Jwt令牌 - soul-soft/IdentityServer GitHub Wiki
说明
JWT、JWK、JWS 的具体规范分别参考 RFC 7519（JWT）、RFC 7517（JWK）、RFC 7515（JWS），以及 OpenID Connect Core 规范（OpenID Connect | OpenID）。
流程
通过 IdentityServer 服务签发一个 JWT 令牌，然后 API 服务通过访问 IdentityServer 的 /.well-known/openid-configuration 端点获取 issuer、jwks_uri、token 端点等配置信息，再从 jwks_uri 下载签名公钥，自行验证 token 的签名以及 iss、aud、exp 等声明，而不是由 IdentityServer 统一验证。注意：发现文档必须通过 HTTPS 获取，且文档中的 issuer 必须与 token 的 iss 声明一致；API 应只接受预期的签名算法（此处为 RS256），不能信任 token 头部中的 alg 字段，以防止 alg=none 或算法混淆攻击。这是它的优点同时也是它的缺点。
-
优点：验证快速、性能好，资源服务器不需要存储会话也不需要在每次请求时回查 IdentityServer，适合分布式场景等。
-
缺点：JWT token 一旦签发，在过期（exp）之前无法被撤销，因为 API 只做本地验证、不回查 IdentityServer。缓解方式：缩短 access token 的生命周期并配合 refresh token 使用；或改用 reference token，由 API 调用下面配置中的 introspection_endpoint 进行验证，这样才能通过 revocation_endpoint 真正撤销。
openid-configuration配置（以下为 https://demo.identityserver.io 的示例；生产环境应按需裁剪，例如其中列出的 implicit、password 授权类型以及 PKCE 的 plain 方法均已不推荐使用）
{
"issuer":"https://demo.identityserver.io",
"jwks_uri":"https://demo.identityserver.io/.well-known/openid-configuration/jwks",
"authorization_endpoint":"https://demo.identityserver.io/connect/authorize",
"token_endpoint":"https://demo.identityserver.io/connect/token",
"userinfo_endpoint":"https://demo.identityserver.io/connect/userinfo",
"end_session_endpoint":"https://demo.identityserver.io/connect/endsession",
"check_session_iframe":"https://demo.identityserver.io/connect/checksession",
"revocation_endpoint":"https://demo.identityserver.io/connect/revocation",
"introspection_endpoint":"https://demo.identityserver.io/connect/introspect",
"device_authorization_endpoint":"https://demo.identityserver.io/connect/deviceauthorization",
"frontchannel_logout_supported":true,
"frontchannel_logout_session_supported":true,
"backchannel_logout_supported":true,
"backchannel_logout_session_supported":true,
"scopes_supported":[
"openid",
"profile",
"email",
"api",
"api.scope1",
"api.scope2",
"scope2",
"policyserver.runtime",
"policyserver.management",
"offline_access"
],
"claims_supported":[
"sub",
"name",
"family_name",
"given_name",
"middle_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"birthdate",
"zoneinfo",
"locale",
"updated_at",
"email",
"email_verified"
],
"grant_types_supported":[
"authorization_code",
"client_credentials",
"refresh_token",
"implicit",
"password",
"urn:ietf:params:oauth:grant-type:device_code"
],
"response_types_supported":[
"code",
"token",
"id_token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"response_modes_supported":[
"form_post",
"query",
"fragment"
],
"token_endpoint_auth_methods_supported":[
"client_secret_basic",
"client_secret_post"
],
"id_token_signing_alg_values_supported":[
"RS256"
],
"subject_types_supported":[
"public"
],
"code_challenge_methods_supported":[
"plain",
"S256"
],
"request_parameter_supported":true
}
jwk配置（jwks_uri 返回的只是签名公钥：kty、n、e，不包含私钥；API 应根据 token 头部的 kid 选择对应的 key，并缓存、定期刷新 JWKS 以支持密钥轮换）
{
"keys":[
{
"kty":"RSA",
"use":"sig",
"kid":"59B5019F4923D059A42B546965007F36",
"e":"AQAB",
"n":"lrRvbHeIa6ErSX1wUkUoHCLY-t7qp0ssBSjvAM2CF5B8whSr7a1uh8Mai2jmGzbHtalC7DFTxfpjoEdtXxvciu_8CjiVPZ7UBsWF3CT4Z5J9P4FjV1IIz-18iCj9v3fcSS079R1hGOu_evy0h_pusWc-KpNcypaasHZspkU7N9O5arWAB-jzGk5DM0OKgZmp_N3nNry0vzK5tsr5Y9ouPf0MY43ltEiwv95idOKTfGgXUWX0-9gGkpdXNwAaBtd2QhNzmbwbNgP9gyrEtzV7QKNXo0F_xXHqmK8HNmi_NfnEs1NAhqzu4-B9nDjHHNMwqcQfV8xFKAbhyv4h6IBrXQ",
"alg":"RS256"
}
]
}