为什么我得到PHP无效的JWT提供的错误?
问题说明
从以下项生成的密钥: https://web-push-codelab.glitch.me/
keys generated from: https://web-push-codelab.glitch.me/
响应已通过以下方式验证: https://jwt.io/
response validated with: https://jwt.io/
返回的令牌有效!但我在chrome开发人员控制台中收到以下错误: 提供了无效的JWT"
Token being returned is valid! and yet I get the following error in chrome developer console: "invalid JWT provided"
为什么我的代码不起作用?
Why isnt my code working?
代码:
function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), ' /', '-_'), '=');
}
// Create token header as a JSON string
$header = json_encode(["alg" => "ES256","typ" => "JWT"]);
// Create token payload as a JSON string
$payload = json_encode(["aud" => "https://fcm.谷歌apis.com","exp" => time() 3600,"sub" => "mailto:push@example.com"]);
// Encode Header to Base64Url String
$base64UrlHeader = base64url_encode($header);
// Encode Payload to Base64Url String
$base64UrlPayload = base64url_encode($payload);
// Create Signature Hash
$signature = hash_hmac("SHA256", $base64UrlHeader . "." . $base64UrlPayload, "PRIVATE_KEY", true);
// Encode Signature to Base64Url String
$base64UrlSignature = base64url_encode($signature);
// Create JWT
$token = $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;
$key = "PUBLIC_KEY";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://fcm.谷歌apis.com/fcm/send/.....');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
$headers = array();
$headers[] = "Ttl: 60";
$headers[] = "Content-Length: 0";
$headers[] = "Authorization: vapid t=".$token.",k=".$key."";
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$result = curl_exec($ch);
curl_close($ch);
echo json_encode($result);
正确答案
在您的代码中,您使用私钥对令牌进行签名,并使用公钥进行验证,这只能用于非对称签名算法,例如.但是,选择签名对称算法的HS256作为签名算法.
In your code you use a private key to sign the token and a public key to verify, which can only be done for asymmetric signature algorithms, such as RS256. But as signature algorithm you choose HS256, which is a symmetric signature algorithm.
标头中的alg声明确定使用哪种算法来验证签名.因此,标头中的算法名称必须与用于签名的算法匹配.
The algclaim in the header determines, which algorithm is used to verify the signature. Therefore the algorithm name in the header must match with the algorithm used for signing.
对于对称算法,您必须使用相同的秘密进行签名和验证.秘密只是一个没有特殊形式的字符串,例如. 我的超级秘密"或更好的东西,例如"12z4104cntc4ta9c53434c9032trcbwuer8r".
For symmetric algorithms, you have to use the same secret for signing and verification. The secret is just a string in no special form, eg. 'my-super-secret' or better something like '12z4104cntc4ta9c53434c9032trcbwuer8r'.
现在您可以
- 为
HS256使用一个秘密,而不是公用密钥和私有密钥. - 将算法更改为
RS256,这将需要更多代码更改,因为现在您正在计算HMAC-SHA256(HS256)哈希.
- use one secret for
HS256instead of the public and private keys. - change the algorithm to
RS256, which would require some more code changes, because right now you calculate a HMAC-SHA256 (HS256) hash.
我强烈建议使用JWT库. 库列表用于不同的语言和环境.io"rel =" nofollow noreferrer> https://jwt.io
I highly recommend to use a JWT library. There a list of libs for different languages and environments on https://jwt.io
这篇好文章是转载于:学新通技术网
