Problem description
I am trying to connect to a JHipster-generated microservice application using JWT authentication. I have verified the token and the public key on jwt.io, but when I put the public key into the service's base64-secret parameter in application-XXX.yml, I get the following message:
inventory-app_1 | 2020-09-02 17:40:07.351 INFO 1 --- [ XNIO-1 task-1] xxxx.security.jwt.TokenProvider : Invalid JWT token.
inventory-app_1 | 2020-09-02 17:40:07.384 WARN 1 --- [ XNIO-1 task-1] o.z.problem.spring.common.AdviceTraits : Unauthorized: Full authentication is required to access this resource
My token/key was generated by a Keycloak v7.0 server using RS256. I am using the public key found at https://myUrl.com/auth/realms/realmName/protocol/openid-connect/certs, the x5c key value.
If my JWT/key pair is known to be valid, what factors could prevent my JHipster/Spring server from recognising the token?
The parsed JWT indicates it was signed with the RS256 signature algorithm, but the specified signing key of type javax.crypto.spec.SecretKeySpec may not be used to validate RS256 signatures. Because the specified signing key reflects a specific and expected algorithm, and the JWT does not reflect this algorithm, it is likely that the JWT was not expected and therefore should not be trusted. Another possibility is that the parser was configured with the incorrect signing key, but this cannot be assumed for security reasons.
To me this error seems to indicate that RS256-signed tokens cannot be used, but it is not entirely clear.
Solution
The JWT security generated by JHipster only allows HMAC signatures.
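As an added illustration, not code from the question, the answer or JHipster itself (it assumes jjwt 0.11.x and uses placeholders for the token and the x5c value): the HMAC parser that a base64-secret setting builds, beside the RSA parser built from the Keycloak x5c certificate that an RS256 token actually needs.

```java
import io.jsonwebtoken.*;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class Rs256VersusHmacDemo {
    // Placeholders: substitute a real Keycloak RS256 token and the "x5c" value
    // from https://myUrl.com/auth/realms/realmName/protocol/openid-connect/certs
    static final String TOKEN = "<RS256 token issued by Keycloak>";
    static final String X5C = "<base64 DER certificate from the x5c array>";
    static final String ISSUER = "https://myUrl.com/auth/realms/realmName";

    // What a base64-secret setting produces: an HMAC SecretKeySpec. Pasting the
    // certificate here yields a key that can only validate HS256/HS384/HS512.
    static JwtParser hmacParser(String base64Secret) {
        byte[] keyBytes = Decoders.BASE64.decode(base64Secret);
        return Jwts.parserBuilder().setSigningKey(Keys.hmacShaKeyFor(keyBytes)).build();
    }

    // What RS256 needs: the RSA public key from the x5c certificate, plus an
    // issuer pin so a well-signed token from another realm is still rejected.
    static JwtParser rsaParser(String x5cBase64Der, String issuer) throws Exception {
        byte[] der = Base64.getDecoder().decode(x5cBase64Der);
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        return Jwts.parserBuilder()
                .setSigningKey(cert.getPublicKey())
                .requireIssuer(issuer)
                .build();
    }

    // Returns the subject on success, null on rejection. With the HMAC parser the
    // failure is the "may not be used to validate RS256 signatures" message above.
    static String verify(JwtParser parser, String token) {
        try {
            Jws<Claims> jws = parser.parseClaimsJws(token);
            return jws.getBody().getSubject();
        } catch (JwtException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("HMAC parser -> " + verify(hmacParser(X5C), TOKEN));
        System.out.println("RSA parser  -> " + verify(rsaParser(X5C, ISSUER), TOKEN));
    }
}
```

The base64-secret path is the one JHipster wires up, so accepting Keycloak tokens means replacing that parser with one holding the realm's RSA public key, not pasting the certificate into the secret.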