Question
Recently, I'm trying to implement an OAuth2.0 server using JSON Web Token (JWT) as the access token. I'm very confused about the self-contained feature of JWT. I notice that a JWT can be verified anywhere, not necessarily in the authorization server, because it is self-contained. How does this feature work? What claims should be included in the JWT in order to realize the self-contained feature?
Another question is that, if JWT is stateless, it means the server should not store the JWT. Then how is the JWT verified? Can't it be easily forged?
I'm a rookie in this field, I wish someone could help me out :)
Answer 1:
JWT contains claims that can be signed, encrypted or both.
These operations are performed using cryptographic keys. Keys can be symmetric (e.g. octet keys) or asymmetric (e.g. private/public key pairs such as RSA or EC keys).
When you want to verify a JWT (i.e. a JWS), you have to perform the following steps:
- Check the header (the algorithm is supported, critical claims are in the payload and their values are understood).
- Check the claims (especially exp, iat, nbf, aud).
- Check the signature.
To check the signature, you need the key and, depending on the algorithm, this key can be
- The symmetric key
- The public key if asymmetric
When you want to allow third party applications to verify your JWT, you will use asymmetric keys and share the public key with the third parties. As public keys cannot be used to sign, third parties cannot forge a valid token with custom claims.
The way you share the keys is up to you. The common way is to provide a URL where applications will retrieve them (e.g. Google keys at https://www.googleapis.com/oauth2/v3/certs).
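The three verification steps listed in the answer (header, claims, signature) and the "public key cannot forge" point, as an added example that is not part of the original answer. It is written against the Go standard library only: the issuer signs with RS256 (RSA PKCS#1 v1.5 over SHA-256), and a resource server that holds nothing but the public key verifies. The issuer key pair, the audience URL `https://api.example.com` and the claims are constructed for this example; the `main` at the end also shows that a third party who rewrites the payload but has to reuse the original signature is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// SignJWT is the authorization server's side: RS256 over base64url(header) "." base64url(payload).
func SignJWT(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT is what a resource server does with only the public key: header, signature, then claims.
func VerifyJWT(pub *rsa.PublicKey, token, wantAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three segments")
	}
	// Header: accept only the algorithm configured for this issuer (so "none" or an HMAC
	// alg is refused) and reject any "crit" parameter, since this verifier understands none.
	var hdr struct{ Alg string `json:"alg"`; Crit []string `json:"crit"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("jws: malformed header")
	}
	if hdr.Alg != "RS256" || len(hdr.Crit) > 0 {
		return nil, fmt.Errorf("jws: unsupported header: alg=%q crit=%v", hdr.Alg, hdr.Crit)
	}
	// Signature: covers exactly the encoded header and payload bytes as received.
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("jws: signature verification failed")
	}
	// Claims: exp is mandatory here; nbf and iat are checked when present; aud must match.
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("jwt: malformed payload")
	}
	const skew = 60 * time.Second // tolerated clock drift between issuer and verifier
	exp, ok := claims["exp"].(float64) // encoding/json decodes JSON numbers as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0).Add(skew)) {
		return nil, errors.New("jwt: exp missing or in the past")
	}
	for _, name := range []string{"nbf", "iat"} { // neither may lie in the future
		if t, ok := claims[name].(float64); ok && now.Add(skew).Before(time.Unix(int64(t), 0)) {
			return nil, errors.New("jwt: " + name + " is in the future")
		}
	}
	if !audienceContains(claims["aud"], wantAud) {
		return nil, errors.New("jwt: audience mismatch")
	}
	return claims, nil
}

// audienceContains accepts both forms RFC 7519 allows for aud: a single string or an array.
func audienceContains(aud any, want string) bool {
	if s, ok := aud.(string); ok {
		aud = []any{s}
	}
	list, _ := aud.([]any)
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // issuer's key pair; verifiers only ever see &priv.PublicKey
	now, aud := time.Now(), "https://api.example.com" // hypothetical resource server
	token, _ := SignJWT(priv, map[string]any{"sub": "alice", "aud": aud, "iat": now.Unix(), "exp": now.Add(10 * time.Minute).Unix()})
	_, err := VerifyJWT(&priv.PublicKey, token, aud, now)
	fmt.Println("genuine token:", err) // <nil>
	// A third party with only the public key can rewrite the payload but cannot re-sign it.
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(map[string]any{"sub": "admin", "aud": aud, "exp": now.Add(time.Hour).Unix()})
	_, err = VerifyJWT(&priv.PublicKey, parts[0]+"."+b64.EncodeToString(payload)+"."+parts[2], aud, now)
	fmt.Println("forged token:", err) // jws: signature verification failed
}
```

Two design choices worth noting: the verifier is pinned to RS256 rather than trusting the token's own `alg` field, which is what stops an attacker from switching to `none` or to an HMAC algorithm keyed with the public key; and the signature is checked over the exact base64url segments received, so any change to the payload, however small, invalidates it. In a real deployment the public key would be fetched from the issuer's key URL (as the answer describes) and selected by the `kid` header, which this example does not model.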
Source: https://stackoverflow.com/questions/39637560/how-can-jwt-be-verified-outside-the-authorization-server