I'm making my own Google OAuth implementation in a PHP project. Everything works fine until I try to verify the JWT received after the access token request (https://accounts.google.com/o/oauth2/token).
For JWT decoding I'm using the firebase/php-jwt class.
It decodes perfectly, but if I switch on the $verify option (the decode() method's 3rd arg) I get a "Signature verification failed" exception.
My guess is that I'm passing a wrong key to the decode() method. It's used later by the hash_hmac() function when the signature is generated.
So my question is: what key exactly should I pass for signature verification in the Google OAuth JWT context?
The approach recommended at https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken:
"We recommend that you retrieve Google’s public keys from https://www.googleapis.com/oauth2/v1/certs and perform the validation locally.
Since Google changes its public keys only infrequently (on the order of once per day), you can cache them and, in the vast majority of cases, perform local validation much more efficiently than by using the TokenInfo endpoint. This requires retrieving and parsing certificates, and making the appropriate crypto calls to check the signature. Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this."
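The local validation the answer describes, written out as an added PHP example (not code from the question, the answer, or firebase/php-jwt): it uses the `kid` header to pick a cert from the certs JSON, checks the RS256 signature with OpenSSL, then checks issuer, audience and expiry. The key pair, the `demo-kid` entry, the client id and the claims are constructed locally so the script runs offline.

```php
<?php
// Added example, not code from the question or the answer: verify a Google RS256
// id_token locally against the JSON served at https://www.googleapis.com/oauth2/v1/certs,
// which maps each "kid" to a PEM certificate. The cert map below is constructed from a
// locally generated key pair so the script runs offline; in production fetch and cache it.

function b64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the verified claims, or throws on the first check that fails.
function verify_google_jwt(string $jwt, array $certs, string $aud, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true) ?: [];
    $claims = json_decode(b64url_decode($p), true) ?: [];
    // Pin the algorithm so the token cannot pick "none" or an HMAC variant.
    if (($header['alg'] ?? '') !== 'RS256') throw new RuntimeException('unexpected alg');
    // The kid header selects one of Google's published certs.
    $pem = $certs[$header['kid'] ?? ''] ?? null;
    if ($pem === null) throw new RuntimeException('unknown kid');
    $pub = openssl_pkey_get_public($pem);  // accepts an X.509 cert or a public-key PEM
    if ($pub === false) throw new RuntimeException('bad certificate');
    if (openssl_verify("$h.$p", b64url_decode($s), $pub, OPENSSL_ALGO_SHA256) !== 1)
        throw new RuntimeException('Signature verification failed');
    if (!in_array($claims['iss'] ?? '', ['accounts.google.com', 'https://accounts.google.com'], true))
        throw new RuntimeException('bad issuer');
    if (($claims['aud'] ?? '') !== $aud) throw new RuntimeException('bad audience');
    if (($claims['exp'] ?? 0) <= $now) throw new RuntimeException('token expired');
    return $claims;
}

// Constructed fixture: a local key pair stands in for Google's signing key.
$key   = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$certs = ['demo-kid' => openssl_pkey_get_details($key)['key']];  // public-key PEM
$now   = time();
$claim = fn(string $sub) => b64url_encode(json_encode(['iss' => 'accounts.google.com',
    'aud' => 'my-client-id', 'sub' => $sub, 'exp' => $now + 300]));
$h = b64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT', 'kid' => 'demo-kid']));
$p = $claim('1234567890');
openssl_sign("$h.$p", $sig, $key, OPENSSL_ALGO_SHA256);
echo verify_google_jwt("$h.$p." . b64url_encode($sig), $certs, 'my-client-id', $now)['sub'], "\n";

// Swapping a claim while keeping the old signature must fail verification.
try { verify_google_jwt("$h." . $claim('999') . '.' . b64url_encode($sig), $certs, 'my-client-id', $now); }
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

With a real token, replace `$certs` with the decoded JSON from the certs endpoint (cached per the answer) and `$aud` with your OAuth client id; the HMAC key the question guesses at never enters the picture, because Google's tokens are RSA-signed.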