
I am trying to generate a JWT from the WSO2 token endpoint using both the password and the client credentials methods, but I do not see any difference in the sub claim value. It always points only to the user ID. Shouldn't the sub claim of a JWT generated with the client credentials method contain the application ID / client ID?

Ex:

  1. Token obtained using the password grant:

Request:

POST https://localhost:8243/token HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Authorization: Basic UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 53

grant_type=password&username=api3dev&password=api3dev

JWT response:

{"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}
{"aud":"http://org.wso2.apimgt/gateway","sub":"api3dev@carbon.super","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502664,"iat":1600499064,"jti":"426d64a9-932b-4f0c-b396-202fd03dd960"}

  2. Token obtained using client credentials:

Request:

POST https://localhost:8243/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 29

grant_type=client_credentials

JWT response:

{"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}
{"aud":"http://org.wso2.apimgt/gateway","sub":"api2dev@carbon.super","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"am_application_scope default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502788,"iat":1600499188,"jti":"8091497e-9978-4541-99b9-efca50b16868"}

In the example above you can see that the sub claim always contains only the user ID.


1 Answer


In WSO2 API Manager, when you generate an access_token using client_credentials, the sub claim is populated with the owner of the application (service provider). I am not sure that the sub claim should be populated with the client_id of the OAuth2 application for client credentials; I think client credentials is a machine-to-machine authz process without user credentials, so the sub (subject) claim should be a user, in this case the owner. To me this is a correct value.

answered 2020-09-24T20:16:28.077
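The practical consequence of the answer above is that a backend behind the gateway must not read sub as "the end user" for every token: for a client_credentials token, sub is the application owner, not someone who authenticated. The following added example (my own code, not part of the question, the answer, or WSO2 API Manager) parses the two claim sets shown in the question and derives the principal a backend should actually authorize. It assumes, from what the page shows, that the presence of am_application_scope distinguishes the client_credentials token from the password-grant token; the JWT it assembles carries a placeholder signature, so it only exercises claim parsing and never stands in for RS256 signature verification against the gateway certificate.

```python
import base64
import json

# Claim sets constructed from the two decoded JWTs shown in the question.
# Only the claims relevant to the "sub" discussion are kept; the values are
# the ones visible on the page, not freshly issued tokens.
PASSWORD_GRANT_CLAIMS = {
    "aud": "http://org.wso2.apimgt/gateway",
    "sub": "api3dev@carbon.super",
    "application": {"owner": "api2dev", "name": "demoapp_oriKeymgr", "id": 68},
    "scope": "default",
    "iss": "https://localhost:9443/oauth2/token",
    "consumerKey": "RsNaf9jk60DB3kWCovdfDftSZIoa",
    "exp": 1600502664,
    "iat": 1600499064,
}

CLIENT_CREDENTIALS_CLAIMS = {
    "aud": "http://org.wso2.apimgt/gateway",
    "sub": "api2dev@carbon.super",
    "application": {"owner": "api2dev", "name": "demoapp_oriKeymgr", "id": 68},
    "scope": "am_application_scope default",
    "iss": "https://localhost:9443/oauth2/token",
    "consumerKey": "RsNaf9jk60DB3kWCovdfDftSZIoa",
    "exp": 1600502788,
    "iat": 1600499188,
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_test_jwt(claims: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature.

    Assumption: this only exercises the claim parser offline. A real gateway
    JWT is RS256-signed and must be verified against the certificate named by
    its x5t header before any claim below is trusted.
    """
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "signature-placeholder",
    ])


def decode_claims(token: str) -> dict:
    """Split a compact JWS and return its payload as a dict (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def grant_type_of(claims: dict) -> str:
    """Classify the token as a user token or an application token.

    Assumption drawn from the page: the client_credentials token carries
    am_application_scope while the password-grant token does not, so that
    scope is used as the marker.
    """
    scopes = claims.get("scope", "").split()
    return "client_credentials" if "am_application_scope" in scopes else "user"


def sub_matches_owner(claims: dict) -> bool:
    """True when sub names the application owner rather than an end user."""
    owner = claims["application"]["owner"]
    sub_user = claims["sub"].split("@", 1)[0]  # strip the tenant domain
    return sub_user == owner


def effective_principal(claims: dict) -> tuple:
    """Return (kind, identifier) that a backend should authorize against.

    For application tokens the acting party is the OAuth2 client, so the
    consumerKey is returned instead of sub; treating sub (the owner) as an
    end-user identity would give the machine client that person's access.
    """
    if grant_type_of(claims) == "client_credentials":
        return ("application", claims["consumerKey"])
    return ("user", claims["sub"])


if __name__ == "__main__":
    for label, claims in (("password", PASSWORD_GRANT_CLAIMS),
                          ("client_credentials", CLIENT_CREDENTIALS_CLAIMS)):
        parsed = decode_claims(build_test_jwt(claims))
        print(label, grant_type_of(parsed), sub_matches_owner(parsed),
              effective_principal(parsed))
```

Running the script shows the two tokens diverging exactly where the question did not expect it: the password-grant token resolves to the user api3dev@carbon.super, while the client_credentials token, whose sub is the owner api2dev, resolves to the application identified by its consumerKey.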