10

如何验证从 Amazon Cognito 收到的 JWT 并从中获取信息?

我在 Cognito 中设置了 Google 身份验证,并将重定向 uri 设置为命中 API 网关,然后我收到一个代码,我将其发布到此端点:

https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

以 RS256 格式接收 JWT 令牌。我现在正在努力验证和解析 Golang 中的令牌。我尝试使用 jwt-go 对其进行解析,但它似乎默认支持 HMAC,并在他们推荐使用前端验证的地方读取。我尝试了其他一些软件包并遇到了类似的问题。

我在这里遇到了这个答案:Go Language and Verify JWT,但假设代码已经过时,正如刚才所说的那样panic: unable to find key

jwt.io 可以轻松解码密钥,并且可能也可以验证。我不确定亚马逊生成令牌时公钥/密钥在哪里,但据我了解,我也需要使用 JWK URL 进行验证?我找到了一些 AWS 特定的解决方案,但它们似乎都有数百行长。Golang 肯定没那么复杂吧?

4

6 回答 6

9

Amazon Cognito 的公钥

正如您已经猜到的,您需要公钥来验证 JWT 令牌。

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-第2步

为您的用户池下载并存储相应的公共 JSON Web 密钥 (JWK)。它作为 JSON Web 密钥集 (JWKS) 的一部分提供。您可以在 https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json 找到它

解析密钥并验证令牌

该 JSON 文件结构记录在 Web 中,因此您可以手动解析它,生成公钥等。

但是只使用一个库可能会更容易,例如这个: https ://github.com/lestrrat-go/jwx

然后 jwt-go 处理 JWT 部分:https ://github.com/dgrijalva/jwt-go

然后您可以:

  1. 使用第一个库下载并解析公钥 JSON

     keySet, err := jwk.Fetch(THE_COGNITO_URL_DESCRIBED_ABOVE)

  2. 使用 jwt-go 解析令牌时,使用 JWT 标头中的“kid”字段来查找要使用的正确密钥

     token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
 if _, ok := token.Method.(*jwt.SigningMethodRS256); !ok {
     return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
 }
 kid, ok := token.Header["kid"].(string)
 if !ok {
     return nil, errors.New("kid header not found")
 }
 keys := keySet.LookupKeyID(kid);
 if !ok {
     return nil, fmt.Errorf("key with specified kid is not present in jwks")
 }
 var publickey interface{}
 err = keys.Raw(&publickey)
 if err != nil {
     return nil, fmt.Errorf("could not parse pubkey")
 }
 return publickey, nil
于 2019-07-05T17:57:08.207 回答
6

eugenioy 和 Kevin Wydler 提供的代码中的类型断言对我不起作用:*jwt.SigningMethodRS256 is not a type.

*jwt.SigningMethodRS256是初始提交中的一种类型。从第二次提交(早在 2014 年 7 月)开始,它被抽象并替换为全局变量(请参见此处)。

以下代码适用于我:

func verify(tokenString string, keySet *jwk.Set) {
  tkn, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    if token.Method.Alg() != "RSA256" { // jwa.RS256.String() works as well
      return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
    }
    kid, ok := token.Header["kid"].(string)
    if !ok {
      return nil, errors.New("kid header not found")
    }
    keys := keySet.LookupKeyID(kid)
    if len(keys) == 0 {
      return nil, fmt.Errorf("key %v not found", kid)
    }
    var raw interface{}
    return raw, keys[0].Raw(&raw)
  })
}

使用以下依赖版本:

github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
github.com/lestrrat-go/jwx v1.0.4
于 2020-08-28T11:01:32.183 回答
5

这就是我只用最新的 ( v1.0.8)所做的github.com/lestrrat-go/jwx。请注意,github.com/dgrijalva/jwt-go它似乎不再被维护,人们正在分叉它以进行他们需要的更新。

package main

import (
    ...
    "github.com/lestrrat-go/jwx/jwk"
    "github.com/lestrrat-go/jwx/jwt"
)
    ...

    keyset, err := jwk.Fetch("https://cognito-idp." + region + ".amazonaws.com/" + userPoolID + "/.well-known/jwks.json")

    parsedToken, err := jwt.Parse(
        bytes.NewReader(token), //token is a []byte
        jwt.WithKeySet(keyset),
        jwt.WithValidate(true),
        jwt.WithIssuer(...),
        jwt.WithClaimValue("key", value),
    )

    //check err as usual
    //here you can call methods on the parsedToken to get the claim values
    ...

令牌索取方法

于 2021-01-29T00:13:52.267 回答
4

由于这个重构,eugenioy 的回答不再为我工作。我最终解决了这样的问题

token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    if _, ok := token.Method.(*jwt.SigningMethodRS256); !ok {
        return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
    }
    kid, ok := token.Header["kid"].(string)
    if !ok {
        return nil, errors.New("kid header not found")
    }
    keys := keySet.LookupKeyID(kid);
    if len(keys) == 0 {
         return nil, fmt.Errorf("key %v not found", kid)
    }
    // keys[0].Materialize() doesn't exist anymore
    var raw interface{}
    return raw, keys[0].Raw(&raw)
})
于 2020-05-10T20:11:29.703 回答
0

这对我有用:

import (
    "errors"
    "fmt"
    "github.com/dgrijalva/jwt-go"
    "github.com/gin-gonic/gin"
    "github.com/lestrrat-go/jwx/jwk"
    "net/http"
    "os"
)

func verifyToken(token *jwt.Token) (interface{}, error) {
    // make sure to replace this with your actual URL
    // https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-step-2
    jwksURL := "COGNITO_JWKS_URL" 
    set, err := jwk.FetchHTTP(jwksURL)
    if err != nil {
        return nil, err
    }

    keyID, ok := token.Header["kid"].(string)
    if !ok {
        return nil, errors.New("expecting JWT header to have string kid")
    }

    keys := set.LookupKeyID(keyID)
    if len(keys) == 0 {
        return nil, fmt.Errorf("key %v not found", keyID)
    }

    if key := set.LookupKeyID(keyID); len(key) == 1 {
        return key[0].Materialize()
    }

    return nil, fmt.Errorf("unable to find key %q", keyID)
}

在我的情况下,我这样称呼它(使用 AWS Lambda gin)。如果您使用不同的方式来管理请求,请确保将其替换为http.Request您可能正在使用的任何其他框架:

func JWTVerify() gin.HandlerFunc {
    return func(c *gin.Context) {
        tokenString := c.GetHeader("AccessToken")
        _, err := jwt.Parse(tokenString, verifyToken)
        if err != nil {
            c.AbortWithStatus(http.StatusUnauthorized)
        }
    }
}

这是我的go.mod

module MY_MODULE_NAME
go 1.12

require (
    github.com/aws/aws-lambda-go v1.20.0
    github.com/aws/aws-sdk-go v1.36.0
    github.com/awslabs/aws-lambda-go-api-proxy v0.9.0
    github.com/dgrijalva/jwt-go v3.2.0+incompatible
    github.com/gin-gonic/gin v1.6.3
    github.com/google/uuid v1.1.2
    github.com/lestrrat-go/jwx v0.9.2
    github.com/onsi/ginkgo v1.14.2 // indirect
    github.com/onsi/gomega v1.10.3 // indirect
    golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
)
于 2020-12-02T22:41:05.323 回答
0

这是一个使用github.com/golang-jwt/jwt,(正式名称为github.com/dgrijalva/jwt-go,)和 JWK 的示例,例如 AWS Cognito 提供的 JWK。

它将每小时刷新一次 AWS Cognito JWK,当使用未知签名的 JWTkid进入时刷新,并且具有 1 个 HTTP 请求的全局速率限制,以每 5 分钟刷新一次 JWK。

package main

import (
    "fmt"
    "log"
    "time"

    "github.com/golang-jwt/jwt"

    "github.com/MicahParks/keyfunc"
)

func main() {

    // Get the JWKs URL from your AWS region and userPoolId.
    //
    // See the AWS docs here:
    // https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
    regionID := ""   // TODO Get the region ID for your AWS Cognito instance.
    userPoolID := "" // TODO Get the user pool ID of your AWS Cognito instance.
    jwksURL := fmt.Sprintf("https://cognito-idp.%s.amazonaws.com/%s/.well-known/jwks.json", regionID, userPoolID)

    // Create the keyfunc options. Use an error handler that logs. Refresh the JWKs when a JWT signed by an unknown KID
    // is found or at the specified interval. Rate limit these refreshes. Timeout the initial JWKs refresh request after
    // 10 seconds. This timeout is also used to create the initial context.Context for keyfunc.Get.
    refreshInterval := time.Hour
    refreshRateLimit := time.Minute * 5
    refreshTimeout := time.Second * 10
    refreshUnknownKID := true
    options := keyfunc.Options{
        RefreshErrorHandler: func(err error) {
            log.Printf("There was an error with the jwt.KeyFunc\nError:%s\n", err.Error())
        },
        RefreshInterval:   &refreshInterval,
        RefreshRateLimit:  &refreshRateLimit,
        RefreshTimeout:    &refreshTimeout,
        RefreshUnknownKID: &refreshUnknownKID,
    }

    // Create the JWKs from the resource at the given URL.
    jwks, err := keyfunc.Get(jwksURL, options)
    if err != nil {
        log.Fatalf("Failed to create JWKs from resource at the given URL.\nError:%s\n", err.Error())
    }

    // Get a JWT to parse.
    jwtB64 := "eyJraWQiOiJmNTVkOWE0ZSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJLZXNoYSIsImF1ZCI6IlRhc2h1YW4iLCJpc3MiOiJqd2tzLXNlcnZpY2UuYXBwc3BvdC5jb20iLCJleHAiOjE2MTkwMjUyMTEsImlhdCI6MTYxOTAyNTE3NywianRpIjoiMWY3MTgwNzAtZTBiOC00OGNmLTlmMDItMGE1M2ZiZWNhYWQwIn0.vetsI8W0c4Z-bs2YCVcPb9HsBm1BrMhxTBSQto1koG_lV-2nHwksz8vMuk7J7Q1sMa7WUkXxgthqu9RGVgtGO2xor6Ub0WBhZfIlFeaRGd6ZZKiapb-ASNK7EyRIeX20htRf9MzFGwpWjtrS5NIGvn1a7_x9WcXU9hlnkXaAWBTUJ2H73UbjDdVtlKFZGWM5VGANY4VG7gSMaJqCIKMxRPn2jnYbvPIYz81sjjbd-sc2-ePRjso7Rk6s382YdOm-lDUDl2APE-gqkLWdOJcj68fc6EBIociradX_ADytj-JYEI6v0-zI-8jSckYIGTUF5wjamcDfF5qyKpjsmdrZJA"

    // Parse the JWT.
    token, err := jwt.Parse(jwtB64, jwks.KeyFunc)
    if err != nil {
        log.Fatalf("Failed to parse the JWT.\nError:%s\n", err.Error())
    }

    // Check if the token is valid.
    if !token.Valid {
        log.Fatalf("The token is not valid.")
    }

    log.Println("The token is valid.")
}
于 2021-08-01T16:25:55.790 回答