I am trying to verify a JWT in Java, using code similar to this post: Java - Auth0 JWT Verification - is this correct?

    import com.auth0.jwk.Jwk;
    import com.auth0.jwk.JwkException;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;
    import java.security.interfaces.RSAPublicKey;
    import org.springframework.http.HttpHeaders; // assumed: the quoted toString() layout matches Spring's HttpHeaders

    public void parseJWTKey(HttpHeaders header)
    {
        try
        {
            Jwk jwk = getPublicKey(); // method to retrieve the public key from the auth server (identity server)

            RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();

            // Only the public key is needed to verify; the private key stays on the identity server.
            Algorithm alg = Algorithm.RSA256(publicKey, null);
            JWTVerifier verifier = JWT.require(alg)
                    .withIssuer("auth0") // compared with the token's "iss" claim after the signature check
                    .build();

            // Read the Authorization header value directly. Slicing HttpHeaders.toString() leaves a
            // leading space (and possibly other characters) in the token, which corrupts the compact JWS.
            String authorization = header.getFirst(HttpHeaders.AUTHORIZATION);
            if (authorization == null || !authorization.startsWith("Bearer "))
            {
                throw new JWTVerificationException("Missing or malformed Authorization header");
            }
            String token = authorization.substring("Bearer ".length()).trim();

            DecodedJWT dJwt = verifier.verify(token);
        }
        catch(JWTVerificationException | JwkException a)
        {
            a.printStackTrace(); // TODO: Logging
        }
    }

But I get the error: com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: SHA256withRSA. I have also looked at this post: com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: SHA256withRSA, but I am not using HMAC256.

I can get the JWT, though:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjdjNDM5MmMxMDA1MGJiN2E2MDYwMTVlMTk0MTNkOWMxIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NzE2NTU3NzEsImV4cCI6MTU3MTY4NDU3MSwiaXNzIjoiaHR0cDovLzE5Mi4xNjguMTAwLjEwMTo1MDU1IiwiYXVkIjpbImh0dHA6Ly8xOTIuMTY4LjEwMC4xMDE6NTA1NS9yZXNvdXJjZXMiLCJjbGFpbXNhcGkiXSwiY2xpZW50X2lkIjoicm8udGVzdGNsaWVudCIsInN1YiI6IjEiLCJhdXRoX3RpbWUiOjE1NzE2NTU3NzEsImlkcCI6ImxvY2FsIiwic2NvcGUiOlsib2ZmaWNlIiwib3BlbmlkIiwicHJvZmlsZSIsImNsYWltc2FwaSJdLCJhbXIiOlsicHdkIl19.oK4Cg2laKUgdAHpyZ3yB7bVlgdHevhkzQMn47wnQPbvc04GME90wXScHxTSNkgtTPnuXK_t-ddyPYrxOZFnHPfDr9PLTjDXilLF90Ga91a4khFvRqvTqRwXAnpsamAsBdXZoybkbQ8c_x7kPua5NwN13AJU_cL37tSuor4ujYIJ9McLdQDLIBhD7b76QAMF2UkstFG_oPUSwycot-18zuaB97K4b5X-rO-j2DfEy15caRmMGxX-1c4EMw4T4pxHkQc4WVumA0C2nsCufJ1ZyZ74bcebRTTbb9y__QDvekGa1vfUYG6Pon7q83gQVWiH580vwiH60rrICjl9fNK4hmQ

I cannot access the private key to check the signature on jwt.io, because it is kept on an identity server instance that is not under my control, but with my limited knowledge of OAuth I don't think that is the problem.

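The check sequence a resource server should run on a token like the one posted, as an added example (this is not code from the question or from the Auth0 libraries' documentation). The issuer and audience constants are read from the posted token's payload; the JWKS path is an assumption and should be taken from the identity server's discovery document (`jwks_uri`). The point it demonstrates: the key used for verification must be the one named by the token's `kid` header, and the library checks the signature before it looks at `iss`, so an issuer mismatch cannot be the cause of a SignatureVerificationException.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;

public class BearerTokenCheck
{
    // Values read from the posted token's payload ("iss" and the second "aud" entry).
    private static final String EXPECTED_ISSUER = "http://192.168.100.101:5055";
    private static final String EXPECTED_AUDIENCE = "claimsapi";
    // Assumed JWKS location; use the "jwks_uri" from the server's discovery document instead.
    private static final String JWKS_URL = EXPECTED_ISSUER + "/.well-known/openid-configuration/jwks";

    public static DecodedJWT verifyBearerToken(String token)
            throws JwkException, MalformedURLException
    {
        // 1. Decode without verifying, solely to read the header; nothing in it is trusted yet.
        DecodedJWT unverified = JWT.decode(token);
        if (!"RS256".equals(unverified.getAlgorithm()))
        {
            // JWT.require(Algorithm) also rejects a mismatch; failing here avoids a JWKS lookup for junk.
            throw new JWTVerificationException("unexpected alg: " + unverified.getAlgorithm());
        }

        // 2. Fetch the key whose "kid" matches the header. Verifying with any other key
        //    (stale cache, rotated key, wrong server) fails exactly like a forged token does.
        JwkProvider provider = new UrlJwkProvider(new URL(JWKS_URL));
        Jwk jwk = provider.get(unverified.getKeyId());
        RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();

        // 3. verify() checks the signature first, then iss, aud and exp; it throws on any failure.
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(publicKey, null))
                .withIssuer(EXPECTED_ISSUER)
                .withAudience(EXPECTED_AUDIENCE)
                .build();
        return verifier.verify(token);
    }
}
```

For the posted token the header decodes to `alg` RS256 and `kid` 7c4392c10050bb7a606015e19413d9c1, and the payload carries `iss` http://192.168.100.101:5055. If the JWK returned by the application's own key lookup has a different `kid`, the signature check fails with the reported message; once the correct key is in use, `.withIssuer("auth0")` would be the next check to fail, because it does not match that `iss` value.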