Azure API Management JWT token validation (IDX10511: Signature validation failed)

Time: 2021-06-28 11:18:24

Tags: jwt openid-connect azure-api-management

I created my own identity server, which issues/mints tokens based on a username and a code. It works locally between App Services, but when I try to validate the token in Azure API Management it fails. I think the error is in the openid-config, but I cannot see what is wrong.

But I get this error:

IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew', InternalId: 'b7aZZOAAhueurq_c62cqJcTBXL69skl6hu1a1oHLu1w'. , KeyId: AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew
'. 
kid: 'AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew'. 
Exceptions caught:
 ''.
token: '{"alg":"RS256","kid":"AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew","typ":"JWT"}.{"nbf":1624878880,"exp":1627470880,"iss":"https://login.zenbi.dk","aud":"You"}'.

Token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkFhbnJEMVdjUGtxTXBLM3AyUzBKUTdpeHFXa1lCQUw4aFJuVTZEY2lpZXciLCJ0eXAiOiJKV1QifQ.eyJuYmYiOjE2MjQ4Nzg4ODAsImV4cCI6MTYyNzQ3MDg4MCwiaXNzIjoiaHR0cHM6Ly9sb2dpbi56ZW5iaS5kayIsImF1ZCI6IllvdSJ9.Lm32InrGT5DfphZalI9oQPzm-jcNDsOTGGkhE0dpdhdL7xpcVuZ4go6-i1dDx_cri7Neh4cow9vv3JR_Q75qhmVEr9TVrbAXP1Spkz0uvJPa9pLsQIZxH6B5D1ICnC0ROjgr5PQFXbMJXAYPludai5GpJWtX7ufUvFjauW2p2l1ssuK1iB27YeuYw7IDpMbgQvzlgVvqD8E4dzFoWdq-kLF8ZP-A3qnAtEchXu5JVJg4d7o3gI--cqJ7RaF6ehzVvFHvgADw54j4Gniif-mjnLDCZU0CYDMfRGmt5kURSJSvJUXZtaJgKYa9eQ0jSib6At4LZUVGYlHxx_I5jtjd3w

<policies>
        <inbound>
            <base />
            <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="@((string)context.LastError.Message)" require-scheme="Bearer" require-signed-tokens="true">
                <openid-config url="https://zenbicertificates.blob.core.windows.net/jwt/openid-configuration.json" />
            </validate-jwt>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
    </policies>

1 answer:

Answer 0 (score: 0)

How about writing the validation logic yourself?

<!-- Parse the bearer token in a policy expression and store "true"/"false" in the "pass" variable. -->
<set-variable name="pass" value="@{
            bool isAud = false;
            bool isIss = false;
            string pass = "false";
            string authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
            if (authHeader?.Length > 0)
            {
                // Expect exactly "Bearer <token>"
                string[] authHeaderParts = authHeader.Split(' ');
                if (authHeaderParts?.Length == 2 && authHeaderParts[0].Equals("Bearer", StringComparison.InvariantCultureIgnoreCase))
                {
                    Jwt jwt;
                    // TryParseJwt only decodes the token; it does not check the signature
                    if (authHeaderParts[1].TryParseJwt(out jwt))
                    {
                        string tempScp = jwt.Claims.GetValueOrDefault("scp", "null");
                        if(tempScp != "null"){
                            isAud = tempScp.Contains("YOU");
                        }

                        string tempIss = jwt.Claims.GetValueOrDefault("iss", "null");
                        if(tempIss != "null"){
                            isIss = tempIss.Contains("xxx");
                        }
                    }
                }
            }
            if(isAud || isIss ){
                pass = "true";
            }
            return pass;
        }" />
    <!-- Reject the request with 401 when the variable is "false". -->
    <choose>
        <when condition="@(context.Variables.GetValueOrDefault("pass") == "false")">
            <return-response response-variable-name="existing response variable">
                <set-status code="401" reason="Unauthorized hhh" />
            </return-response>
        </when>
        <otherwise />
    </choose>
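
As an added example that is not part of the question or the answer above, the Go program below reproduces offline what the validate-jwt policy does with the openid-config: it reads the kid from the token header, picks the JWKS entry with that kid, verifies the RS256 signature over header.payload and then checks iss and aud (the claim checks the answer's expression performs, here done only after the signature has been verified). It generates two RSA keys at runtime and publishes each under the same constructed kid "example-kid": with the signing key in the JWKS verification passes; with the other key it fails in the same way the IDX10511 message in the question describes (key with matching kid was tried, signature did not verify). The issuer URL, audience and kid are constructed values, not the asker's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// jwk is the subset of an RFC 7517 JSON Web Key that RS256 verification needs.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// jwks is the document a jwks_uri serves: {"keys":[...]}.
type jwks struct {
	Keys []jwk `json:"keys"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// publicJWK is the entry an identity server should publish for the key it signs with.
func publicJWK(pub *rsa.PublicKey, kid string) jwk {
	e := big.NewInt(int64(pub.E)).Bytes()
	return jwk{Kty: "RSA", Kid: kid, N: b64url(pub.N.Bytes()), E: b64url(e)}
}

// signRS256 mints a compact JWT (header.payload.signature) carrying the given kid.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// verifyRS256 mirrors validate-jwt: select the JWKS entry whose kid matches the token
// header, verify the RS256 signature, and only then compare iss and aud (aud is a string here).
func verifyRS256(token string, set jwks, wantIss, wantAud string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("token is not a three-part compact JWT")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("header is not base64url: %w", err)
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return fmt.Errorf("header is not JSON: %w", err)
	}
	if hdr.Alg != "RS256" { // never let the token choose "none" or an HMAC alg
		return fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var key *jwk
	for i := range set.Keys {
		if set.Keys[i].Kid == hdr.Kid {
			key = &set.Keys[i]
		}
	}
	if key == nil {
		return fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	nBytes, errN := base64.RawURLEncoding.DecodeString(key.N)
	eBytes, errE := base64.RawURLEncoding.DecodeString(key.E)
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errN != nil || errE != nil || errS != nil {
		return errors.New("JWKS entry or signature is not valid base64url")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nBytes), E: int(new(big.Int).SetBytes(eBytes).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		// The IDX10511 situation: the kid matched a published key, but that key did not sign this token.
		return fmt.Errorf("kid %q matched but signature verification failed: %w", hdr.Kid, err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct{ Iss, Aud string }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("payload is not JSON: %w", err)
	}
	if claims.Iss != wantIss || claims.Aud != wantAud {
		return fmt.Errorf("claims mismatch: iss=%q aud=%q", claims.Iss, claims.Aud)
	}
	return nil
}

// RunScenario mints one token and verifies it against two constructed JWKS documents: one
// publishing the signing key (passes) and one publishing a different key under the same kid (fails).
func RunScenario() (withSigningKey, withStaleKey error) {
	const kid = "example-kid" // constructed; not the kid from the question
	signer, _ := rsa.GenerateKey(rand.Reader, 2048)
	stale, _ := rsa.GenerateKey(rand.Reader, 2048)
	claims := map[string]interface{}{"iss": "https://issuer.example", "aud": "You", "exp": 1627470880}
	token, _ := signRS256(signer, kid, claims)
	good := jwks{Keys: []jwk{publicJWK(&signer.PublicKey, kid)}}
	bad := jwks{Keys: []jwk{publicJWK(&stale.PublicKey, kid)}}
	withSigningKey = verifyRS256(token, good, "https://issuer.example", "You")
	withStaleKey = verifyRS256(token, bad, "https://issuer.example", "You")
	return
}
```

Run the same verifyRS256 against the JWKS that the jwks_uri in your openid-configuration.json actually serves: if the kid is found but the signature still fails, the n and e published for that kid do not belong to the key the identity server signs with (a stale or wrongly exported key in the blob), which is the situation the IDX10511 message reports; if no kid is found, the JWKS or the jwks_uri itself is the problem.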