无法解码AWS认知身份池的JWK

Question

我找到了一些解决方案来验证认知JWT，但是解决方案使用的是认知用户池，我使用自定义提供程序，所以我没有用户池ID，我无法找到获取解决方案的方法，最后我发现这个文章有一个关于OpenID的JWK，所以我尝试使用这个URL，而不是运气，我得到了错误消息。

2020/02/24 19:01:58未能解析JWK:未能从地图中提取密钥:未能获得必需的密钥n:未能解析base64解码密钥n:输入字节64处的非法base64数据

下面是我的密码。

package main

import(
    "log"
    "github.com/lestrrat-go/jwx/jwk"
)

func main() {
    set, err := jwk.FetchHTTP("https://cognito-identity.amazonaws.com/.well-known/jwks_uri")
    if err != nil {
      log.Printf("failed to parse JWK: %s", err)
      return
    }

    log.Println(set)
}

Answer 1

如果您切换到github.com/golang-jwt/jwt/v4，您可以跟踪这个例子。

package main

import (
    "fmt"
    "log"
    "time"

    "github.com/golang-jwt/jwt/v4"

    "github.com/MicahParks/keyfunc"
)

func main() {

    // Get the JWKs URL from your AWS region and userPoolId.
    //
    // See the AWS docs here:
    // https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
    regionID := ""   // TODO Get the region ID for your AWS Cognito instance.
    userPoolID := "" // TODO Get the user pool ID of your AWS Cognito instance.
    jwksURL := fmt.Sprintf("https://cognito-idp.%s.amazonaws.com/%s/.well-known/jwks.json", regionID, userPoolID)

    // Create the keyfunc options. Use an error handler that logs. Refresh the JWKs when a JWT signed by an unknown KID
    // is found or at the specified interval. Rate limit these refreshes. Timeout the initial JWKs refresh request after
    // 10 seconds. This timeout is also used to create the initial context.Context for keyfunc.Get.
    refreshInterval := time.Hour
    refreshRateLimit := time.Minute * 5
    refreshTimeout := time.Second * 10
    refreshUnknownKID := true
    options := keyfunc.Options{
        RefreshErrorHandler: func(err error) {
            log.Printf("There was an error with the jwt.KeyFunc\nError:%s\n", err.Error())
        },
        RefreshInterval:   &refreshInterval,
        RefreshRateLimit:  &refreshRateLimit,
        RefreshTimeout:    &refreshTimeout,
        RefreshUnknownKID: &refreshUnknownKID,
    }

    // Create the JWKs from the resource at the given URL.
    jwks, err := keyfunc.Get(jwksURL, options)
    if err != nil {
        log.Fatalf("Failed to create JWKs from resource at the given URL.\nError:%s\n", err.Error())
    }

    // Get a JWT to parse.
    jwtB64 := "eyJraWQiOiJmNTVkOWE0ZSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJLZXNoYSIsImF1ZCI6IlRhc2h1YW4iLCJpc3MiOiJqd2tzLXNlcnZpY2UuYXBwc3BvdC5jb20iLCJleHAiOjE2MTkwMjUyMTEsImlhdCI6MTYxOTAyNTE3NywianRpIjoiMWY3MTgwNzAtZTBiOC00OGNmLTlmMDItMGE1M2ZiZWNhYWQwIn0.vetsI8W0c4Z-bs2YCVcPb9HsBm1BrMhxTBSQto1koG_lV-2nHwksz8vMuk7J7Q1sMa7WUkXxgthqu9RGVgtGO2xor6Ub0WBhZfIlFeaRGd6ZZKiapb-ASNK7EyRIeX20htRf9MzFGwpWjtrS5NIGvn1a7_x9WcXU9hlnkXaAWBTUJ2H73UbjDdVtlKFZGWM5VGANY4VG7gSMaJqCIKMxRPn2jnYbvPIYz81sjjbd-sc2-ePRjso7Rk6s382YdOm-lDUDl2APE-gqkLWdOJcj68fc6EBIociradX_ADytj-JYEI6v0-zI-8jSckYIGTUF5wjamcDfF5qyKpjsmdrZJA"

    // Parse the JWT.
    token, err := jwt.Parse(jwtB64, jwks.KeyFunc)
    if err != nil {
        log.Fatalf("Failed to parse the JWT.\nError:%s\n", err.Error())
    }

    // Check if the token is valid.
    if !token.Valid {
        log.Fatalf("The token is not valid.")
    }

    log.Println("The token is valid.")
}