![](/img/trans.png)
[英]How to ignore a specific URL in Azure API Manager validate-jwt policy
[英]How to validate JWT signed with RS256 Algorithm with validate-jwt policy in Azure API management
我可以通過設置<issuer-signing-keys>
屬性,在 Azure API 管理中使用validate-jwt
策略成功驗證使用 HS256 簽名的 JWT。 但是如何驗證使用 RS256 簽名的 JWT? 我嘗試將公鑰或證書放在<issuer-signing-keys>
但它不起作用。
目前,驗證 rsa 簽名令牌的唯一方法是使用 openid url。
我能夠使用以下策略驗證這樣的令牌
<issuer-signing-keys>
<key certificate-id="my-rsa-cert" />
</issuer-signing-keys>
您可以通過以下步驟做到這一點:
使用以下命令創建證書
openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=Local" -newkey rsa:2048 -keyout Local.key -out Local.crt
openssl.exe pkcs12 -export -in Local.crt -inkey Local.key -CSP“Microsoft Enhanced RSA and AES Cryptographic Provider”-out Local.pfx
在 API 管理中加載證書“ Local.pfx ”,ID 為“my-rsa-cert”。
使用以下代碼從證書生成令牌
///////////////////////////////////////////// // Token Generation var CLIENT_ID = "Local"; var ISSUER_GUID = "b0123cec-86bb-4eb2-8704-dcf7cb2cc279"; var filePath = @"..\\..\\..\\Cert\\Local.pfx"; var x509Certificate2 = new X509Certificate2(filePath, "<certpwd>"); var signingCredentials = new X509SigningCredentials(x509Certificate2, SecurityAlgorithms.RsaSha256Signature); //, SecurityAlgorithms.Sha256Digest var tokenHandler = new JwtSecurityTokenHandler(); var originalIssuer = $"{CLIENT_ID}"; var issuer = originalIssuer; DateTime utcNow = DateTime.UtcNow; DateTime expired = utcNow + TimeSpan.FromHours(1); var claims = new List<Claim> { new Claim("aud", "https://login.microsoftonline.com/{YOUR_TENENT_ID}/oauth2/token", ClaimValueTypes.String, issuer, originalIssuer), new Claim("exp", "1460534173", ClaimValueTypes.DateTime, issuer, originalIssuer), new Claim("jti", $"{ISSUER_GUID}", ClaimValueTypes.String, issuer, originalIssuer), new Claim("nbf", "1460533573", ClaimValueTypes.String, issuer, originalIssuer), new Claim("sub", $"{CLIENT_ID}", ClaimValueTypes.String, issuer, originalIssuer) }; ClaimsIdentity subject = new ClaimsIdentity(claims: claims); var tokenDescriptor = new SecurityTokenDescriptor { Subject = subject, Issuer = issuer, Expires = expired, //TokenIssuerName = "self", //AppliesToAddress = "https://www.mywebsite.com", //Lifetime = new Lifetime(now, now.AddMinutes(60)), SigningCredentials = signingCredentials, }; JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken; jwtToken.Header.Remove("typ"); var token = tokenHandler.WriteToken(jwtToken); this.Output = jwtToken.ToString(); this.Output += "\\r\\n" + token.ToString(); JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken; jwtToken.Header.Remove("typ"); var token = tokenHandler.WriteToken(jwtToken);
使用生成的承載令牌向 API 發送請求
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.