`
sillycat
  • 浏览: 2551233 次
  • 性别: Icon_minigender_1
  • 来自: 成都
社区版块
存档分类
最新评论

Auth Solution(3)JWT in Java and PHP Sample

 
阅读更多
Auth Solution(3)JWT in Java and PHP Sample

Here is my Example in JAVA which can generate the RSA 512 private key and public key.

In side the java example, we can use the private key to sign our content, time and etc to generate a token.

https://github.com/luohuazju/sillycat-authcenter

RSACoder class, when we run it, it will generate the private key and public key pair in strings as follow for example:

privateKey:MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALLl3YRnsI8ZMlBF9F/naLo7KjZP6VRwU+KtqDyRwHBUNn2PUhU1RaoODiLrWcFJ7awF6LzNZ3K5rfCrrt31LJ6pEgMt1g+09ShlFoycU9DGk2URBDc3ZWiGm3iR19UyFzpjVuGfbQvsr3rYfvpHKsnamk3WEu3ZGzm64bY905JtAgMBAAECgYAuF2UkOObXZ4F8Bxn4H5Hu8VFl3t7Z33rtWxqOSGsRRdEoNmXKiwgg0TA5NPPSBe8TNA6Lnkw51bcH2+PY0dMlu0CpsomEFOMZo016jf+rMmldXZiRccSdNrmMrSU1HXBQGgcIZ09BvGjV1Xcvukqu4hcw2Cx2tR1arfz8LhJMwQJBAN8qKn9Fnc1huDIR6U0043nWLioMTp/l0M+CyYPe69A7FuS+vyF83ZSYDh50bByPGpIpBimTP8/der0/M7RDshECQQDNOFLlEPGG61nn7Ah9KZzeDW/NsgOS7xb5iYYfm1Tlot2r0ZMe5Yl7+EePxV76GcOeKfJXC2TQIJgFU6NI+36dAkEAtrG6YL8JVN4vAS6QpFgr8c5ZtKqmo1hs/bTAbGjO/IWjVFij+DJU5BUnWd9NsoOk6QsUtGyLzQwwM0XOekEBQQJAYPWflMKwmsJPtBf82sXya6eFj3Xv4lg8TqH/UKefMPAGM8vM6uggUQY5KWBjQ18w4WWILkAf3YXIzZt6plzMsQJBAK3EmpqWbr6uzMUKG9NKdpPHpbjSFpY1IZ5pe9HBcJloEAdqJTx3uvdyLHYwBOfkZrpIA5glBjpgeEuOgJMOixE=

publicKey:MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCy5d2EZ7CPGTJQRfRf52i6Oyo2T+lUcFPirag8kcBwVDZ9j1IVNUWqDg4i61nBSe2sBei8zWdyua3wq67d9SyeqRIDLdYPtPUoZRaMnFPQxpNlEQQ3N2Vohpt4kdfVMhc6Y1bhn20L7K962H76RyrJ2ppN1hLt2Rs5uuG2PdOSbQIDAQAB

In my sample, copy the keys to the second class  JWTJavaWithPublicPrivateKey

Run the class JWTJavaWithPublicPrivateKey, it will use the private key to generate a token:
eyJhbGciOiJSUzUxMiJ9.eyJyb2xlIjoidXNlciIsImNyZWF0ZWQiOjE1NTY4MzgxNjUyNTksImlkIjoieWl5aWthbmciLCJlbWFpbCI6InlpeWlrYW5ncmFjaGVsQGdtYWlsLmNvbSJ9.lYFXMoaqK3BRSyvMdu7HqSv6RwkNNvW3cIhyQ3sL47RjKjo5P2exQ6X43SJXl0bexn4BqXRCcWwjk2vhk8WbfqIxj0nK01WODuU6LD8SmxJVx81pX3wPhZBlyDt8DaQ1Eh0nl50mvzc6nJP4cm6-Hlen_B3XSCH_kUHk60DL3vg

Actually, the content in the token is
yiyikang
user
1556838165259

These JAVA code can easily use public key to decode that contents from the token.

Image we have 2 separate servers,
  Auth Server will host the private key and sign the contents (username, email, profiles, expiration date and etc) to generate a token string and response back.
  Resource Server will host the public key and verify the token, #1, if this token is from Auth Server, expiration data passed? #2 get other contents if #1 pass

In this case, resource server do not need to talk to Auth Server to verify anything, once it has the public key, it can do the decode and verify.

Token and all these methods they are standard, so go to this website

https://jwt.io/

Paste the token in that window
eyJhbGciOiJSUzUxMiJ9.eyJyb2xlIjoidXNlciIsImNyZWF0ZWQiOjE1NTY4MzgxNjUyNTksImlkIjoieWl5aWthbmciLCJlbWFpbCI6InlpeWlrYW5ncmFjaGVsQGdtYWlsLmNvbSJ9.lYFXMoaqK3BRSyvMdu7HqSv6RwkNNvW3cIhyQ3sL47RjKjo5P2exQ6X43SJXl0bexn4BqXRCcWwjk2vhk8WbfqIxj0nK01WODuU6LD8SmxJVx81pX3wPhZBlyDt8DaQ1Eh0nl50mvzc6nJP4cm6-Hlen_B3XSCH_kUHk60DL3vg

Put our public key there in the window as well
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCy5d2EZ7CPGTJQRfRf52i6Oyo2T+lUcFPirag8kcBwVDZ9j1IVNUWqDg4i61nBSe2sBei8zWdyua3wq67d9SyeqRIDLdYPtPUoZRaMnFPQxpNlEQQ3N2Vohpt4kdfVMhc6Y1bhn20L7K962H76RyrJ2ppN1hLt2Rs5uuG2PdOSbQIDAQAB
-----END PUBLIC KEY-----

It will share with us, the Signature Verified and all the contents we have.

That is to say, our token is standard. Other codes/SDK/library can decode and verify as well.



There is a list of libraries in that website.

I only pick up a PHP as an example to verify. The example is  https://github.com/luohuazju/sillycat-jwtphp

I used to be a PHP developer, but I haven’t use that for some time. So first of all, check my PHP ENV.

> php --version
PHP 7.2.12 (cli) (built: Nov 17 2018 22:16:25) ( ZTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

Make sure I have composer if I am not in that directory
> curl -sS https://getcomposer.org/installer | php

In my project directory, install the PHP dependency
> php composer.phar install

Copy the token and public key in jwtphpdecodejava.php

Run this command
> php src/jwtphpdecodejava.php

The PHP code will use the token and public key to verify token and get the contents.

If we do not have the public key, we will only get
Fatal error: Uncaught Firebase\JWT\SignatureInvalidException: Signature verification failed in /Users/hluo/work/php/sillycat-jwtphp/vendor/firebase/php-jwt/src/JWT.php:112
Stack trace:
#0 /Users/hluo/work/php/sillycat-jwtphp/src/jwtphpdecodejava.php(18): Firebase\JWT\JWT::decode('eyJhbGciOiJSUzU...', '-----BEGIN PUBL...', Array)
#1 {main}
  thrown in /Users/hluo/work/php/sillycat-jwtphp/vendor/firebase/php-jwt/src/JWT.php on line 112

If the token is signed by other private key, we will get the same error as well.

In the PHP project, we have the examples to do the same thing as sillycat-authcenter does. So no matter which language, we can do the similar things.

The purpose is that resource server will not talk to auth server; no matter our Microservices are written in which language;

References:
https://jwt.io/
https://github.com/luohuazju/sillycat-jwtphp
https://github.com/luohuazju/sillycat-authcenter
分享到:
评论

相关推荐

    java-jwt.jar

    实现Java web token JWT所需的jar包,java-jwt.3.3.0.jar,可用于登录验证

    java-jwt-3.8.1.jar

    java-jwt-3.8.1.jar 包 下载

    java-jwt-3.1.0.jar

    java-jwt-3.1.0.jar

    PyPI 官网下载 | py-auth0-jwt-rest-0.1.2.tar.gz

    《PyPI官网下载:深入解析py-auth0-jwt-rest-0.1.2》 PyPI(Python Package Index)是Python开发者广泛使用的软件仓库,它提供了丰富的Python库供用户下载和使用。今天我们要关注的是一个名为`py-auth0-jwt-rest-...

    ktor-auth-jwt-sample,关于如何在ktor应用程序流中包含jwt的一个简单但略为详细的示例。.zip

    3. **ktor-auth模块**:ktor提供了一套认证和授权机制,ktor-auth模块可以用来实现JWT验证。它支持多种认证策略,如Basic Auth、OAuth2等,同时也支持自定义验证逻辑。 4. **ktor-server-jwt**:ktor的这个插件专门...

    BasicAuth的Java服务端实现

    3. **src**:源代码目录,通常包含Java源文件,是实现BasicAuth服务端的主要部分。 4. **build**:可能是编译后的目标文件或构建过程的输出目录,通常包含.class文件。 5. **.settings**:Eclipse项目的特定配置...

    Laravel开发-jwt-auth

    在`config/app.php`中,添加`Tymon\JWTAuth\Providers\LaravelServiceProvider`到`providers`数组,并在`aliases`数组中添加`'JWTAuth' => Tymon\JWTAuth\Facades\JWTAuth::class,`和`'JWTFactory' => Tymon\JWTAuth...

    Spring Boot Auth with JWT TOKEN and ROLES

    and Create a JAR file and make that aviable in the project directory $ mvn clean install = JAR FILE = /target/demo-0.0.1-SNAPSHOT.jar Run JAR FILE : $ java -jar target/demo-0.0.1-SNAPSHOT....

    Laravel开发-laravel-jwt-auth

    Laravel是一个优雅且强大的PHP web应用框架,而JWT Auth则是一个流行的身份验证解决方案,尤其适用于API开发,因为它提供了轻量级的授权和身份验证机制。 首先,JWT是一种安全的令牌标准(RFC 7519),它允许我们在...

    Basic Auth认证get请求的java代码片段

    通过base64加密方式将用户名和密码进行封装,生成basic auth的认证信息,再将该信息塞进请求头里,最后通过认证进行get请求。

    某宝购买springClode一整套实战项目源代码+视频、auth2.0+jwt、认证权限

    某宝购买springClode一整套实战项目源代码+视频,包含技术:Eureka、Feign、Zuul、Config、Ribbon、...权限认证:auth2.0+jwt;消息中间件:rebbitMQ, 注:当中的视频是整个项目的难点和技术点的介绍,通俗易懂值得收藏

    jwt工具类,包含引入的包

    3. **JWT解析**:解析JWT以获取Payload中的信息,工具类应包含一个方法来验证签名并提取有效载荷。这需要公钥或秘钥对来进行解码和验证。 4. **MD5加密**:MD5是一种广泛使用的哈希函数,可以将任意长度的信息映射...

    jwt_auth:使用JWT的Auth API

    jwt_auth:使用JWT的Auth API

    Laravel开发-jwt-auth-multiple-keys

    Tymon/jwt-auth是一个非常流行的Laravel扩展,它为Laravel添加了JWT支持。然而,原版的jwt-auth只支持单一的JWT密钥,这在某些场景下可能无法满足需求,比如需要对不同类型的用户或者不同的API端点使用不同的密钥...

    httpie-jwt-auth, HTTPie的JWTAuth ( JSON网络令牌) 认证插件.zip

    httpie-jwt-auth, HTTPie的JWTAuth ( JSON网络令牌) 认证插件 httpie-jwt-auth JWTAuth ( 。JSON网络令牌) 用于 HTTPie的认证插件。安装最新稳定版本:$ pip install -U httpie-jwt-auth最新开发版

    java实现oauth2.0服务端+客户端(含JWT)

    3. **刷新令牌端点(Refresh Token Endpoint)**:当访问令牌过期时,客户端使用刷新令牌来获取新的访问令牌。 4. **资源端点(Resource Endpoint)**:客户端使用访问令牌向资源服务器请求资源。 使用MAVEN作为...

    基于Thinkphp的JWT认证库JWT-AUTH设计源码

    该JWT-AUTH认证库是基于Thinkphp框架构建,旨在为Thinkphp提供JSON Web Token认证支持。项目源码包含50个文件,其中包括44个PHP文件、2个Markdown文件、1个.gitignore文件、1个YAML文件、1个LICENSE文件和1个JSON...

    dropwizard-auth-jwt, 使用JSON网络令牌( JWT )的Dropwizard身份验证筛选器.zip

    dropwizard-auth-jwt, 使用JSON网络令牌( JWT )的Dropwizard身份验证筛选器 dropwizard-auth-jwt使用JSON网络令牌( JWT )的Dropwizard身份验证过滤器。是什么?JSON网络令牌( JWT ) 是一个 compact url安全方法,...

Global site tag (gtag.js) - Google Analytics