I am using the jose library listed on the http://jwt.io site and trying to create a JWT token with it, but the generated token shows "Invalid Signature" when pasted into http://jwt.io, and when I try to call Apple Developer Connect with curl I get a 401 Unauthorized response! I don't know what is causing this problem.
import org.jose4j.jwk.EcJwkGenerator;
import org.jose4j.jwk.EllipticCurveJsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.EllipticCurves;

// Create the Claims, which will be the content of the JWT
JwtClaims claims = new JwtClaims();
claims.setIssuer("69a6de78-7188-47e3-e053-5b8c7c11a4d1"); // who creates the token and signs it
claims.setAudience("appstoreconnect-v1"); // to whom the token is intended to be sent
claims.setExpirationTimeMinutesInTheFuture(20); // time when the token will expire (20 minutes from now)
claims.setIssuedAtToNow();
claims.setGeneratedJwtId(); // a unique identifier for the token
// Generate an EC key pair, which will be used for signing and verification of the JWT, wrapped in a JWK
EllipticCurveJsonWebKey senderJwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
// Give the JWK a Key ID (kid), which is just the polite thing to do
senderJwk.setKeyId("-----BEGIN PRIVATE KEY-----\n" +
    "*******************" +
    "-----END PRIVATE KEY-----");
// So we first create a JsonWebSignature object.
JsonWebSignature jws = new JsonWebSignature();
// The payload of the JWS is JSON content of the JWT Claims
jws.setPayload(claims.toJson());
// The JWT is signed using the sender's private key
jws.setKey(senderJwk.getPrivateKey());
// Set the Key ID (kid) header because it's just the polite thing to do.
// We only have one signing key in this example but using a Key ID helps
// facilitate a smooth key rollover process
jws.setKeyIdHeaderValue(senderJwk.getKeyId());
// Set the signature algorithm on the JWT/JWS that will integrity protect the claims
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
jws.setHeader("typ", "jwt");
// Sign the JWS and produce the compact serialization, which will be the inner JWT/JWS
// representation, which is a string consisting of three dot ('.') separated
// base64url-encoded parts in the form Header.Payload.Signature
String outJwt = jws.getCompactSerialization();
// Now you can do something with the JWT. Like send it to some other party
// over the clouds and through the interwebs.
System.out.println("JWT: " + outJwt);
curl -v -H 'Authorization: Bearer [signed token]' "https://api.appstoreconnect.apple.com/v1/apps"
Best answer
I'm not familiar with that library, but it looks like you are signing the token with a newly, randomly generated key every time you run the code:
EllipticCurveJsonWebKey senderJwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
It also looks like you are setting the key ID to a Base-64 encoded private key (perhaps the private key you intended to use?). A key ID is not a key; it is just something that can be used to look the key up in a key store (for example, according to Apple, the key ID for its API should be "Your private key ID from App Store Connect").
So my guess is that you are getting the "invalid signature" error because you are signing the token with a new key each time, rather than with the key that is used to verify it.
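As an added illustration of the answer's point (this is not the asker's code or jose4j's own documentation), the following builds the token from a fixed private key instead of a freshly generated one: the PKCS#8 .p8 file downloaded from App Store Connect is parsed once, and the kid header carries only the key ID, never the key material. It assumes jose4j is on the classpath; the file name, key ID and issuer ID are placeholders.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;

public class AppStoreConnectToken {

    // Parse the PKCS#8 PEM (.p8) private key file into a java.security.PrivateKey.
    // Strip the PEM armour and whitespace, base64-decode the DER body, and hand it to an EC KeyFactory.
    static PrivateKey loadP8(Path p8File) throws Exception {
        String pem = Files.readString(p8File)
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(pem);
        return KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Sign the claims with the same key on every run; the verifier holds the matching public key,
    // which is what makes the signature validate instead of failing with "invalid signature".
    static String buildToken(PrivateKey key, String keyId, String issuerId) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuerId);                        // issuer ID from App Store Connect
        claims.setAudience("appstoreconnect-v1");
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(20);

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(key);                                   // the fixed private key, not a new one
        jws.setKeyIdHeaderValue(keyId);                    // kid = the key's identifier only
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
        jws.setHeader("typ", "JWT");                       // standard typ value for a JWT
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values (constructed for this example): substitute your own file, key ID and issuer ID.
        PrivateKey key = loadP8(Path.of("AuthKey_PLACEHOLDER.p8"));
        System.out.println(buildToken(key, "PLACEHOLDER_KEY_ID", "PLACEHOLDER_ISSUER_ID"));
    }
}
```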
Regarding "java - Connecting to App Store Connect with a signed JWT token", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55470098/