如何在 Go 中验证来自 AWS Cognito 的 JWT 令牌?
How to verify a JWT Token from AWS Cognito in Go?
我如何验证从 Amazon Cognito 收到的 JWT 并从中获取信息?
我在 Cognito 中设置了 Google 身份验证,并将重定向 uri 设置为命中 API 网关,然后我收到一个代码,我 POST 到此端点:
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
以 RS256 格式接收 JWT 令牌。我现在正在努力验证和解析 Golang 中的令牌。我尝试使用 jwt-go 解析它,但它似乎默认支持 HMAC,并在某处阅读了他们推荐使用前端验证的信息。我尝试了其他几个软件包并遇到了类似的问题。
我在这里遇到了这个答案: 但假设代码已经过时,因为它只是说 panic: unable to find key。
jwt.io 可以轻松解码密钥,并且可能也可以验证。我不确定亚马逊生成令牌时 public/secret 密钥在哪里,但据我了解,我也需要使用 JWK URL 来验证吗?我找到了一些 AWS 特定的解决方案,但它们似乎都长达数百行。在 Golang 中肯定没那么复杂吧?
Public Amazon Cognito 密钥
正如您已经猜到的那样,您将需要 public 密钥来验证 JWT 令牌。
Download and store the corresponding public JSON Web Key (JWK) for your user pool. It is available as part of a JSON Web Key Set (JWKS).
You can locate it at
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
解析密钥并验证令牌
网络上记录了 JSON 文件结构,因此您可以手动解析它,生成 public 键等。
但是使用一个库可能会更容易,例如这个库:
https://github.com/lestrrat-go/jwx
然后jwt-go处理JWT部分:https://github.com/dgrijalva/jwt-go
然后您可以:
使用第一个库
下载并解析public键JSON
keySet, err := jwk.Fetch(THE_COGNITO_URL_DESCRIBED_ABOVE)
当使用 jwt-go 解析令牌时,使用 JWT header 中的“kid”字段找到要使用的正确密钥
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodRS256); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
kid, ok := token.Header["kid"].(string)
if !ok {
return nil, errors.New("kid header not found")
}
keys := keySet.LookupKeyID(kid);
if !ok {
return nil, fmt.Errorf("key with specified kid is not present in jwks")
}
var publickey interface{}
err = keys.Raw(&publickey)
if err != nil {
return nil, fmt.Errorf("could not parse pubkey")
}
return publickey, nil
eugenioy 的回答因为 this refactor 对我不起作用。我最终用这样的东西修复了
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodRS256); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
kid, ok := token.Header["kid"].(string)
if !ok {
return nil, errors.New("kid header not found")
}
keys := keySet.LookupKeyID(kid);
if len(keys) == 0 {
return nil, fmt.Errorf("key %v not found", kid)
}
// keys[0].Materialize() doesn't exist anymore
var raw interface{}
return raw, keys[0].Raw(&raw)
})
eugenioy 和 Kevin Wydler 提供的代码中的类型断言对我不起作用:*jwt.SigningMethodRS256 is not a type。
*jwt.SigningMethodRS256 是初始提交中的一种类型。从第二次提交开始(回到 2014 年 7 月),它被抽象并替换为全局变量(参见 here)。
以下代码对我有用:
func verify(tokenString string, keySet *jwk.Set) {
tkn, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
if token.Method.Alg() != "RSA256" { // jwa.RS256.String() works as well
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
kid, ok := token.Header["kid"].(string)
if !ok {
return nil, errors.New("kid header not found")
}
keys := keySet.LookupKeyID(kid)
if len(keys) == 0 {
return nil, fmt.Errorf("key %v not found", kid)
}
var raw interface{}
return raw, keys[0].Raw(&raw)
})
}
使用以下依赖版本:
github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
github.com/lestrrat-go/jwx v1.0.4
这对我有用:
import (
"errors"
"fmt"
"github.com/dgrijalva/jwt-go"
"github.com/gin-gonic/gin"
"github.com/lestrrat-go/jwx/jwk"
"net/http"
"os"
)
func verifyToken(token *jwt.Token) (interface{}, error) {
// make sure to replace this with your actual URL
// https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-step-2
jwksURL := "COGNITO_JWKS_URL"
set, err := jwk.FetchHTTP(jwksURL)
if err != nil {
return nil, err
}
keyID, ok := token.Header["kid"].(string)
if !ok {
return nil, errors.New("expecting JWT header to have string kid")
}
keys := set.LookupKeyID(keyID)
if len(keys) == 0 {
return nil, fmt.Errorf("key %v not found", keyID)
}
if key := set.LookupKeyID(keyID); len(key) == 1 {
return key[0].Materialize()
}
return nil, fmt.Errorf("unable to find key %q", keyID)
}
在我的案例中,我是这样称呼它的(使用 AWS Lambda gin)。如果您使用不同的方式来管理请求,请确保将其替换为 http.Request 或您可能正在使用的任何其他框架:
func JWTVerify() gin.HandlerFunc {
return func(c *gin.Context) {
tokenString := c.GetHeader("AccessToken")
_, err := jwt.Parse(tokenString, verifyToken)
if err != nil {
c.AbortWithStatus(http.StatusUnauthorized)
}
}
}
这是我的 go.mod:
module MY_MODULE_NAME
go 1.12
require (
github.com/aws/aws-lambda-go v1.20.0
github.com/aws/aws-sdk-go v1.36.0
github.com/awslabs/aws-lambda-go-api-proxy v0.9.0
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/gin-gonic/gin v1.6.3
github.com/google/uuid v1.1.2
github.com/lestrrat-go/jwx v0.9.2
github.com/onsi/ginkgo v1.14.2 // indirect
github.com/onsi/gomega v1.10.3 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
)
这是我用最新的 (v1.0.8) github.com/lestrrat-go/jwx 所做的。请注意 github.com/dgrijalva/jwt-go 似乎不再维护,人们正在分叉它以进行他们需要的更新。
package main
import (
...
"github.com/lestrrat-go/jwx/jwk"
"github.com/lestrrat-go/jwx/jwt"
)
...
keyset, err := jwk.Fetch("https://cognito-idp." + region + ".amazonaws.com/" + userPoolID + "/.well-known/jwks.json")
parsedToken, err := jwt.Parse(
bytes.NewReader(token), //token is a []byte
jwt.WithKeySet(keyset),
jwt.WithValidate(true),
jwt.WithIssuer(...),
jwt.WithClaimValue("key", value),
)
//check err as usual
//here you can call methods on the parsedToken to get the claim values
...
这里的 an example 使用 github.com/golang-jwt/jwt(正式名称为 github.com/dgrijalva/jwt-go)和一个类似于 AWS Cognito 提供的 JWK。
它将每小时刷新一次 AWS Cognito JWK,当使用未知 kid 签名的 JWT 进入时刷新,并且全局速率限制为 1 个 HTTP 请求,每 5 分钟刷新一次 JWK .
package main
import (
"fmt"
"log"
"time"
"github.com/golang-jwt/jwt"
"github.com/MicahParks/keyfunc"
)
func main() {
// Get the JWKs URL from your AWS region and userPoolId.
//
// See the AWS docs here:
// https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
regionID := "" // TODO Get the region ID for your AWS Cognito instance.
userPoolID := "" // TODO Get the user pool ID of your AWS Cognito instance.
jwksURL := fmt.Sprintf("https://cognito-idp.%s.amazonaws.com/%s/.well-known/jwks.json", regionID, userPoolID)
// Create the keyfunc options. Use an error handler that logs. Refresh the JWKs when a JWT signed by an unknown KID
// is found or at the specified interval. Rate limit these refreshes. Timeout the initial JWKs refresh request after
// 10 seconds. This timeout is also used to create the initial context.Context for keyfunc.Get.
refreshInterval := time.Hour
refreshRateLimit := time.Minute * 5
refreshTimeout := time.Second * 10
refreshUnknownKID := true
options := keyfunc.Options{
RefreshErrorHandler: func(err error) {
log.Printf("There was an error with the jwt.KeyFunc\nError:%s\n", err.Error())
},
RefreshInterval: &refreshInterval,
RefreshRateLimit: &refreshRateLimit,
RefreshTimeout: &refreshTimeout,
RefreshUnknownKID: &refreshUnknownKID,
}
// Create the JWKs from the resource at the given URL.
jwks, err := keyfunc.Get(jwksURL, options)
if err != nil {
log.Fatalf("Failed to create JWKs from resource at the given URL.\nError:%s\n", err.Error())
}
// Get a JWT to parse.
jwtB64 := "eyJraWQiOiJmNTVkOWE0ZSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJLZXNoYSIsImF1ZCI6IlRhc2h1YW4iLCJpc3MiOiJqd2tzLXNlcnZpY2UuYXBwc3BvdC5jb20iLCJleHAiOjE2MTkwMjUyMTEsImlhdCI6MTYxOTAyNTE3NywianRpIjoiMWY3MTgwNzAtZTBiOC00OGNmLTlmMDItMGE1M2ZiZWNhYWQwIn0.vetsI8W0c4Z-bs2YCVcPb9HsBm1BrMhxTBSQto1koG_lV-2nHwksz8vMuk7J7Q1sMa7WUkXxgthqu9RGVgtGO2xor6Ub0WBhZfIlFeaRGd6ZZKiapb-ASNK7EyRIeX20htRf9MzFGwpWjtrS5NIGvn1a7_x9WcXU9hlnkXaAWBTUJ2H73UbjDdVtlKFZGWM5VGANY4VG7gSMaJqCIKMxRPn2jnYbvPIYz81sjjbd-sc2-ePRjso7Rk6s382YdOm-lDUDl2APE-gqkLWdOJcj68fc6EBIociradX_ADytj-JYEI6v0-zI-8jSckYIGTUF5wjamcDfF5qyKpjsmdrZJA"
// Parse the JWT.
token, err := jwt.Parse(jwtB64, jwks.KeyFunc)
if err != nil {
log.Fatalf("Failed to parse the JWT.\nError:%s\n", err.Error())
}
// Check if the token is valid.
if !token.Valid {
log.Fatalf("The token is not valid.")
}
log.Println("The token is valid.")
}
我如何验证从 Amazon Cognito 收到的 JWT 并从中获取信息?
我在 Cognito 中设置了 Google 身份验证,并将重定向 uri 设置为命中 API 网关,然后我收到一个代码,我 POST 到此端点:
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
以 RS256 格式接收 JWT 令牌。我现在正在努力验证和解析 Golang 中的令牌。我尝试使用 jwt-go 解析它,但它似乎默认支持 HMAC,并在某处阅读了他们推荐使用前端验证的信息。我尝试了其他几个软件包并遇到了类似的问题。
我在这里遇到了这个答案:panic: unable to find key。
jwt.io 可以轻松解码密钥,并且可能也可以验证。我不确定亚马逊生成令牌时 public/secret 密钥在哪里,但据我了解,我也需要使用 JWK URL 来验证吗?我找到了一些 AWS 特定的解决方案,但它们似乎都长达数百行。在 Golang 中肯定没那么复杂吧?
Public Amazon Cognito 密钥
正如您已经猜到的那样,您将需要 public 密钥来验证 JWT 令牌。
Download and store the corresponding public JSON Web Key (JWK) for your user pool. It is available as part of a JSON Web Key Set (JWKS). You can locate it at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
解析密钥并验证令牌
网络上记录了 JSON 文件结构,因此您可以手动解析它,生成 public 键等。
但是使用一个库可能会更容易,例如这个库: https://github.com/lestrrat-go/jwx
然后jwt-go处理JWT部分:https://github.com/dgrijalva/jwt-go
然后您可以:
使用第一个库
下载并解析public键JSONkeySet, err := jwk.Fetch(THE_COGNITO_URL_DESCRIBED_ABOVE)当使用 jwt-go 解析令牌时,使用 JWT header 中的“kid”字段找到要使用的正确密钥
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { if _, ok := token.Method.(*jwt.SigningMethodRS256); !ok { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } kid, ok := token.Header["kid"].(string) if !ok { return nil, errors.New("kid header not found") } keys := keySet.LookupKeyID(kid); if !ok { return nil, fmt.Errorf("key with specified kid is not present in jwks") } var publickey interface{} err = keys.Raw(&publickey) if err != nil { return nil, fmt.Errorf("could not parse pubkey") } return publickey, nil
eugenioy 的回答因为 this refactor 对我不起作用。我最终用这样的东西修复了
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodRS256); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
kid, ok := token.Header["kid"].(string)
if !ok {
return nil, errors.New("kid header not found")
}
keys := keySet.LookupKeyID(kid);
if len(keys) == 0 {
return nil, fmt.Errorf("key %v not found", kid)
}
// keys[0].Materialize() doesn't exist anymore
var raw interface{}
return raw, keys[0].Raw(&raw)
})
eugenioy 和 Kevin Wydler 提供的代码中的类型断言对我不起作用:*jwt.SigningMethodRS256 is not a type。
*jwt.SigningMethodRS256 是初始提交中的一种类型。从第二次提交开始(回到 2014 年 7 月),它被抽象并替换为全局变量(参见 here)。
以下代码对我有用:
func verify(tokenString string, keySet *jwk.Set) {
tkn, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
if token.Method.Alg() != "RSA256" { // jwa.RS256.String() works as well
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
kid, ok := token.Header["kid"].(string)
if !ok {
return nil, errors.New("kid header not found")
}
keys := keySet.LookupKeyID(kid)
if len(keys) == 0 {
return nil, fmt.Errorf("key %v not found", kid)
}
var raw interface{}
return raw, keys[0].Raw(&raw)
})
}
使用以下依赖版本:
github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
github.com/lestrrat-go/jwx v1.0.4
这对我有用:
import (
"errors"
"fmt"
"github.com/dgrijalva/jwt-go"
"github.com/gin-gonic/gin"
"github.com/lestrrat-go/jwx/jwk"
"net/http"
"os"
)
func verifyToken(token *jwt.Token) (interface{}, error) {
// make sure to replace this with your actual URL
// https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-step-2
jwksURL := "COGNITO_JWKS_URL"
set, err := jwk.FetchHTTP(jwksURL)
if err != nil {
return nil, err
}
keyID, ok := token.Header["kid"].(string)
if !ok {
return nil, errors.New("expecting JWT header to have string kid")
}
keys := set.LookupKeyID(keyID)
if len(keys) == 0 {
return nil, fmt.Errorf("key %v not found", keyID)
}
if key := set.LookupKeyID(keyID); len(key) == 1 {
return key[0].Materialize()
}
return nil, fmt.Errorf("unable to find key %q", keyID)
}
在我的案例中,我是这样称呼它的(使用 AWS Lambda gin)。如果您使用不同的方式来管理请求,请确保将其替换为 http.Request 或您可能正在使用的任何其他框架:
func JWTVerify() gin.HandlerFunc {
return func(c *gin.Context) {
tokenString := c.GetHeader("AccessToken")
_, err := jwt.Parse(tokenString, verifyToken)
if err != nil {
c.AbortWithStatus(http.StatusUnauthorized)
}
}
}
这是我的 go.mod:
module MY_MODULE_NAME
go 1.12
require (
github.com/aws/aws-lambda-go v1.20.0
github.com/aws/aws-sdk-go v1.36.0
github.com/awslabs/aws-lambda-go-api-proxy v0.9.0
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/gin-gonic/gin v1.6.3
github.com/google/uuid v1.1.2
github.com/lestrrat-go/jwx v0.9.2
github.com/onsi/ginkgo v1.14.2 // indirect
github.com/onsi/gomega v1.10.3 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
)
这是我用最新的 (v1.0.8) github.com/lestrrat-go/jwx 所做的。请注意 github.com/dgrijalva/jwt-go 似乎不再维护,人们正在分叉它以进行他们需要的更新。
package main
import (
...
"github.com/lestrrat-go/jwx/jwk"
"github.com/lestrrat-go/jwx/jwt"
)
...
keyset, err := jwk.Fetch("https://cognito-idp." + region + ".amazonaws.com/" + userPoolID + "/.well-known/jwks.json")
parsedToken, err := jwt.Parse(
bytes.NewReader(token), //token is a []byte
jwt.WithKeySet(keyset),
jwt.WithValidate(true),
jwt.WithIssuer(...),
jwt.WithClaimValue("key", value),
)
//check err as usual
//here you can call methods on the parsedToken to get the claim values
...
这里的 an example 使用 github.com/golang-jwt/jwt(正式名称为 github.com/dgrijalva/jwt-go)和一个类似于 AWS Cognito 提供的 JWK。
它将每小时刷新一次 AWS Cognito JWK,当使用未知 kid 签名的 JWT 进入时刷新,并且全局速率限制为 1 个 HTTP 请求,每 5 分钟刷新一次 JWK .
package main
import (
"fmt"
"log"
"time"
"github.com/golang-jwt/jwt"
"github.com/MicahParks/keyfunc"
)
func main() {
// Get the JWKs URL from your AWS region and userPoolId.
//
// See the AWS docs here:
// https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
regionID := "" // TODO Get the region ID for your AWS Cognito instance.
userPoolID := "" // TODO Get the user pool ID of your AWS Cognito instance.
jwksURL := fmt.Sprintf("https://cognito-idp.%s.amazonaws.com/%s/.well-known/jwks.json", regionID, userPoolID)
// Create the keyfunc options. Use an error handler that logs. Refresh the JWKs when a JWT signed by an unknown KID
// is found or at the specified interval. Rate limit these refreshes. Timeout the initial JWKs refresh request after
// 10 seconds. This timeout is also used to create the initial context.Context for keyfunc.Get.
refreshInterval := time.Hour
refreshRateLimit := time.Minute * 5
refreshTimeout := time.Second * 10
refreshUnknownKID := true
options := keyfunc.Options{
RefreshErrorHandler: func(err error) {
log.Printf("There was an error with the jwt.KeyFunc\nError:%s\n", err.Error())
},
RefreshInterval: &refreshInterval,
RefreshRateLimit: &refreshRateLimit,
RefreshTimeout: &refreshTimeout,
RefreshUnknownKID: &refreshUnknownKID,
}
// Create the JWKs from the resource at the given URL.
jwks, err := keyfunc.Get(jwksURL, options)
if err != nil {
log.Fatalf("Failed to create JWKs from resource at the given URL.\nError:%s\n", err.Error())
}
// Get a JWT to parse.
jwtB64 := "eyJraWQiOiJmNTVkOWE0ZSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJLZXNoYSIsImF1ZCI6IlRhc2h1YW4iLCJpc3MiOiJqd2tzLXNlcnZpY2UuYXBwc3BvdC5jb20iLCJleHAiOjE2MTkwMjUyMTEsImlhdCI6MTYxOTAyNTE3NywianRpIjoiMWY3MTgwNzAtZTBiOC00OGNmLTlmMDItMGE1M2ZiZWNhYWQwIn0.vetsI8W0c4Z-bs2YCVcPb9HsBm1BrMhxTBSQto1koG_lV-2nHwksz8vMuk7J7Q1sMa7WUkXxgthqu9RGVgtGO2xor6Ub0WBhZfIlFeaRGd6ZZKiapb-ASNK7EyRIeX20htRf9MzFGwpWjtrS5NIGvn1a7_x9WcXU9hlnkXaAWBTUJ2H73UbjDdVtlKFZGWM5VGANY4VG7gSMaJqCIKMxRPn2jnYbvPIYz81sjjbd-sc2-ePRjso7Rk6s382YdOm-lDUDl2APE-gqkLWdOJcj68fc6EBIociradX_ADytj-JYEI6v0-zI-8jSckYIGTUF5wjamcDfF5qyKpjsmdrZJA"
// Parse the JWT.
token, err := jwt.Parse(jwtB64, jwks.KeyFunc)
if err != nil {
log.Fatalf("Failed to parse the JWT.\nError:%s\n", err.Error())
}
// Check if the token is valid.
if !token.Valid {
log.Fatalf("The token is not valid.")
}
log.Println("The token is valid.")
}