Nimbus JOSE JWT expected audience claim to be any of a multiple
When validating a JWT I have a scenario where I have a list of allowed client IDs. I put the client ID into the JWT as the audience claim, but at validation time I need to compare it against the list.
I tried the following:
import com.nimbusds.jose.proc.SecurityContext
import com.nimbusds.jwt.JWTClaimsSet
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier
import com.nimbusds.jwt.proc.DefaultJWTProcessor

val allowedClients = listOf("client1", "client2")
// The whole list goes into the exact-match claims, so the verifier will
// demand the complete list in "aud" (this produces the error below)
val validClaims = JWTClaimsSet.Builder()
    .issuer("myIssuer")
    .audience(allowedClients)
    .build()
val jwtProcessor: ConfigurableJWTProcessor<SecurityContext> = DefaultJWTProcessor()
jwtProcessor.jwsKeySelector = keySelector // keySelector: the JWSKeySelector configured elsewhere
jwtProcessor.jwtClaimsSetVerifier = DefaultJWTClaimsVerifier(
    // exact match claims
    validClaims,
    // required claims
    HashSet(listOf("exp", "iss")))
However, if the JWT that is now issued contains only the one client ID I am currently running with, validation fails with:
com.nimbusds.jwt.proc.BadJWTException: JWT aud claim has value [client2], must be [client1, client2]
What can I do to make the verifier expect any one of the client IDs to appear in the audience claim instead of the full list? Of course, another approach would be to add a client ID at the beginning of the audience claim, but I want to avoid that.
You can define the accepted audience in the verifier. (Documentation from nimbus-jose-jwt v9.20)
    /**
     * Creates new default JWT claims verifier. The expiration ("exp") and
     * not-before ("nbf") claims will be checked only if they are present
     * and parsed successfully; add them to the required claims if they are
     * mandatory.
     *
     * @param acceptedAudience The accepted JWT audience values,
     *                         {@code null} if not specified. A
     *                         {@code null} value in the set allows JWTs
     *                         with no audience.
     * @param exactMatchClaims The JWT claims that must match exactly,
     *                         {@code null} if none.
     * @param requiredClaims   The names of the JWT claims that must be
     *                         present, empty set or {@code null} if none.
     * @param prohibitedClaims The names of the JWT claims that must not be
     *                         present, empty set or {@code null} if none.
     */
    public DefaultJWTClaimsVerifier(final Set<String> acceptedAudience,
                                    final JWTClaimsSet exactMatchClaims,
                                    final Set<String> requiredClaims,
                                    final Set<String> prohibitedClaims) {
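Putting the answer together: the accepted-audience set goes into the first constructor argument and the audience is left out of the exact-match claims, so a token carrying any single allowed client ID passes while one with an unknown or missing audience is rejected. This is an added example, not code from the question or from the Nimbus project; it assumes nimbus-jose-jwt 9.x on the classpath and reuses the issuer "myIssuer" and client IDs from the question.

```kotlin
import com.nimbusds.jose.proc.SecurityContext
import com.nimbusds.jwt.JWTClaimsSet
import com.nimbusds.jwt.proc.BadJWTException
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier
import java.util.Date

// Accepted audiences: the token's "aud" must contain at least ONE of these.
// null is deliberately not a member, so tokens without "aud" are rejected.
val allowedClients: Set<String> = setOf("client1", "client2")

// Audience is NOT part of exactMatchClaims; only the issuer is pinned there.
val verifier = DefaultJWTClaimsVerifier<SecurityContext>(
    allowedClients,                                    // acceptedAudience
    JWTClaimsSet.Builder().issuer("myIssuer").build(), // exactMatchClaims
    setOf("exp", "iss"),                               // requiredClaims
    null                                               // prohibitedClaims
)

// Returns null when the claims pass, otherwise the verifier's rejection reason.
fun checkClaims(claims: JWTClaimsSet): String? =
    try {
        verifier.verify(claims, null)
        null
    } catch (e: BadJWTException) {
        e.message
    }

// Builds a claims set with a fresh "exp"; aud == null means no "aud" claim at all.
fun claimsWithAud(aud: List<String>?): JWTClaimsSet {
    val b = JWTClaimsSet.Builder()
        .issuer("myIssuer")
        .expirationTime(Date(System.currentTimeMillis() + 60_000))
    if (aud != null) b.audience(aud)
    return b.build()
}

fun main() {
    // Passes: a single allowed client ID is enough, the full list is not required.
    println(checkClaims(claimsWithAud(listOf("client2"))))
    // Passes: any one match in a multi-valued "aud" suffices.
    println(checkClaims(claimsWithAud(listOf("client2", "other-service"))))
    // Rejected: none of the audience values is accepted.
    println(checkClaims(claimsWithAud(listOf("client3"))))
    // Rejected: no "aud" claim and null is not in the accepted set.
    println(checkClaims(claimsWithAud(null)))
}
```

The same verifier can be assigned to `jwtProcessor.jwtClaimsSetVerifier` as in the question; the key selector and signature check are unchanged.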