pom文件添加
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>jwks-rsa</artifactId>
<version>0.9.0</version>
</dependency>
2.上代码
import java.security.PublicKey;
import org.apache.tomcat.util.codec.binary.Base64;
import org.springframework.web.client.RestTemplate;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import com.auth0.jwk.Jwk;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import lombok.extern.slf4j.Slf4j;
@Slf4j
publ
ic class AppleUtil {
/**
* 获取苹果的公钥
* @return
* @throws Exception
*/
private static JSONArray getAuthKeys() {
String url = "https://appleid.apple.com/auth/keys";
RestTemplate restTemplate = new RestTemplate();
JSONObject json = restTemplate.getForObject(url,JSONObject.class);
JSONArray arr = json.getJSONArray("keys");
return arr;
}
public static Boolean verify(String jwt) {
JSONArray arr = getAuthKeys();
if(arr == null){
return false;
}
JSONObject authKey = null;
//先取苹果第一个key进行校验
authKey = JSONObject.parseObject(arr.getString(0));
if(verifyExc(jwt, authKey)){
return true;
}else{
//再取第二个key校验
authKey = JSONObject.parseObject(arr.getString(1));
return verifyExc(jwt, authKey);
}
}
/**
* 对前端传来的identityToken进行验证
* @param jwt 对应前端传来的 identityToken
* @param authKey 苹果的公钥 authKey
* @return
* @throws Exception
*/
public static Boolean verifyExc(String jwt, JSONObject authKey) {
Jwk jwa = Jwk.fromValues(authKey);
PublicKey publicKey = null;
try {
publicKey = jwa.getPublicKey();
} catch (Exception e) {
log.error("苹果公钥获取失败:"+e.toString());
e.printStackTrace();
}
String aud = "";
String sub = "";
if (jwt.split("\\.").length > 1) {
String claim = new String(Base64.decodeBase64(jwt.split("\\.")[1]));
aud = JSONObject.parseObject(claim).get("aud").toString();
sub = JSONObject.parseObject(claim).get("sub").toString();
}
JwtParser jwtParser = Jwts.parser().setSigningKey(publicKey);
jwtParser.requireIssuer("https://appleid.apple.com");
jwtParser.requireAudience(aud);
jwtParser.requireSubject(sub);
try {
Jws<Claims> claim = jwtParser.parseClaimsJws(jwt);
if (claim != null && claim.getBody().containsKey("auth_time")) {
System.out.println(claim);
return true;
}
return false;
} catch (ExpiredJwtException e) {
log.error("apple identityToken expired", e);
return false;
} catch (Exception e) {
log.error("apple identityToken illegal", e);
return false;
}
}
/**
* 对前端传来的JWT字符串identityToken的第二部分进行解码
* 主要获取其中的aud和sub,aud大概对应ios前端的包名,sub大概对应当前用户的授权的openID
* @param identityToken
* @return {"aud":"com.xkj.****","sub":"000***.8da764d3f9e34d2183e8da08a1057***.0***","c_hash":"UsKAuEoI-****","email_verified":"true","auth_time":1574673481,"iss":"https://appleid.apple.com","exp":1574674081,"iat":1574673481,"email":"****@qq.com"}
* sub : 用户openid
*/
public static JSONObject parserIdentityToken(String identityToken){
String[] arr = identityToken.split("\\.");
String decode = new String (Base64.decodeBase64(arr[1]));
String substring = decode.substring(0, decode.indexOf("}")+1);
JSONObject jsonObject = JSON.parseObject(substring);
return jsonObject;
}
}