TL; DR我想确保在HTTP正文中传递的用户标识和令牌中的声明主题匹配,否则它是欺骗请求
非常有趣的情况,看看这个HTTP帖子请求
POST /v1/details HTTP/1.1
Host: api.abc.com
Authorization: eyJraWQiOiJwV2FIVXBhXC9NMUZtbXROSTRhblwvTFBxTmhSU1pKRmJKa3NMN2dHWE51bWM9IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIzYWUxMzYzZC1kY2UzLTQ5NjEtYmVkZS1jY2RmYTE3YzY0MTciLCJhdWQiOiIxa2NyNTAxamRkanJnaGNsb3FobnVxdmtmOSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiZXZlbnRfaWQiOiI2Y2JkNTk5OC1mOTgzLTExZTctOTYxNC1jMWEyMWM4YjNmOWEiLCJ0b2tlbl91c2UiOiJpZCIsImF1dGhfdGltZSI6MTUxNTk3Mjg1MSwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tXC91cy1lYXN0LTFfZkZyNWt6anYzIiwiY29nbml0bzp1c2VybmFtZSI6InRlc3RzdnRpZDFAbG92ZWR3ZWFsdGguY29tIiwiZXhwIjoxNTE1OTc2NDUxLCJpYXQiOjE1MTU5NzI4NTEsImVtYWlsIjoidGVzdHN2dGlkMUBsb3ZlZHdlYWx0aC5jb20ifQ.V9Gl_xDPx8z4-bd3TDjWTrBo3mVBo9vyYDXOTvMZ-lQRACBvSaK26QOcVCRE1FDJiKBfv4y3ckRGRI3p1T_SnY-rusvfN8rxiRD_kG34W0WF586RpXUGmQ9bL-F7IpVO5Bg1NqlBt3SZjzPWR1xyUxujbs2V-7u6K0dt7Nnv9Tb3H09jYqfwyE6Zu_MqOO9kztFu_SzIXy83pMujE34bVmLTABcJuAFKePDyTRB4tKB_u8ago0VmCnm0ivlivGY8GQsu2tMajA02ihwmXgoX5zDHcyFpYexoY2OtM9m8J62VNgeHjKgkLjlobyC-fL4fG4DbSg42hnEshA2Mz0GYlA
Accept: application/json
Content-Type: application/json
Cache-Control: no-cache
{
"query":"{\n sprouts_detail(user_id: \"3ae1363d-dce3-4961-bede-ccdfa17c6417\") {\n sprouts_detail {\n sprout_id\n }\n } \n}","variables":null,"operationName":null
}
标题中是带有用户凭据的cogntio令牌,用户声明
我可以使用正文模板访问用户声明,就像这样,但它似乎无法在模型中工作
{
"sub" : "$context.authorizer.claims.sub"
}
问题: - 我想验证$ context.authorizer.claims.sub是否与POST正文中的graphql查询user_id字段相同
"query":"{\n sprouts_detail(user_id: \"3ae1363d-dce3-4961-bede-ccdfa17c6417\")
如果相同,让它通过,如果它不相同,否认它并抛出403禁止
无效
{
"$schema":"http://json-schema.org/draft-04/schema#",
"definitions":{
"GraphQLAuthorizationModel":{
"type":"object",
"title":"GraphQLAuthorizationModel",
"properties":{
"query":{
"oneOf":[
{
"pattern":"$context.authorizer.claims.sub"
}
],
"type":"string"
}
},
"required":[
"query"
]
}
}
}
但是,如果我用say_id更改$ context.authorizer.claims.sub,它会按预期工作并检查http正文有效负载中的user_id字符串