I created my own identity server, which issues/creates tokens based on a username and a code. It works locally between app services, but when I try to validate the token on Azure API Management it fails. I think the error is in the openid-config, but I cannot see what is wrong.
But I get this error:
IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew', InternalId: 'b7aZZOAAhueurq_c62cqJcTBXL69skl6hu1a1oHLu1w'. , KeyId: AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew
'.
kid: 'AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew'.
Exceptions caught:
''.
token: '{"alg":"RS256","kid":"AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew","typ":"JWT"}.{"nbf":1624878880,"exp":1627470880,"iss":"https://login.zenbi.dk","aud":"You"}'.
Token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkFhbnJEMVdjUGtxTXBLM3AyUzBKUTdpeHFXa1lCQUw4aFJuVTZEY2lpZXciLCJ0eXAiOiJKV1QifQ.eyJuYmYiOjE2MjQ4Nzg4ODAsImV4cCI6MTYyNzQ3MDg4MCwiaXNzIjoiaHR0cHM6Ly9sb2dpbi56ZW5iaS5kayIsImF1ZCI6IllvdSJ9.Lm32InrGT5DfphZalI9oQPzm-jcNDsOTGGkhE0dpdhdL7xpcVuZ4go6-i1dDx_cri7Neh4cow9vv3JR_Q75qhmVEr9TVrbAXP1Spkz0uvJPa9pLsQIZxH6B5D1ICnC0ROjgr5PQFXbMJXAYPludai5GpJWtX7ufUvFjauW2p2l1ssuK1iB27YeuYw7IDpMbgQvzlgVvqD8E4dzFoWdq-kLF8ZP-A3qnAtEchXu5JVJg4d7o3gI--cqJ7RaF6ehzVvFHvgADw54j4Gniif-mjnLDCZU0CYDMfRGmt5kURSJSvJUXZtaJgKYa9eQ0jSib6At4LZUVGYlHxx_I5jtjd3w
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="@((string)context.LastError.Message)" require-scheme="Bearer" require-signed-tokens="true">
            <openid-config url="https://zenbicertificates.blob.core.windows.net/jwt/openid-configuration.json" />
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
</policies>
Answer 0 (score: 0)
How about writing the validation logic yourself?
<set-variable name="pass" value="@{
    bool isAud = false;
    bool isIss = false;
    string pass = "false";
    string authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
    if (authHeader?.Length > 0)
    {
        string[] authHeaderParts = authHeader.Split(' ');
        if (authHeaderParts?.Length == 2 && authHeaderParts[0].Equals("Bearer", StringComparison.InvariantCultureIgnoreCase))
        {
            Jwt jwt;
            if (authHeaderParts[1].TryParseJwt(out jwt))
            {
                string tempScp = jwt.Claims.GetValueOrDefault("scp", "null");
                if (tempScp != "null")
                {
                    isAud = tempScp.Contains("YOU");
                }
                string tempIss = jwt.Claims.GetValueOrDefault("iss", "null");
                if (tempIss != "null")
                {
                    isIss = tempIss.Contains("xxx");
                }
            }
        }
    }
    if (isAud || isIss)
    {
        pass = "true";
    }
    return pass;
}" />
<choose>
    <when condition="@(context.Variables.GetValueOrDefault("pass") == "false")">
        <return-response response-variable-name="existing response variable">
            <set-status code="401" reason="Unauthorized hhh" />
        </return-response>
    </when>
    <otherwise />
</choose>
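The script below is an added example, not code from the question, the answer, or Azure API Management. It reproduces the steps a JWT validator performs around the RSA signature check that IDX10511 reports as failing: select the JWK whose kid matches the token header, confirm the key's type, use and algorithm, confirm the modulus is encoded the way RFC 7518 requires, and compare the kid with the RFC 7638 thumbprint of the published key (informative only where the issuer derives kids that way; the 43-character base64url kid in the question is consistent with that but the page does not confirm it). It then applies the issuer, audience and time-window checks the hand-written policy in the answer approximates. It runs against the token posted in the question and against a constructed token/JWKS pair; the JWKS documents, the openid-configuration dictionaries, the jwks_uri placeholder and the zero-filled signature are all constructed here, since the question does not show its JWKS. Signature verification itself needs an RSA library and is left out, so a clean report does not prove a token valid, but a failing check shows what a validator trips on before or after the signature.

```python
"""Key-selection and claim diagnostics for a JWT validated against a JWKS.

Added example; not code from the question, the answer or Azure API Management.
"""
import base64
import hashlib
import json

# Token posted in the question. Its header and payload are printed in clear in
# the IDX10511 message, so the values asserted elsewhere are taken from the page.
QUESTION_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IkFhbnJEMVdjUGtxTXBLM3AyUzBKUTdpeHFXa1lCQUw4aFJuVTZEY2lpZXciLCJ0eXAiOiJKV1QifQ"
    ".eyJuYmYiOjE2MjQ4Nzg4ODAsImV4cCI6MTYyNzQ3MDg4MCwiaXNzIjoiaHR0cHM6Ly9sb2dpbi56ZW5iaS5kayIsImF1ZCI6IllvdSJ9"
    ".Lm32InrGT5DfphZalI9oQPzm-jcNDsOTGGkhE0dpdhdL7xpcVuZ4go6-i1dDx_cri7Neh4cow9vv3JR_Q75qhmVEr9TVrbAXP1Spkz0uvJPa9pLsQIZxH6B5D1ICnC0ROjgr5PQFXbMJXAYPludai5GpJWtX7ufUvFjauW2p2l1ssuK1iB27YeuYw7IDpMbgQvzlgVvqD8E4dzFoWdq-kLF8ZP-A3qnAtEchXu5JVJg4d7o3gI--cqJ7RaF6ehzVvFHvgADw54j4Gniif-mjnLDCZU0CYDMfRGmt5kURSJSvJUXZtaJgKYa9eQ0jSib6At4LZUVGYlHxx_I5jtjd3w"
)

# Constructed modulus (256 bytes, not a real key). Used for two stand-in JWKS
# documents: one that copies the question's kid onto this made-up modulus (the
# "kid matches, key material does not" situation), one that is self-consistent.
CONSTRUCTED_MODULUS = bytes([0xC3]) + bytes(range(255))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    text = text.rstrip("=")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rsa_jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the canonical JSON of the required RSA members."""
    canonical = json.dumps({"e": jwk["e"], "kty": "RSA", "n": jwk["n"]},
                           sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def make_rsa_jwk(modulus, kid=None):
    jwk = {"kty": "RSA", "use": "sig", "alg": "RS256",
           "n": b64url_encode(modulus), "e": "AQAB"}
    jwk["kid"] = kid if kid is not None else rsa_jwk_thumbprint(jwk)
    return jwk


MISLABELLED_JWKS = {"keys": [make_rsa_jwk(
    CONSTRUCTED_MODULUS, kid="AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew")]}
CONSTRUCTED_JWKS = {"keys": [make_rsa_jwk(CONSTRUCTED_MODULUS)]}

# Issuer taken from the token's iss claim; the jwks_uri is a placeholder, the
# question does not show the contents of its openid-configuration.json.
QUESTION_OPENID_CONFIG = {"issuer": "https://login.zenbi.dk",
                          "jwks_uri": "https://JWKS-URI-PLACEHOLDER.invalid/jwks.json"}
CONSTRUCTED_OPENID_CONFIG = {"issuer": "https://issuer.example",
                             "jwks_uri": "https://issuer.example/jwks.json"}


def make_unsigned_token(header, payload):
    """Compact JWS with a zero-filled signature: exercises everything but the RSA check."""
    def seg(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return ".".join([seg(header), seg(payload), b64url_encode(bytes(256))])


CONSTRUCTED_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": CONSTRUCTED_JWKS["keys"][0]["kid"], "typ": "JWT"},
    {"nbf": 1700000000, "exp": 1700003600, "iss": "https://issuer.example", "aud": "api"})


def parse_jwt(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]


def diagnose(token, openid_config, jwks, expected_aud, now):
    """Return {check name: bool} for the steps a validator runs around the signature."""
    header, payload, sig_segment = parse_jwt(token)
    r = {"config_has_jwks_uri": bool(openid_config.get("jwks_uri")),
         "alg_is_rs256": header.get("alg") == "RS256"}
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    r["kid_found"] = key is not None
    if key is not None:
        r["kty_is_rsa"] = key.get("kty") == "RSA"
        r["use_is_sig"] = key.get("use", "sig") == "sig"
        r["key_alg_compatible"] = key.get("alg", "RS256") == "RS256"
        try:
            n, e = b64url_decode(key["n"]), b64url_decode(key["e"])
            r["n_e_decodable"] = len(n) > 0 and len(e) > 0
        except (KeyError, ValueError):
            n, r["n_e_decodable"] = b"", False
        # RFC 7518 Base64urlUInt uses the minimum number of octets: no leading zero byte.
        r["n_has_no_leading_zero"] = r["n_e_decodable"] and n[0] != 0
        r["kid_is_thumbprint"] = r["n_e_decodable"] and rsa_jwk_thumbprint(key) == key.get("kid")
        try:  # an RS256 signature is exactly as long as the modulus
            r["sig_len_matches_modulus"] = len(b64url_decode(sig_segment)) == len(n)
        except ValueError:
            r["sig_len_matches_modulus"] = False
    r["iss_matches_config"] = payload.get("iss") == openid_config.get("issuer")
    aud = payload.get("aud")
    r["aud_ok"] = expected_aud in (aud if isinstance(aud, list) else [aud])
    r["time_ok"] = payload.get("nbf", 0) <= now < payload.get("exp", 0)
    return r


if __name__ == "__main__":
    cases = [("question token / mislabelled JWKS",
              diagnose(QUESTION_TOKEN, QUESTION_OPENID_CONFIG, MISLABELLED_JWKS, "You", 1625000000)),
             ("constructed token / matching JWKS",
              diagnose(CONSTRUCTED_TOKEN, CONSTRUCTED_OPENID_CONFIG, CONSTRUCTED_JWKS, "api", 1700000100))]
    for name, report in cases:
        print(name)
        for check, ok in report.items():
            print("  " + ("ok   " if ok else "FAIL ") + check)
```

For the question's token against the mislabelled JWKS, every lookup check passes (the kid is found, the algorithm and key type agree, the claims are in window) while kid_is_thumbprint fails, which is the shape of the original error: the validator found a key under that kid and the RSA check still rejected the token, so the modulus published at the jwks_uri is the first thing to compare against the private key the identity server actually signs with. To run it against the real deployment, replace MISLABELLED_JWKS with the JSON served at the jwks_uri named in the openid-configuration file.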