具有多个公钥的 MicroProfile JWT
我想通过请求中作为授权标头提供的 JWT 来保护 REST API 的安全。我有一个 quarkus 应用程序,想使用他们的官方指南 - https://quarkus.io/guides /security-jwt
该指南指定:
mp.jwt.verify.publickey.location=publicKey.pem
mp.jwt.verify.issuer=https://example.com/issuer
到目前为止一切顺利,现在我们可以检查 JWT 是否由与该公钥对应的私钥签名。我遇到的问题是我有不同的 API 和不同的 OAuth 集成,比方说 3。因此不同的 API 端点需要不同的 JWT,因此也有不同的公钥。 mp 是否支持此功能?
Spring Security 允许多个具有不同 @Order 的 WebSecurity 并在那里集成多个 oAuth 服务器。如何在 Quarkus/MP JAX-RS 中完成此操作?
I want to secure a REST API via JWTs provided as Authorization Header in the requests. I am have a quarkus application and would like to use their official guide - https://quarkus.io/guides/security-jwt
The guide specifies:
mp.jwt.verify.publickey.location=publicKey.pem
mp.jwt.verify.issuer=https://example.com/issuer
So far so good, now we can check if JWTs are signed by a private key that corresponds to this public key. The problem I have is that I have different APIs and different OAuth integrations, let's say 3. So different API Endpoints expect different JWTs and hence also have different public keys. Is this even supported in mp?
Spring Security allows multiple WebSecurity with different @Order and integrating multiple oAuth Servers works there. How can this be done in Quarkus/MP JAX-RS?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
是的。但是使用 JSON Jwt 密钥集:
Jwt Ket 集允许连续提供多个公钥。您也可以提供 URL。
另外,请忘记 mp.jwt.verify.issuer:该属性需要一个表示单个颁发者的字符串。此属性不是强制性的,因此如果您确实想控制颁发者,则必须在请求过滤器中自行控制它。
如果您的公钥只有 PEM 文件,您可以使用 PEM 到 JWT 转换器将它们转换为 Jwt 密钥集,例如 这个(在线)。然后您只需提供 .json 文件即可。
Yes. But using a JSON Jwt Key Set:
The Jwt Ket Set allows to provide several public keys in row. You can also provide an URL instead.
Also, forget about
mp.jwt.verify.issuer: the property expects a string representing a single issuer. This property is not mandatory, so if you really want to control the issuer you will have to control it by yourself in your request filter.If you only have PEM files for your pubkeys, you can turn them into Jwt Key Set using PEM to JWT convertor like this one (online). Then you just have to serve the .json file.