我写了一个入站策略,该策略启用CORS并针对授权服务器验证访问令牌。以下政策运行良好:
<policies>
<inbound>
<!-- Extract Token from Authorization header parameter -->
<set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
<!-- Send request to Token Server to validate token (see RFC 7662) -->
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
</send-request>
<cors>
<allowed-origins>
<origin>*</origin>
</allowed-origins>
<allowed-methods>
<method>*</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
<choose>
<when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
<!-- Return 401 Unauthorized with http-problem payload -->
<return-response response-variable-name="existing response variable">
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error="invalid_token"</value>
</set-header>
</return-response>
</when>
</choose>
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
<set-header name="Access-Control-Allow-Origin" exists-action="override">
<value>*</value>
</set-header>
</outbound>
<on-error>
<base />
</on-error>
</policies>
现在,我要添加一个条件,该条件授权用户仅在属于某个组时才可以使用PUT,POST或DELETE方法:
<when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
<validate-jwt header-name="Authorization">
<required-claims>
<claim name="groups">
<value>UOM WriteAdmin</value>
</claim>
</required-claims>
</validate-jwt>
</when>
但是在保存策略时出现以下错误:
One or more fields contain incorrect values:
Error in element 'choose' on line 28, column 10: Syntax error, ',' expected
我不确定这是怎么回事。这是合并授权逻辑后的最终政策:
<policies>
<inbound>
<!-- Extract Token from Authorization header parameter -->
<set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
<!-- Send request to Token Server to validate token (see RFC 7662) -->
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
</send-request>
<cors>
<allowed-origins>
<origin>*</origin>
</allowed-origins>
<allowed-methods>
<method>*</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
<choose>
<when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
<!-- Return 401 Unauthorized with http-problem payload -->
<return-response response-variable-name="existing response variable">
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error="invalid_token"</value>
</set-header>
</return-response>
</when>
<when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
<validate-jwt header-name="Authorization">
<required-claims>
<claim name="groups">
<value>UOM WriteAdmin</value>
</claim>
</required-claims>
</validate-jwt>
</when>
</choose>
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
<set-header name="Access-Control-Allow-Origin" exists-action="override">
<value>*</value>
</set-header>
</outbound>
<on-error>
<base />
</on-error>
</policies>
答案 0 :(得分:1)
尝试一下:
<when condition="@(new [] {"post", "put", "delete"}.Contains(context.Request.Method, StringComparer.OrdinalIgnoreCase))">
您那里似乎还有一些其他符号。