The result obtained by calling the token_endpoint interface via the OIDC protocol is as follows:
{"scope": "openid profile email", "token_type": "Bearer", "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InBhNmtSUUdMSnVQUTN0cmFrcU9EMHVheXowODNCYkFxanBjZy1Eclp3TEEifQ.eyJzdWIiOiI2NTQyMWEzMGY0NDBhYmQ1YmU3Mzk0NzMiLCJhdWQiOiI2NTJhMWU3ZTBkNjFjZjVjYmYwNTI4ZmQiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiaWF0IjoxNjk4ODMxMjg5LCJleHAiOjE3MDAwNDA4ODksImp0aSI6IjhCdFJxTzZwYVBrRXZHSFAzMERqMERKUUNZdFRwWGJyaTRybWdfajhYdGYiLCJpc3MiOiJodHRwczovL2x3Yy1ndWFuY2UuYXV0aGluZy5jbi9vaWRjIn0.rBratvYkhIin4x3hglZfw2DVxu-QOhFuBFo5FbHAvzK2ydcVvYuqRWtTo9dNkd_VTM8_j_IzX7ugoq9wa416WKZrN7VYbLkKP-ItkhCve4LjiDY8HlBTxjcv9qQfjqvAWQ25SymWLuGE7QfVUpZW9ewFXmN7Pfc8ck1aYGGuNH5mmy0thMHQJ94NAX9ZNmA7UgL1RPd0RUvIWmtrWi8gwMjVej3_fssbQUkhlOsFhxyfO_Q8eziVYl-YPqjmt1CRHfaxiuCYiXX373BBBfV1Yj4-e8L8AJNn7GIiUY7r77zKjcCC-SWrAbDhWf1Jbh8peacBcXDlnouYv86EUcfevg", "expires_in": 1209600, "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.y7sHCqCcs0hOtwtM_tcvcnDWS3Kh_BH-28RHfMc8kkM"}
When validating the id_token from it against the jwks_uri, this error was reported;
The core validation code is as follows (dependencies: python3.8, Authlib==1.2.0):
from authlib.oidc.core import CodeIDToken
from authlib.jose import jwt

# id_token: the id_token string from the token_endpoint response above
# jwks: the JSON Web Key Set (dict) fetched from the provider's jwks_uri
claims = jwt.decode(id_token, jwks, claims_cls=CodeIDToken)
claims.validate()
After decoding the id_token on https://jwt.io/, I found that the header section is missing kid. Need to confirm whether this is an Authing bug.
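Added example (not part of the original post, and not Authing's or Authlib's code): a stand-alone Python script that decodes the JOSE header of the two tokens in the response above and applies the key-selection rule from OIDC Core section 10.1. The access_token header carries alg RS256 plus a kid, so it maps onto a key published at jwks_uri; the id_token header carries alg HS256 and no kid, which means it is signed with the client_secret and cannot be verified against the JWKS at all, regardless of whether a kid is present. The JWKS, the client secret and the minted HS256 token are constructed samples, and the RSA modulus is a labelled placeholder.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Header segments copied verbatim from the two tokens in the response above.
ACCESS_TOKEN_HEADER = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InBhNmtSUUdMSnVQUTN0cmFrcU9EMHVheXowODNCYkFxanBjZy1Eclp3TEEifQ"
)
ID_TOKEN_HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"

# Constructed sample JWKS: one RSA signing key whose kid matches the access_token header.
# The modulus is a placeholder; a real JWKS would carry the base64url modulus.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256",
         "kid": "pa6kRQGLJuPQ3trakqOD0uayz083BbAqjpcg-DrZwLA",
         "n": "<modulus omitted, constructed sample>", "e": "AQAB"}
    ]
}

ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}
HMAC_ALGS = {"HS256", "HS384", "HS512"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_header(token: str) -> dict:
    """Return the JOSE header of a JWT (or of a bare header segment) as a dict."""
    return json.loads(b64url_decode(token.split(".")[0]))


def select_verification_key(header: dict, jwks: dict, client_secret: Optional[str]) -> Tuple[str, object]:
    """
    Pick the key material that can verify a token with this header (OIDC Core 10.1):
    asymmetric algs -> a JWK from jwks_uri, matched by kid (or the single key if
    the set has exactly one); HS* algs -> the client_secret, never the JWKS.
    """
    alg = header.get("alg")
    keys = jwks.get("keys", [])
    if alg in ASYMMETRIC_ALGS:
        kid = header.get("kid")
        if kid is None:
            if len(keys) == 1:
                return "jwks", keys[0]
            raise ValueError("asymmetric token without kid, but JWKS has %d keys" % len(keys))
        for key in keys:
            if key.get("kid") == kid:
                return "jwks", key
        raise ValueError("kid %r not found in JWKS" % kid)
    if alg in HMAC_ALGS:
        if not client_secret:
            raise ValueError("%s id_token is signed with the client_secret; the JWKS cannot verify it" % alg)
        return "client_secret", client_secret
    raise ValueError("unsupported or missing alg: %r" % alg)


def verify_hs256(token: str, client_secret: str) -> dict:
    """Verify an HS256 id_token with the client secret and return its claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected alg instead of trusting whatever the header says.
    if header.get("alg") != "HS256":
        raise ValueError("expected HS256, got %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(client_secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("id_token signature does not verify with this client_secret")
    return json.loads(b64url_decode(payload_b64))


def make_hs256_token(claims: dict, client_secret: str) -> str:
    """Constructed helper: mint an HS256 token the way an OP would, to exercise verify_hs256."""
    header_b64 = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    sig = hmac.new(client_secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header_b64, payload_b64, b64url_encode(sig))


if __name__ == "__main__":
    for name, hdr in (("access_token", ACCESS_TOKEN_HEADER), ("id_token", ID_TOKEN_HEADER)):
        h = parse_header(hdr)
        print(name, "header:", h)
        try:
            print("  verify with:", select_verification_key(h, SAMPLE_JWKS, None)[0])
        except ValueError as e:
            print("  cannot verify with JWKS:", e)
    secret = "constructed-client-secret"  # constructed sample, not a real secret
    tok = make_hs256_token({"sub": "user-1", "iss": "https://example.invalid/oidc"}, secret)
    print("HS256 round-trip claims:", verify_hs256(tok, secret))
```

Running it shows the practical consequence: jwt.decode(id_token, jwks, ...) can only succeed for a token whose alg points at a JWKS key, so an HS256 id_token needs the client_secret as the key (or the provider needs to issue the id_token with RS256 so jwks_uri applies). Pinning the expected alg in the verifier also closes the classic algorithm-confusion hole where a verifier that accepts both HS* and RS* keys is handed an HS256 token signed with the public key.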