代码:
$token = $request->getQueryParams();
$jwt_access_token = $token['access_token'];
$separator = '.';
list($header, $payload, $signature) = explode($separator, $jwt_access_token);
$decoded_signature = base64_decode($signature);
$payload_to_verify = utf8_decode($header . $separator . $payload);
$public_key = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/pubkey.pem');
$verified = openssl_verify($payload_to_verify, $decoded_signature, $public_key, OPENSSL_ALGO_SHA256);
访问令牌示例:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpZCI6IjU0YmEzYmQwZDRkYzAxYmZhNmJjYjdjYTIwOTQwY2YzY2NmM2EyNjQiLCJqdGkiOiI1NGJhM2JkMGQ0ZGMwMWJmYTZiY2I3Y2EyMDk0MGNmM2NjZjNhMjY0IiwiaXNzIjoiIiwiYXVkIjoidGVzdGNsaWVudCIsInN1YiI6InNhbGxlIiwiZXhwIjoxNDgyMTIyODY4LCJpYXQiOjE0ODIxMTkyNjgsInRva2VuX3R5cGUiOiJiZWFyZXIiLCJzY29wZSI6bnVsbH0.q-xwz16YbUiaDzdeiNBoaeZIYNx8G6HXLZRMJjpiezotq0nICTokVxuf3OUur6433MhT6wVCUENUeuJfuvLg3wKZWHfXSoTMG77Gkv1Wart6hlIPFqyZ13gyTzquaKRRDoRD9WSBcKXfTF6V59cWHrwAM5nRIQeOzBdYXZPwnV-9RhXUpjUhJ0LKRJsDZ5EwJUFsIDb7oZ70b3uLJqa79h42Dc5mQWj75uIo8mVCmH9N1BPJRn-Hb9ttgpu2oRgDOqsm4zdBz2CfSkPiHa-j6qKEWHocyLQBZ8XLxyvFSAFVIwqv4OVCBHanzbkfY-ZKkKh1THeyiIcrB9ed6vwzRg
公钥:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs3k2ZkpYqCX94B+qC2yc
4atWx+C5d7kFQAgBrbv5gfFuIST0DLt5lvv0OZZI57+ydNXb2G/jyOJPH3ll2mHS
Z+PKAo9aQoL5iYIjz+yYp2Im51LBh4e0Kt1RSjuy4M5RI1JVSsM9rt3NoLMzehv8
57g+uv1T177cJabDvKeqWdD0qR4N7PE/nV0Hrumz5kP4EnYhN0A2wjbXyyyllxhL
nr3Wqii0XJxBF3AwLUlqP1NYhm2wYq0CTjQrgv3/9WCvr4fSzBitzQAP6ZIFRHO3
F8EIaK6r6cDiP2ABmtTrmPAj3ZpqGVBPnvY9yVrqUS0pMxjvvesJiPd2jGrjLQFN
LQIDAQAB
-----END PUBLIC KEY-----
我无法获取openssl_verify()
函数返回 1。它总是返回 0(它无法验证令牌)。我不明白为什么。谁能指出我正确的方向吗?
它失败,因为 JWS 部分不是 Base64 编码,而是 Base64Url Safe编码。
错误来自该行
$decoded_signature = base64_decode($signature);
它应该是
$decoded_signature = base64_decode(strtr($signature, '-_', '+/'));
注1:尾随=
可以删除(使用函数trim
)并且对解码功能没有影响。
注 2:此验证仅适用于基于 RSA 的签名。基于 EC 的签名需要额外的步骤。这可以解释其他用户在此页面的评论中报告的失败案例。
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)