
Azure API Management policy caching of JWKs for JWT validation

I'm trying to implement caching of the public key provided by the openid-configuration/jwks endpoint of our JWT provider. I want to use the cached value for validation of the signature of incoming requests. We want to have a cache in place in order to lower the number of requests to the jwks endpoint. So we decided to create a custom APIM policy to do that. After a few hours of struggle I found myself clueless. Therefore I would like to ask some questions about APIM XML policies.

  1. How can I read the request JWT's kid or x5t in a policy? According to the APIM policy expressions documentation, calling AsJwt() returns a Jwt object which does not contain a Header property, which should contain the required fields.
    • I tried Id and Claims, with no success in reaching kid or x5t ( <set-variable name="requestKid" value="@(context.Request.Headers.GetValueOrDefault("Authorization","").Split(' ')[1].AsJwt()?.____)"/> )
  2. When retrieving the JWKs from the provider endpoint I'm not able to store various fields of the response into separate context variables; it always fails on the second <set-variable. It seems like ((IResponse)context.Variables["jwksResponse"]) is null when called the second time. Do context variables get destroyed after the first read?
<send-request mode="new" response-variable-name="jwksResponse" timeout="10" ignore-error="true">
  <set-url>https://some.identity.server/.well-known/openid-configuration/jwks</set-url>
  <set-method>GET</set-method>
</send-request>
<!-- Body.As<T>() consumes the response body stream by default, so the second As<JObject>() call
     has nothing left to parse; preserveContent: true keeps the body readable for later reads. -->
<set-variable name="jwksn" value="@((string)((IResponse)context.Variables["jwksResponse"]).Body.As<JObject>(preserveContent: true)["keys"][0]["n"])" />
<set-variable name="jwkse" value="@((string)((IResponse)context.Variables["jwksResponse"]).Body.As<JObject>(preserveContent: true)["keys"][0]["e"])" />
  3. How can I set the key exponent and modulus attributes? When I use the variables from the previous step I get an XML validation error: "ValidationError" - "Error in element 'validate-jwt' on line 8, column 4: value is not a valid base64url string." while it works when hardcoded. (I also tried hacks with Convert.ToBase64String(), with no success; to me it seems like an XML validator issue. Can it be overridden?)
<issuer-signing-keys>
  <key e="@((string)context.Variables["jwkse"])" n="@((string)context.Variables["jwksn"])"/>
</issuer-signing-keys>
  4. Can I use the x5c value retrieved from our JWKs provider as the key value? Like so:
<issuer-signing-keys>
  <key>@((string)context.Variables["jwksx5c"])</key>
</issuer-signing-keys>

After further investigation we found a GitHub thread regarding caching of JWKs when using JWT validation with OpenID. It seems JWKs are cached for 1 hour and also re-cached when validation fails. However, this behavior is not stated in the documentation.
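As an added example that is not part of the original post or of Azure API Management, the following Python models what a JWKS-backed RS256 validator with a cache does, generalising the policy sketched above: it reads kid from the JWT header segment (the part AsJwt() does not expose), decodes the JWK's base64url n and e without padding (the encoding the policy validator complained about), verifies the signature, and refreshes the cached JWKS when the TTL expires or an unknown kid arrives, which is the 1 hour cache plus re-cache-on-failure behaviour the GitHub thread describes. Everything in it is constructed for the demo: the identity server URL, the key id demo-key-1, the claims, and a toy RSA key generator that exists only so the block runs offline and must never be used for real keys.

```python
import base64, hashlib, hmac, json, math, secrets

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sec. 9.2

def b64url_decode(s: str) -> bytes:
    # JWT segments and JWK n/e are base64url *without* padding; a plain base64 decoder rejects them
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def jwt_header(token: str) -> dict:
    # kid / x5t live in the first dot-separated segment, which APIM's AsJwt() does not expose
    return json.loads(b64url_decode(token.split(".")[0]))

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(msg, k))

def _probable_prime(n: int, rounds: int = 16) -> bool:  # Miller-Rabin
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def gen_rsa_key(bits: int = 1024) -> dict:
    # Toy key generation so the demo runs offline with no key files; never use it for real keys
    def prime(b: int) -> int:
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def issue_jwt(claims: dict, key: dict, kid: str) -> str:
    head = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(f"{head}.{body}".encode("ascii"), k), "big")
    return f"{head}.{body}." + b64url_encode(pow(em, key["d"], key["n"]).to_bytes(k, "big"))

class JwksCache:
    """Keeps the JWKS for ttl seconds and re-fetches once on an unknown kid, i.e. the
    1 h cache / re-cache-on-failure behaviour the GitHub thread describes."""
    def __init__(self, fetch, ttl: float = 3600):
        self.fetch, self.ttl, self.keys, self.fetched_at, self.fetch_count = fetch, ttl, {}, None, 0

    def _refresh(self, now: float) -> None:
        doc = self.fetch()  # stands in for the send-request to .../openid-configuration/jwks
        self.keys = {j["kid"]: j for j in doc["keys"] if j.get("kty") == "RSA" and "kid" in j}
        self.fetched_at, self.fetch_count = now, self.fetch_count + 1

    def get(self, kid, now: float) -> dict:
        if self.fetched_at is None or now - self.fetched_at >= self.ttl:
            self._refresh(now)
        if kid not in self.keys:
            self._refresh(now)  # exactly one forced refresh, so a garbage kid cannot hammer the IdP
        if kid not in self.keys:
            raise KeyError(f"no signing key with kid={kid!r}")
        return self.keys[kid]

def verify_jwt(token: str, cache: JwksCache, now: float, issuer: str) -> dict:
    head_b64, body_b64, sig_b64 = token.split(".")
    header = jwt_header(token)
    if header.get("alg") != "RS256":  # pin the algorithm; never honour alg=none or HS256 here
        raise ValueError("unexpected alg")
    jwk = cache.get(header.get("kid"), now)
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{head_b64}.{body_b64}".encode("ascii"), b64url_decode(sig_b64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer or claims.get("exp", 0) <= now:
        raise ValueError("issuer or expiry check failed")
    return claims

def build_demo() -> dict:
    # Constructed sample: the IdP's key, the JWKS it publishes and one token it issued (all fictitious)
    key, kid, iss = gen_rsa_key(), "demo-key-1", "https://some.identity.server"
    k = (key["n"].bit_length() + 7) // 8
    jwk = {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
           "n": b64url_encode(key["n"].to_bytes(k, "big")), "e": b64url_encode(key["e"].to_bytes(3, "big"))}
    token = issue_jwt({"iss": iss, "sub": "alice", "exp": 2_000_000_000}, key, kid)
    return {"key": key, "iss": iss, "jwks": {"keys": [jwk]}, "token": token}
```

JwksCache(lambda: jwks_doc).get(kid, now) is the moving part: a miss on kid triggers exactly one re-fetch, which covers key rotation without letting a request carrying a bogus kid turn every call into a round trip to the identity server. Note also that a JWK's n and e are already base64url text, which differs from Convert.ToBase64String() output (that uses + and / and pads with =), so they should be passed through unchanged rather than re-encoded.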

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM