JWT 验证失败:无法在为孩子设置的 public 密钥中找到匹配的密钥
JWT validation failed: Could not find matching key in public key set for kid
我正在使用 google-auth-library-nodejs 通过 env 变量提供凭据生成 JWT,类似于 here.
中的示例代码
const credentials = JSON.parse(JSON.stringify(env.service_account.credentials));
const client = auth.fromJSON(credentials);
const url = 'my_url';
const token = await client.fetchIdToken(url);
稍后使用该令牌进行身份验证时,请求因以下错误而失败:
JWT validation failed: Could not find matching key in public key set for kid=7da7843e8637d669bc2a12622cede2a8814d11b1
https://jwt.io/#debugger-io确认生成的JWT的kid确实是7da7843e8637d669bc2a12622cede2a8814d11b1,但是json中的私钥id是6bd5b5d36f9a4225bd814ff3d6909d95e23e0793.
这是json
'{
"type": "service_account",
"project_id": "project_id",
"private_key_id": "6bd5b5d36f9a4225bd814ff3d6909d95e23e0793",
"private_key": "-----BEGIN PRIVATE KEY-----\nXXXXXXXXXXX\n-----END PRIVATE KEY-----\n",
"client_email": "my_service_account@project_id.iam.gserviceaccount.com",
"client_id": "REDACTED",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my_service_account%40project_id.iam.gserviceaccount.com"
}
孩子应该匹配privat_key_id吗?
上面问题中提供的client_x509_cert_url不正确x-google-jwks_uri。它实际上必须是 https://www.googleapis.com/oauth2/v1/certs.
更改 URI 后,kids 匹配。
如果有人知道这是为什么,我们将不胜感激。
我正在使用 google-auth-library-nodejs 通过 env 变量提供凭据生成 JWT,类似于 here.
const credentials = JSON.parse(JSON.stringify(env.service_account.credentials));
const client = auth.fromJSON(credentials);
const url = 'my_url';
const token = await client.fetchIdToken(url);
稍后使用该令牌进行身份验证时,请求因以下错误而失败:
JWT validation failed: Could not find matching key in public key set for kid=7da7843e8637d669bc2a12622cede2a8814d11b1
https://jwt.io/#debugger-io确认生成的JWT的kid确实是7da7843e8637d669bc2a12622cede2a8814d11b1,但是json中的私钥id是6bd5b5d36f9a4225bd814ff3d6909d95e23e0793.
这是json
'{
"type": "service_account",
"project_id": "project_id",
"private_key_id": "6bd5b5d36f9a4225bd814ff3d6909d95e23e0793",
"private_key": "-----BEGIN PRIVATE KEY-----\nXXXXXXXXXXX\n-----END PRIVATE KEY-----\n",
"client_email": "my_service_account@project_id.iam.gserviceaccount.com",
"client_id": "REDACTED",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my_service_account%40project_id.iam.gserviceaccount.com"
}
孩子应该匹配privat_key_id吗?
client_x509_cert_url不正确x-google-jwks_uri。它实际上必须是 https://www.googleapis.com/oauth2/v1/certs.
更改 URI 后,kids 匹配。
如果有人知道这是为什么,我们将不胜感激。