为什么我得到PHP无效的JWT提供的错误?
问题说明
从以下项生成的密钥: https://web-push-codelab.glitch.me/
keys generated from: https://web-push-codelab.glitch.me/
响应已通过以下方式验证: https://jwt.io/
response validated with: https://jwt.io/
返回的令牌有效!但我在chrome开发人员控制台中收到以下错误: 提供了无效的JWT"
Token being returned is valid! and yet I get the following error in chrome developer console: "invalid JWT provided"
为什么我的代码不起作用?
Why isnt my code working?
代码:
function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), ' /', '-_'), '=');
}
// Create token header as a JSON string
$header = json_encode(["alg" => "ES256","typ" => "JWT"]);
// Create token payload as a JSON string
$payload = json_encode(["aud" => "https://fcm.谷歌apis.com","exp" => time() 3600,"sub" => "mailto:push@example.com"]);
// Encode Header to Base64Url String
$base64UrlHeader = base64url_encode($header);
// Encode Payload to Base64Url String
$base64UrlPayload = base64url_encode($payload);
// Create Signature Hash
$signature = hash_hmac("SHA256", $base64UrlHeader . "." . $base64UrlPayload, "PRIVATE_KEY", true);
// Encode Signature to Base64Url String
$base64UrlSignature = base64url_encode($signature);
// Create JWT
$token = $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;
$key = "PUBLIC_KEY";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://fcm.谷歌apis.com/fcm/send/.....');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
$headers = array();
$headers[] = "Ttl: 60";
$headers[] = "Content-Length: 0";
$headers[] = "Authorization: vapid t=".$token.",k=".$key."";
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$result = curl_exec($ch);
curl_close($ch);
echo json_encode($result);
正确答案
在您的代码中,您使用私钥对令牌进行签名,并使用公钥进行验证,这只能用于非对称签名算法,例如.但是,选择签名对称算法的HS256
作为签名算法.
In your code you use a private key to sign the token and a public key to verify, which can only be done for asymmetric signature algorithms, such as RS256
. But as signature algorithm you choose HS256
, which is a symmetric signature algorithm.
标头中的alg
声明确定使用哪种算法来验证签名.因此,标头中的算法名称必须与用于签名的算法匹配.
The alg
claim in the header determines, which algorithm is used to verify the signature. Therefore the algorithm name in the header must match with the algorithm used for signing.
对于对称算法,您必须使用相同的秘密进行签名和验证.秘密只是一个没有特殊形式的字符串,例如. 我的超级秘密"或更好的东西,例如"12z4104cntc4ta9c53434c9032trcbwuer8r".
For symmetric algorithms, you have to use the same secret for signing and verification. The secret is just a string in no special form, eg. 'my-super-secret' or better something like '12z4104cntc4ta9c53434c9032trcbwuer8r'.
现在您可以
- 为
HS256
使用一个秘密,而不是公用密钥和私有密钥. - 将算法更改为
RS256
,这将需要更多代码更改,因为现在您正在计算HMAC-SHA256(HS256
)哈希.
- use one secret for
HS256
instead of the public and private keys. - change the algorithm to
RS256
, which would require some more code changes, because right now you calculate a HMAC-SHA256 (HS256
) hash.
我强烈建议使用JWT库. 库列表用于不同的语言和环境.io"rel =" nofollow noreferrer> https://jwt.io
I highly recommend to use a JWT library. There a list of libs for different languages and environments on https://jwt.io
这篇好文章是转载于:学新通技术网
- 版权申明: 本站部分内容来自互联网,仅供学习及演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,请提供相关证据及您的身份证明,我们将在收到邮件后48小时内删除。
- 本站站名: 学新通技术网
- 本文地址: /reply/detail/tanhcfhgfh
-
YouTube API 不能在 iOS (iPhone/iPad) 工作,但在桌面浏览器工作正常?
it1352 07-30 -
iPhone,一张图像叠加到另一张图像上以创建要保存的新图像?(水印)
it1352 07-17 -
保持在后台运行的 iPhone 应用程序完全可操作
it1352 07-25 -
使用 iPhone 进行移动设备管理
it1352 07-23 -
在android同时打开手电筒和前置摄像头
it1352 09-28 -
扫描 NFC 标签时是否可以启动应用程序?
it1352 08-02 -
检查邮件是否发送成功
it1352 07-25 -
Android微调工具-删除当前选择
it1352 06-20 -
Android App 和三星 Galaxy S4 不兼容
it1352 07-20 -
希伯来语的空格句子标记化错误
it1352 06-22