUri: `${constants.ORIGIN_URL}/auth`,
  scope: 'openid email'
});
```
I need to know how I can make the JWT be verified correctly, as well as make the login behaviour correct when the JWT expires.
Recommended answer
Auth0 can issue two types of tokens: opaque and JWT.
When you specify the audience parameter, you will receive a JWT token. JWTs differ from opaque tokens in that they are self-contained, and therefore you verify them directly in your application.
In this case, the JWT you have received is signed with an algorithm different from the one you've defined in your verification logic. You can decode the JWT using https://jwt.io and see which algorithm it was signed with in the alg attribute of the header.
You can also find out the signing algorithm your API uses in the Auth0 dashboard. Go to APIs, click your API, click the Settings tab and then scroll to Token Settings. You will see it listed as the Signing Algorithm.
Judging by the error message, you are using the java-jwt library, in which case you will need to change the signing algorithm accordingly per the steps outlined here: https://github.com/auth0/java-jwt#verify-a-token
For HS256:
```java
try {
    Algorithm algorithm = Algorithm.HMAC256("secret");
    JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("auth0")
        .build(); // Reusable verifier instance
    DecodedJWT jwt = verifier.verify(token);
} catch (JWTVerificationException exception) {
    // Invalid signature/claims
}
```
Where secret is your API's Signing Secret.
For RS256, it's a little more involved. You first need to decode the token to retrieve the kid (key ID) from the header:
```java
String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";
try {
    DecodedJWT jwt = JWT.decode(token);
} catch (JWTDecodeException exception) {
    // Invalid token
}
```
You then need to construct a JwkProvider using the jwks-rsa-java library:
```java
JwkProvider provider = new UrlJwkProvider("https://your-domain.auth0.com/");
Jwk jwk = provider.get(jwt.getKeyId());
```
Finally, you can use the public key retrieved from the JWKS to verify the token:
```java
RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();
try {
    Algorithm algorithm = Algorithm.RSA256(publicKey, null);
    JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("auth0")
        .build(); // Reusable verifier instance
    DecodedJWT jwt = verifier.verify(token);
} catch (JWTVerificationException exception) {
    // Invalid signature/claims
}
```
Keep in mind that it's preferred to use RS256 over HS256 for the reasons outlined here: https://auth0.com/docs/apis#signing-algorithms
You may also find this article useful for detailed information on verifying tokens: https://auth0.com/docs/api-auth/tutorials/verify-access-token
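As an added example (not from the answer, and in Python with the standard library rather than java-jwt), this shows the same diagnosis and fix pattern: read the header's alg without trusting it, as jwt.io does, then verify with a pinned algorithm so a header that says anything else is rejected with an algorithm mismatch, and check iss, aud and exp so an expired token is refused. The secret, issuer and audience values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not from the original post.
SECRET = b"constructed-demo-signing-secret"
EXPECTED_ISS = "https://your-tenant.auth0.com/"
EXPECTED_AUD = "https://my-api.example/"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def peek_header(token: str) -> dict:
    """Read the header WITHOUT trusting it (what jwt.io shows you), to see 'alg'."""
    return json.loads(b64url_decode(token.split(".")[0]))

def make_hs256_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Constructed test helper; 'alg' can be set to a wrong value to reproduce
    the header/verifier mismatch from the question (signature stays HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify with a PINNED algorithm: the header's 'alg' is compared against
    HS256, never used to choose the algorithm. Then check signature, iss, aud, exp."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg != "HS256":
        raise ValueError(f"algorithm mismatch: header says {alg!r}, verifier expects HS256")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired: the user must authenticate again")
    return claims
```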