APIM 是否将相同的不记名令牌转发到后端 API? | OAuth 2.0 和 Azure AAD
[英]Does APIM forward same bearer token to backend API? | OAuth 2.0 and Azure AAD
问题描述
Following below document provided by Microsoft, I have registered both apps, setup OAuth 2.0 service with client-credentials and added "validate-jwt" inbound policy.
根据 Microsoft 提供的以下文档,我已经注册了这两个应用程序,使用客户端凭据设置 OAuth 2.0 服务并添加了“validate-jwt”入站策略。 I have tested it with postman generating bearer token and calling my backend API under APIM instance passing with token.我已经使用 postman 生成承载令牌并在 APIM 实例下调用我的后端 API 进行了测试,并通过令牌传递。 It works fine.它工作正常。
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
But just along with Apim, I want to secure my backend API also and pass to same token to backend API.但是与 Apim 一起,我还想保护我的后端 API 并将相同的令牌传递给后端 API。 so I have some questions here -所以我在这里有一些问题-
- Does APIM forward same bearer token to backend API automatically or do we need to configure any policy for it? APIM 是否会自动将相同的不记名令牌转发到后端 API 还是我们需要为其配置任何策略?
- If it does, how can I check trace logs?如果是这样,我如何检查跟踪日志? Also how can I authorize that same token in backend API code?另外,如何在后端 API 代码中授权相同的令牌?
Here is my "validate-jwt" policy -这是我的“validate-jwt”政策——
<inbound>
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/{AAD Tenant ID}/v2.0/.well-known/openid-configuration" />
<audiences>
<audience>{App Id of backend App}</audience>
</audiences>
</validate-jwt>
<base />
</inbound>
Please help.请帮忙。
1 个解决方案
解决方案1
1 已采纳 2021-03-12 04:18:03
For your first question:对于你的第一个问题:
According to some test in my side, it seems APIM can forward the same bearer token to backend api automatically, without adding any policy.根据我这边的一些测试,似乎APIM可以自动将相同的不记名令牌转发到后端api,而无需添加任何策略。
I created a api in APIM to call microsoft graph api(list users) in backend.我在 APIM 中创建了一个 api 以在后端调用 microsoft graph api(list users)。 Test to run the APIM api, it shows "401 Unauthorized" error.测试运行 APIM api,它显示“401 Unauthorized”错误。 Then I test with provide the bearer token in headers of APIM api as below screenshot:然后我在 APIM api 的标头中提供不记名令牌进行测试,如下图所示:
It runs success and response the user list.它运行成功并响应用户列表。 So the bearer token can be forward to backend api automatically.因此不记名令牌可以自动转发到后端 api。
For your second question:对于你的第二个问题:
If you want to trace logs for the backend api, I think you can just do it in the backend code of your api.如果您想跟踪后端 api 的日志,我认为您可以在 api 的后端代码中执行此操作。
To validate the token in your backend api, you can decode the jwt token in your backend api code and then check the value of claim in token(below I provide a sample to decode jwt token and get the value of iss claim) To validate the token in your backend api, you can decode the jwt token in your backend api code and then check the value of claim in token(below I provide a sample to decode jwt token and get the value of iss claim)
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace ConsoleApp5
{
class Program
{
static void Main(string[] args)
{
var stream = "your access token";
var handler = new JwtSecurityTokenHandler();
var jsonToken = handler.ReadToken(stream);
var tokenS = handler.ReadToken(stream) as JwtSecurityToken;
var iss = tokenS.Claims.First(claim => claim.Type == "iss").Value;
Console.WriteLine(iss);
//Then check if "iss" matches the value you specified.
Console.ReadLine();
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.