来自 Android 应用程序的 JWT 身份验证

【问题标题】:JWT auth from android apps来自 Android 应用程序的 JWT 身份验证
【发布时间】:2015-01-08 06:07:42
【问题描述】:

我是 Android 开发的新手,需要调用 HTTP 服务器来上传图像。在此之前,用户使用用户名和密码登录,并返回一个 JWT 令牌和用户 ID。在图像上传功能中,我需要在验证会话后提供令牌和 id 以供服务器接受图像,这就是我遇到问题的地方。

我不确定问题出在图像上传还是会话验证中,尽管从错误消息来看,它似乎是第二种情况。

函数如下:

public String sendPostMult(String myurl, String token, List<ValuePair> params, Bitmap bm) throws Exception {

    try {

        HttpClient client = new DefaultHttpClient();

        HttpPost post = new HttpPost(myurl);
        post.addHeader("Authorization", "Token token=\"" + token + "\"");
        MultipartEntityBuilder postEntity = MultipartEntityBuilder.create();

        ByteArrayOutputStream bao = new ByteArrayOutputStream();

        bm.compress(Bitmap.CompressFormat.PNG, 90, bao);

        byte[] ba = bao.toByteArray();

        String ba1 = Base64.encodeToString(ba, Base64.DEFAULT);

        // File file = new File("Your File path on SD card");
        // postEntity.addPart("fileupload", new FileBody(file, "image/jpeg"));
        for (ValuePair param : params) {
            postEntity.addTextBody(param.getValue(), param.getName());
            Log.d(param.getValue(), param.getName());
        }

        postEntity.addTextBody("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");


        postEntity.addTextBody("client_assertion", token);

        postEntity.addTextBody("picture", ba1);
        // Log.d("YY", getBytesFromBitmap(bm).toString());
        post.setEntity(postEntity.build());

        HttpResponse response = client.execute(post);

        int responseCode = response.getStatusLine().getStatusCode();


        BufferedReader reader = new BufferedReader(new InputStreamReader(
                response.getEntity().getContent(), "UTF-8"));

        String sResponse = reader.readLine();

        return sResponse;

    }catch(Exception e)
    {
        e.printStackTrace();
        return "ERROR";
    }
}

给出的错误如下(请看最后一个):

11-11 10:51:09.780  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - NafHttpAuthStrategyDefault﹕ (thUse=686) NafHttpAuthStrategyDefault()

11-11 10:51:09.780  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - KeeperManager﹕ (thUse=686) INITIALIZATION of shared resources

11-11 10:51:09.780  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - AndroidContextProviderImpl﹕ (thUse=686)    currentActivityThread=android.app.ActivityThread@420899a8
11-11 10:51:09.830  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - GbaSupportIndicatorRequestUpdaterDefault﹕ (thUse=686) GbaSupportIndicatorRequestUpdaterAbstract()   userHeaderPredefined=Apache-HttpClient/UNAVAILABLE (java 1.4)

11-11 10:51:09.940  11762-11769/team13.foods I/dalvikvm﹕ Total arena pages for JIT: 11
11-11 10:51:09.940  11762-11769/team13.foods I/dalvikvm﹕ Total arena pages for JIT: 12
11-11 10:51:09.940  11762-11769/team13.foods I/dalvikvm﹕ Total arena pages for JIT: 13
11-11 10:51:09.940  11762-11769/team13.foods I/dalvikvm﹕ Total arena pages for JIT: 14
11-11 10:51:09.950  11762-11769/team13.foods I/dalvikvm﹕ Total arena pages for JIT: 15

11-11 10:51:09.960  11762-12135/team13.foods D/dalvikvm﹕ DexOpt: couldn't find static field Lorg/apache/http/message/BasicHeaderValueParser;.INSTANCE

11-11 10:51:09.960  11762-12135/team13.foods W/dalvikvm﹕ VFY: unable to resolve static field 1921 (INSTANCE) in Lorg/apache/http/message/BasicHeaderValueParser;

11-11 10:51:09.960  11762-12135/team13.foods D/dalvikvm﹕ VFY: replacing opcode 0x62 at 0x001b

11-11 10:51:09.960  11762-12135/team13.foods D/dalvikvm﹕ DexOpt: couldn't find static field Lorg/apache/http/message/BasicHeaderValueFormatter;.INSTANCE

11-11 10:51:09.960  11762-12135/team13.foods W/dalvikvm﹕ VFY: unable to resolve static field 1915 (INSTANCE) in Lorg/apache/http/message/BasicHeaderValueFormatter;

11-11 10:51:09.960  11762-12135/team13.foods D/dalvikvm﹕ VFY: replacing opcode 0x62 at 0x0015
11-11 10:51:09.970  11762-12135/team13.foods D/name﹕ djt
11-11 10:51:09.970  11762-12135/team13.foods D/description﹕ test
11-11 10:51:09.970  11762-12135/team13.foods D/tags﹕ hft
11-11 10:51:09.970  11762-12135/team13.foods D/id﹕ 545a7b69ed2f9c0200dfc995
11-11 10:51:10.000  11762-12135/team13.foods D/dalvikvm﹕ GC_FOR_ALLOC freed 799K, 16% free 7878K/9336K, paused 27ms, total 27ms

11-11 10:51:10.020  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - NafHttpAuthStrategyDefault﹕ (thUse=686)    cached value : gbaSupportIsPossible=null

11-11 10:51:10.020  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - NafHttpAuthStrategyDefault﹕ (thUse=686)    The current context is NOT a context of GBA service.

11-11 10:51:10.020  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - GbaSupportPermissionRequestCheckerImpl﹕ (thUse=686) isCurrentProcessRequestedGba()#finished   result=false

11-11 10:51:10.020  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - GbaSupportPermissionRequestCheckerImpl﹕ (thUse=686) isCurrentProcessAllowedToUseGba()#started   result=false

11-11 10:51:10.020  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - NafHttpAuthStrategyDefault﹕ (thUse=686)    The GBA permission wasn't requested for this process.

11-11 10:51:10.020  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - NafHttpAuthStrategyDefault﹕ (thUse=686) It is impossible to support GBA now (many possible reasons: no Android Context, current client is GBA service, etc.), then it will be just usual HTTP.

11-11 10:51:10.020  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - NafRequestExecutorWrapperRedirectionHandler﹕ (thUse=686)    It isn't GBA flow, redirection responses are not handled.

11-11 10:51:11.280  11762-12135/team13.foods W/DefaultRequestDirector﹕ Authentication error: Unable to respond to any of these challenges: {}

11-11 10:51:11.280  11762-12135/team13.foods I/APACHE HTTP (thCr=686) - NafHttpAuthStrategyDefault﹕ (thUse=686)    cached value : gbaSupportIsPossible=false

11-11 10:51:11.280  11762-11762/team13.foods I/System.out﹕ UnauthorizedError: jwt must be provided

所以看来确实是jwt错误。如果我删除 

post.addHeader("Authorization", "Token token=\"" + token + "\"");

行,错误提示:必须提供授权标头。

所以我的问题是:

1) 授权标头是否正确?还是应该采用其他格式?

2) 我如何通过 JWT?我收到了作为字符串的令牌,我认为这是我需要传递的。然而,当我收到令牌时,它确实包含几个字段,我将这些字段解析为不同的字符串,令牌就是其中之一。所以也许我应该保存整个事情并将其完全发送到客户端断言字段中?但是我还是应该只在授权标头中发送令牌吗?

3) 虽然有点不相关,但可能是我发送的图片格式错误?

非常感谢您抽出宝贵时间。我真的很感激!

【问题讨论】:

  • 如果你想知道什么是智威汤逊的样子:{ “令牌”: “eyJ0eXAiOiJKV1QiLCJhbGiOiJIUzI1NiJ9.eyJlbWFpbCI6Im9saUBvbGkuY29tIiwicGFzc3dvcmQiOiIkMmEkMDUkZEVpYmhRUzlNLlMwRW9wTU5XWndrLi5rR1VIMWNFUk9HaW1mMDRYcFpnQWdtSTBBbTFPRk8iLCJfaWQiOiI1NDVhN2I2OWVkMmY5YzAyMDBkZmM5OTUiLCJfX3YiOjB9.voPftTnS4Wfg_S6_87N6DUpBxCcu9S_dyJpUj_rsxlk”, “ID”: “545a7b69ed2f9c0200dfc995”} SPAN>

标签: java android apache oauth-2.0 jwt


【解决方案1】:

查看 JWT,您的问题就在那里。它不是 JWT 令牌。

一个 JWT 由三部分组成:&lt;header&gt;.&lt;claims/payload&gt;.&lt;signature&gt;。你的只包含&lt;payload&gt;.&lt;signature&gt;。我怀疑您有 JWS(JSON Web 签名)而不是 JWT(JSON Web 令牌)。

您可以阅读规范中的格式:http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#ExampleJWT

如果您需要对令牌进行故障排除,这是一个有用的工具:http://kjur.github.io/jsjws/mobile/tool_jwt.html

此外,像您一样在声明中发送密码似乎是一种倒退的做法,即使它是加密的。 JWT 不是向每个服务发送密码。服务通过验证签名来信任内容。

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 2019-06-30
    • 2015-12-26
    • 1970-01-01
    • 2014-01-26
    • 2021-11-19
    • 2018-03-06
    • 2019-10-30
    • 2018-07-13
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode