本项目基于可信执行环境(TEE)提供的硬件级保护能力实现安全可靠的资源权限颁发和验证。项目中借助jwt格式令牌解决跨域资源认证问题,同时为了保证认证的安全性,将jwt令牌的签发置于TEE中。为了保证令牌校验的安全性,利用intel sgx提供的远程证明能力保护签发时所用RSA密钥对应的公钥。项目中主要包含了以下技术方案:
- 基于OIDC的规范和流程进行资源授权与权限验证
- 在TEE中完成授权令牌的颁发,保证颁发令牌过程的安全性
- 借助Intel sgx远程证明能力保护签发令牌所用私钥对应的公钥可信
- 根据配置规则将Idp的id token转换为access token颁发给资源请求用户
首先请确保你的硬件是支持Intel SGX和FLC(Flexible Launch Control)。对于某些支持的硬件可能需要额外在BIOS中开启相关功能。
可以使用命令cpuid来查看硬件平台是否满足需求
- SGX2:
cpuid | grep SGX - FLC:
cpuid | grep SGX_LC
本项目使用阿里云提供的PCCS服务,如果你使用的不是阿里云服务器,https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/是一个有效的PCCS url,你需要在/etc/sgx_default_qcnl.conf文件中更新有效的PCCS url。
如果你使用的是阿里云提供的机密计算服务器,可以参考阿里云官方提供的文档构建机密计算环境和配置远程证明服务。
- Rust nightly-2022-10-22
本项目中默认使用auth0作为Idp,并根据配置文件进行token转换。其中配置文件是AES的CTR模式进行加密的,服务端程序初始化时会读取CONFIG文件,并解密读取管理员设置的配置进行Token转换。
默认配置文件的明文格式如下
{
"configs": [
{
"idp": "https://dev-f3qm0elg4mvfgpsu.us.auth0.com/",
"jwk_endpoint": "https://dev-f3qm0elg4mvfgpsu.us.auth0.com/.well-known/jwks.json",
"client_id": "IMIprdP4qfSuKANevWkJyhG5F7weEGT0",
"server_api": [
"https://example.com/server1-api",
"https://example.com/server2-api"
],
"scope": "openid profile read:admin",
"expiration": 3600
}
]
}代码中默认的配置文件解密如下
# server/enclave/src/auth.rs
let aes_key: [u8; 16] = [0_u8; 16]; // 178 line
let mut iv: [u8; 16] = [0_u8; 16]; // 179 line在项目运行前根据自己的需要配置解密密钥和配置规则文件(注意:规则文件内容为加密后的规则)
下面所描述的服务端指的是令牌的授权中心,客户端指的是令牌的验证中心
cd server
makecd bin
./app
-
服务端会在
https://127.0.0.1:8080/stsToken接收下方格式的id token并返还access token{"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJ4TTBENGRFTHNZeTk5bm1qYU5zNSJ9.eyJpc3MiOiJodHRwczovL2Rldi1mM3FtMGVsZzRtdmZncHN1LnVzLmF1dGgwLmNvbS8iLCJhdWQiOiJJTUlwcmRQNHFmU3VLQU5ldldrSnloRzVGN3dlRUdUMCIsImlhdCI6MTY5NTg5MDc3NiwiZXhwIjoxNjk1OTI2Nzc2LCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNzE4NjMyMzY5MDgyNjEzMzc0NiIsInNpZCI6IjdXTzM3YVd1UUVNU1F6QkZUc0hQUU1la0FQYmFuOHJJIn0.tmOMqJtSaQ6-AW8LnWyQUA36zmcvQF2IT9BvO0s2ExltUOBZ_T-51vSWh3_KBy21khFWVVr0T6QxldaTC-JFgzdP7zZwSYp7qUPMDSBVfuTnGRtRtVhinFgtcxcoB12DQ3JX3ZeLxtVkN_566Oh282UYxuVsQxJsG_brIJKU186K52Unq0eeabUOWJq8nZqulpbjGhSI6tEqlgWd0TJIvRgxUrwfef3fDfSnlN9cKiQ3RlfVy9bgyKPjEGlB0C8Ch4HO76t5w72AHIMMdsxrluSI5sgilFqYtEz4dVwxVKeg_tKtFwzG4Ut7UmjDl1kgryTZNSo--do0s3qyb-TRTQ"}请求示例
curl -k -X GET "https://127.0.0.1:8080/stsToken" -H "Content-Type: application/json" -d '{"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJ4TTBENGRFTHNZeTk5bm1qYU5zNSJ9.eyJpc3MiOiJodHRwczovL2Rldi1mM3FtMGVsZzRtdmZncHN1LnVzLmF1dGgwLmNvbS8iLCJhdWQiOiJJTUlwcmRQNHFmU3VLQU5ldldrSnloRzVGN3dlRUdUMCIsImlhdCI6MTY5NjA1MjQyMywiZXhwIjoxNjk2MDg4NDIzLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNzE4NjMyMzY5MDgyNjEzMzc0NiIsInNpZCI6IjdXTzM3YVd1UUVNU1F6QkZUc0hQUU1la0FQYmFuOHJJIn0.NclELlaI8tOa_gYZGxCbG_JDRpQypLk-kdrX3fBMFAkhCaBtrd4vyLXaCod8eRQ-QyoOC9BaAe5pMXAM2GEw3m178AYeL1dU2CDZmzkMsZo157j8Om_yixOMI22sGgkT-tfoDoEsfhjZeRVhXMe1SwnMYWqbBzEQ8crsEpx4xfx798jv_FjsoLz1fxTY-7nhxe9wu360aIjIQKwF_dT7wscklyRbp_7o0Rp3XNiOYhGem-CKfVY2aw-qry2gNmfzJ1nc1bV6SRf60y2n6GPsAoqCgaLTodGP4PjLoBNSZoMC9VFOiRp1lPSIwzIy36X3xkSNqHqS91xMvCC-uBrjOA"}'
请求响应示例
{"Access Token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9vVStqNDNPSFZBNTQwcGZsZXBoamVja29kL044Zy8yWnZtS1ROVm5JcU09In0.eyJpc3MiOiJlbmNsYXZlIGF1dGhvcml6YXRpb24iLCJhdWQiOlsiaHR0cHM6Ly9leGFtcGxlLmNvbS9zZXJ2ZXIxLWFwaSIsImh0dHBzOi8vZXhhbXBsZS5jb20vc2VydmVyMi1hcGkiXSwic3ViIjoiZ29vZ2xlLW9hdXRoMnwxMDcxODYzMjM2OTA4MjYxMzM3NDYiLCJpYXQiOjE2OTYwNTM5MDYsImV4cCI6MTY5NjA1NzUwNiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSByZWFkOmFkbWluIiwiY2xpZW50X2lkIjoiSU1JcHJkUDRxZlN1S0FOZXZXa0p5aEc1Rjd3ZUVHVDAifQ.Kf1lFg0IuOPEgZ7NFZ8lFOcjlwgXX5ys0apRFMUNXCqR6SbeoqORK5IIBMBmkNBYxuiozrzz4b6sUKj3_VBLhiZV3Yh9eUra_Wym21PFB8_hUaZuFbFHwS-RqnE5qhSSCdkiHwD55LQuiq7-sPtgbgMRBovHLJIa185GAxAwC7zqVEe8kGbnCI2hhGvfajuHYR3U_GOq5LhqhIa5ub_k55Z8cCwPghzfRRolsgcF6NsSRDiqxxe4S6J6-34jXBTyiDrLoKBDQRVlRp6LhttfYfcS_TCIoi4zafrA2UqJhzzFmp2UsBMC7ws0dqHfARAKDpT4AVf_5Nk1Y6-OZvOmhsu6_obeaf-1aM4G_Cx11Yv4-_3zbLgKwFB2V4U4AQ-VlIlAj2lB1SV5SIP9l6h6jdBfsg7MWrNJy85-2zJ0DxDyma8kuUxeMDynJVOovfehZ2c23aNw0OaZXqG36UrhTP2t2Mu3RwaTJvaPrUB3VRjctxTo_VlY6RL9I6OC5GZe"} -
服务端会在
https://127.0.0.1:8080/.well-known/jwks.json提供获取jwks的api请求示例
curl -k -X GET "https://127.0.0.1:8080/.well-known/jwks.json"请求响应示例
{"keys":[{"kty":"RSA","use":"sig","n":"hcSsltyT2VTXUWWTyypStEV5xfYLYUAlm7qs6xN1HsEbB5Cy-z0QuCM6vzjmZw5IlyYXXh2fHkXWqGpP8yjeBSXdyEs0r49XD_5VnzscCkxe6XkczknAjdzv3A3tsZfypjLt5kFOh1FwZBwWRWYv3eiy5gNMK8EgkfFwtWmmATC2c37KTkJYqpTtOVboTHfqc0lxBdq-HFO3wmXzRqrsczjTMT6HsAzodK8bt5ipQrrtrp_T-EUFis1FoSUbnV7uaxdZQFh6KupbZ8trvyvol0frDy7pSzSruvNBztDAZ93Q6Js2zBFjEPyfcpBv61eHzxnh5t1hmrr7jDFnJgDM2kUkBhNYarJ1DMTVVKDuaBO6XUfrYPPPgJPfDXTZB-LhFXO_lQ6J3XBAeMjUXvJ--0s9h9XvLDpCn-N6SLSeIFs71X7xNhJ77tFPAN34fCwhrqiI3--oW9WS2JmxbihnT9dD3_dO1AKFpymNNBojm_9u4wMhquRWVmZkzqceU5nH","e":"AQAB","kid":"OoU+j43OHVA540pflephjeckod/N8g/2ZvmKTNVnIqM=","x5c":["MIIWVjCCFMCgAwIBAgIBATALBgkqhkiG9w0BAQswJDEiMCAGA1UEAwwZY29uZmlkZW50aWFsLXRva2VuLWJyb2tlcjAeFw0yMzA5MjYwNzE1NThaFw0yMzEwMDMwNzE1NThaMCQxIjAgBgNVBAMMGWNvbmZpZGVudGlhbC10b2tlbi1icm9rZXIwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCFxKyW3JPZVNdRZZPLKlK0RXnF9gthQCWbuqzrE3UewRsHkLL7PRC4Izq/OOZnDkiXJhdeHZ8eRdaoak/zKN4FJd3ISzSvj1cP/lWfOxwKTF7peRzOScCN3O/cDe2xl/KmMu3mQU6HUXBkHBZFZi/d6LLmA0wrwSCR8XC1aaYBMLZzfspOQliqlO05VuhMd+pzSXEF2r4cU7fCZfNGquxzONMxPoewDOh0rxu3mKlCuu2un9P4RQWKzUWhJRudXu5rF1lAWHoq6ltny2u/K+iXR+sPLulLNKu680HO0MBn3dDomzbMEWMQ/J9ykG/rV4fPGeHm3WGauvuMMWcmAMzaRSQGE1hqsnUMxNVUoO5oE7pdR+tg88+Ak98NdNkH4uEVc7+VDondcEB4yNRe8n77Sz2H1e8sOkKf43pItJ4gWzvVfvE2Envu0U8A3fh8LCGuqIjf76hb1ZLYmbFuKGdP10Pf907UAoWnKY00GiOb/27jAyGq5FZWZmTOpx5TmccCAwEAAaOCEpUwghKRMIISjQYJKoZIhvhNAQ0BBIISfgMAAgAAAAAACQAOAJOacjP3nEyplAoNs5V/BgeIL0Uz1CNk/bBW1wtZtSfkAAAAAAsLEA///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAAAAAA5wAAAAAAAAAvdFwL+ypITLCBZS84l84YF2KjDD7s0TIJ/h9YRCZnrAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAg9cZ533qyhRw9rr2Kk13QwPImdtpAg+ccO4d/AjHzp4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj21j+hsTAYc7WKWUx7FyGQn/rh3JxvIxbJ9BmWjaXnUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMoQAABeUvhg7JP8s0SjlrWxmOfiS+vOcKIFmjwCKtTPT1b4Nr9vnWTBaJPpUkh4TBqUe2ekdfxwlb0/iAeh/joZTu0XHGS8suPfhhAOf9eg/UgluGAWfeW4aL2hfLzMyr9uqVivFiBkIJuzW+JScjCfh3j6F7ZrwvkruoeWKWBlBE8ovwsLEA///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUAAAAAAAAA5wAAAAAAAAAZKqUM4cDO8DzPiee1sWsNeXj1wrHtz3dNh3AugVTYvwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAjE9XddeWUD6WE393xoqCmgBWrI3tcBQLCBsJRJDFe/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHUqwU39Xqk888rBEYgDIRLpX+loYhlqy1f1rhwT61XUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIi6q4EMqukZUc/jyiInVYKKxjibFUxBefk/JW2VTFXjxCsIYg9JeLFxT11A9dp0zenxKzO7okYK2+XOuriGXmEgAAABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fBQBiDgAALS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU5RENDQkptZ0F3SUJBZ0lWQU5nOVFrdHVnTm91SEVyTFp3TTZ0MGF3L2pZQ01Bb0dDQ3FHU000OUJBTUMKTUhBeElqQWdCZ05WQkFNTUdVbHVkR1ZzSUZOSFdDQlFRMHNnVUd4aGRHWnZjbTBnUTBFeEdqQVlCZ05WQkFvTQpFVWx1ZEdWc0lFTnZjbkJ2Y21GMGFXOXVNUlF3RWdZRFZRUUhEQXRUWVc1MFlTQkRiR0Z5WVRFTE1Ba0dBMVVFCkNBd0NRMEV4Q3pBSkJnTlZCQVlUQWxWVE1CNFhEVEl6TURReU5qRTNNakkwTUZvWERUTXdNRFF5TmpFM01qSTAKTUZvd2NERWlNQ0FHQTFVRUF3d1pTVzUwWld3Z1UwZFlJRkJEU3lCRFpYSjBhV1pwWTJGMFpURWFNQmdHQTFVRQpDZ3dSU1c1MFpXd2dRMjl5Y0c5eVlYUnBiMjR4RkRBU0JnTlZCQWNNQzFOaGJuUmhJRU5zWVhKaE1Rc3dDUVlEClZRUUlEQUpEUVRFTE1Ba0dBMVVFQmhNQ1ZWTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBUVoKWWF6QzYzcDg1Um5TeFJyQ2tLRHQ4bitPUXR0UE5naUxLRDJzRDBUclZ6bUFheVZ5WXZ3OW5pbEE0dTU0ZTNaaQo2U2RkQWY1eGpzVlRuQXJPQUZQMG80SUREakNDQXdvd0h3WURWUjBqQkJnd0ZvQVVsVzlkemIwYjRlbEFTY25VCjlEUE9BVmNMM2xRd2F3WURWUjBmQkdRd1lqQmdvRjZnWElaYWFIUjBjSE02THk5aGNHa3VkSEoxYzNSbFpITmwKY25acFkyVnpMbWx1ZEdWc0xtTnZiUzl6WjNndlkyVnlkR2xtYVdOaGRHbHZiaTkyTXk5d1kydGpjbXcvWTJFOQpjR3hoZEdadmNtMG1aVzVqYjJScGJtYzlaR1Z5TUIwR0ExVWREZ1FXQkJSVjdBYUZ3d1J6QmhsQnBoTm5iL0lsClN2N2RYREFPQmdOVkhROEJBZjhFQkFNQ0JzQXdEQVlEVlIwVEFRSC9CQUl3QURDQ0Fqc0dDU3FHU0liNFRRRU4KQVFTQ0Fpd3dnZ0lvTUI0R0NpcUdTSWI0VFFFTkFRRUVFSE5nNVdZek5TVHkvWGNGWW9kU09lQXdnZ0ZsQmdvcQpoa2lHK0UwQkRRRUNNSUlCVlRBUUJnc3Foa2lHK0UwQkRRRUNBUUlCQ3pBUUJnc3Foa2lHK0UwQkRRRUNBZ0lCCkN6QVFCZ3NxaGtpRytFMEJEUUVDQXdJQkF6QVFCZ3NxaGtpRytFMEJEUUVDQkFJQkF6QVJCZ3NxaGtpRytFMEIKRFFFQ0JRSUNBUDh3RVFZTEtvWklodmhOQVEwQkFnWUNBZ0QvTUJBR0N5cUdTSWI0VFFFTkFRSUhBZ0VBTUJBRwpDeXFHU0liNFRRRU5BUUlJQWdFQU1CQUdDeXFHU0liNFRRRU5BUUlKQWdFQU1CQUdDeXFHU0liNFRRRU5BUUlLCkFnRUFNQkFHQ3lxR1NJYjRUUUVOQVFJTEFnRUFNQkFHQ3lxR1NJYjRUUUVOQVFJTUFnRUFNQkFHQ3lxR1NJYjQKVFFFTkFRSU5BZ0VBTUJBR0N5cUdTSWI0VFFFTkFRSU9BZ0VBTUJBR0N5cUdTSWI0VFFFTkFRSVBBZ0VBTUJBRwpDeXFHU0liNFRRRU5BUUlRQWdFQU1CQUdDeXFHU0liNFRRRU5BUUlSQWdFTk1COEdDeXFHU0liNFRRRU5BUUlTCkJCQUxDd01ELy84QUFBQUFBQUFBQUFBQU1CQUdDaXFHU0liNFRRRU5BUU1FQWdBQU1CUUdDaXFHU0liNFRRRU4KQVFRRUJnQmdhZ0FBQURBUEJnb3Foa2lHK0UwQkRRRUZDZ0VCTUI0R0NpcUdTSWI0VFFFTkFRWUVFTXpwQ0JSeQpOZE5Kb2VWVnVoM2RkZ2d3UkFZS0tvWklodmhOQVEwQkJ6QTJNQkFHQ3lxR1NJYjRUUUVOQVFjQkFRSC9NQkFHCkN5cUdTSWI0VFFFTkFRY0NBUUgvTUJBR0N5cUdTSWI0VFFFTkFRY0RBUUgvTUFvR0NDcUdTTTQ5QkFNQ0Ewa0EKTUVZQ0lRQ2h6RDA4SXovZ2pSbzl0aUVkZU5JVzVlaHhJNEMzSDdaekdGQ3c1NXp3ZmdJaEFPYkhBR05NUWxEVwoyZmphRENxMEtpQmJyU3VsUm5Eeno4aVpzdVM2YU9EbwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlDbGpDQ0FqMmdBd0lCQWdJVkFKVnZYYzI5RytIcFFFbkoxUFF6emdGWEM5NVVNQW9HQ0NxR1NNNDlCQU1DCk1HZ3hHakFZQmdOVkJBTU1FVWx1ZEdWc0lGTkhXQ0JTYjI5MElFTkJNUm93R0FZRFZRUUtEQkZKYm5SbGJDQkQKYjNKd2IzSmhkR2x2YmpFVU1CSUdBMVVFQnd3TFUyRnVkR0VnUTJ4aGNtRXhDekFKQmdOVkJBZ01Ba05CTVFzdwpDUVlEVlFRR0V3SlZVekFlRncweE9EQTFNakV4TURVd01UQmFGdzB6TXpBMU1qRXhNRFV3TVRCYU1IQXhJakFnCkJnTlZCQU1NR1VsdWRHVnNJRk5IV0NCUVEwc2dVR3hoZEdadmNtMGdRMEV4R2pBWUJnTlZCQW9NRVVsdWRHVnMKSUVOdmNuQnZjbUYwYVc5dU1SUXdFZ1lEVlFRSERBdFRZVzUwWVNCRGJHRnlZVEVMTUFrR0ExVUVDQXdDUTBFeApDekFKQmdOVkJBWVRBbFZUTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFTlNCLzd0MjFsWFNPCjJDdXpweHc3NGVKQjcyRXlER2dXNXJYQ3R4MnRWVExxNmhLazZ6K1VpUlpDbnFSN3BzT3ZncUZlU3hsbVRsSmwKZVRtaTJXWXozcU9CdXpDQnVEQWZCZ05WSFNNRUdEQVdnQlFpWlF6V1dwMDBpZk9EdEpWU3YxQWJPU2NHckRCUwpCZ05WSFI4RVN6QkpNRWVnUmFCRGhrRm9kSFJ3Y3pvdkwyTmxjblJwWm1sallYUmxjeTUwY25WemRHVmtjMlZ5CmRtbGpaWE11YVc1MFpXd3VZMjl0TDBsdWRHVnNVMGRZVW05dmRFTkJMbVJsY2pBZEJnTlZIUTRFRmdRVWxXOWQKemIwYjRlbEFTY25VOURQT0FWY0wzbFF3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQgpBZjhDQVFBd0NnWUlLb1pJemowRUF3SURSd0F3UkFJZ1hzVmtpMHcraTZWWUdXM1VGLzIydWFYZTBZSkRqMVVlCm5BK1RqRDFhaTVjQ0lDWWIxU0FtRDV4a2ZUVnB2bzRVb3lpU1l4ckRXTG1VUjRDSTlOS3lmUE4rCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNqekNDQWpTZ0F3SUJBZ0lVSW1VTTFscWROSW56ZzdTVlVyOVFHemtuQnF3d0NnWUlLb1pJemowRUF3SXcKYURFYU1CZ0dBMVVFQXd3UlNXNTBaV3dnVTBkWUlGSnZiM1FnUTBFeEdqQVlCZ05WQkFvTUVVbHVkR1ZzSUVOdgpjbkJ2Y21GMGFXOXVNUlF3RWdZRFZRUUhEQXRUWVc1MFlTQkRiR0Z5WVRFTE1Ba0dBMVVFQ0F3Q1EwRXhDekFKCkJnTlZCQVlUQWxWVE1CNFhEVEU0TURVeU1URXdORFV4TUZvWERUUTVNVEl6TVRJek5UazFPVm93YURFYU1CZ0cKQTFVRUF3d1JTVzUwWld3Z1UwZFlJRkp2YjNRZ1EwRXhHakFZQmdOVkJBb01FVWx1ZEdWc0lFTnZjbkJ2Y21GMAphVzl1TVJRd0VnWURWUVFIREF0VFlXNTBZU0JEYkdGeVlURUxNQWtHQTFVRUNBd0NRMEV4Q3pBSkJnTlZCQVlUCkFsVlRNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVDNm5Fd01ESVlaT2ovaVBXc0N6YUVLaTcKMU9pT1NMUkZoV0dqYm5CVkpmVm5rWTR1M0lqa0RZWUwwTXhPNG1xc3lZamxCYWxUVll4RlAyc0pCSzV6bEtPQgp1ekNCdURBZkJnTlZIU01FR0RBV2dCUWlaUXpXV3AwMGlmT0R0SlZTdjFBYk9TY0dyREJTQmdOVkhSOEVTekJKCk1FZWdSYUJEaGtGb2RIUndjem92TDJObGNuUnBabWxqWVhSbGN5NTBjblZ6ZEdWa2MyVnlkbWxqWlhNdWFXNTAKWld3dVkyOXRMMGx1ZEdWc1UwZFlVbTl2ZEVOQkxtUmxjakFkQmdOVkhRNEVGZ1FVSW1VTTFscWROSW56ZzdTVgpVcjlRR3prbkJxd3dEZ1lEVlIwUEFRSC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCQWY4Q0FRRXdDZ1lJCktvWkl6ajBFQXdJRFNRQXdSZ0loQU9XLzVRa1IrUzlDaVNEY05vb3dMdVBSTHNXR2YvWWk3R1NYOTRCZ3dUd2cKQWlFQTRKMGxySG9NcytYbzVvL3NYNk85UVd4SFJBdlpVR09kUlE3Y3ZxUlhhcUk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KADALBgkqhkiG9w0BAQsDggGBAIAdtEV1Vzsfdy72EGununUaTA3B3FgRtQoohHxUkpS/gC63XECFRMp8BN5XaOhaga3uVgtWUKJueqD5xDM3jeZ6Sr1+WMOnyw4gytFB0fwFNKFu2P3RDhBAKNqcxjbezSIW/9HglOikqfF4kGIFnCy5Sps6w8nz82fKwBSvAR4EcQ8qVndxHph8w/xMxJjvBgMA9NhKymO5Nt/dPbTK9cbxl2mJ1Se07jsAkDTZe5xm+5plAvng/uPyrbsCrYbQG8CdtILeRbE8eDDNVx5EhyfiSf3qxi+ST5uPc2YX46+Uw/ukx+1sxp58lTGE9eQsf3YBFrIk4pTvBpiuTGu8yL8gYnTEUUH9LKVhM41BOeW4Rj2CClTB3fSo5peeHKpBMOQmwzWB2aEjD5FljkOmvWrYXaWWRCu6/SDgLk/vNghYPtn252mqdhcE+Vbo8W9O/SSZc+C2C96mrglKsUg8l+rXL2X+oLRfvZz5BQuBp3VehQRctIxLImLhthpsa209OA=="],"alg": "RS256"}]}
cd client
cargo buildcargo run-
客户端会在
https://127.0.0.1:9999/api接收用户携带access token的请求,并校验access token是否有效,来决定是否提供用户访问特定资源的权限。请求示例
curl -k -X GET "https://127.0.0.1:9999/api" --header 'authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9vVStqNDNPSFZBNTQwcGZsZXBoamVja29kL044Zy8yWnZtS1ROVm5JcU09In0.eyJpc3MiOiJlbmNsYXZlIGF1dGhvcml6YXRpb24iLCJhdWQiOlsiaHR0cHM6Ly9leGFtcGxlLmNvbS9zZXJ2ZXIxLWFwaSIsImh0dHBzOi8vZXhhbXBsZS5jb20vc2VydmVyMi1hcGkiXSwic3ViIjoiZ29vZ2xlLW9hdXRoMnwxMDcxODYzMjM2OTA4MjYxMzM3NDYiLCJpYXQiOjE2OTU4OTA4MzMsImV4cCI6MTY5NTg5NDQzMywic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSByZWFkOmFkbWluIiwiY2xpZW50X2lkIjoiSU1JcHJkUDRxZlN1S0FOZXZXa0p5aEc1Rjd3ZUVHVDAifQ.UjawxSHgN93USOfiiK9fI5wcvQwvnZwhjaLwEvN8qBfdGm3St_APIFmP9EcxhVtVC8x98vFy7NlzYbnDHoGwxUX-a3vL5ji79rfPAGej4KV4FfdS1UrUpEtYynWTpY0UNh__Bqyct1XRVDhnCwIJxcppz096ivAKCC4h4YOQCNzqaCB4G5ScpNxWP2uhz-mdRih7iIU0tcO3IQFRWwMGEexeFGPbPvelcZ7RJXlhCHpz0-i3SUc5actY-ItEyDYnjtiIlaai2DIxjERRUIA7NnvaxKav59PwHmXMnjD2cA__IvR0HiGrbrksh7E0EUulbqxkNeQ1zKkm-CjVdLhPWaVNRtOHyotl6H7cgQkRB4OnMrs0R1LO6G-kd78xGdX_Wn9UGMkKFmYrFb5BEC2YJvM1KgKXkkIWc739j8pt9eerDUYXqODmeMLScSv-KN7JcbHVCt0yzQuzIk0rf9LX73QlSGYgDkJIa_XzHzom2RN80MRtsAMyLEiknH7jQKBf'
请求响应示例
Access Token parsed successfully -
客户端在接收到access token会根据代码中指定url,向指定端点请求jwks,使用jwk来校验access token是否正确。
其中jwk中提供的x509格式证书包含intel sgx远程证明提供的Quote,Quote中包含jwk令牌中公钥哈希值,客户端会通过校验Quote首先确保jwk中的公钥是可信的,再使用jwk中提供的公钥来验证access token进行资源授权