[英]Authorization in Azure API management through JWT token
我寫了一個入站策略,該策略啟用CORS並針對授權服務器驗證訪問令牌。 以下政策運作良好:
<policies>
<inbound>
<!-- Extract Token from Authorization header parameter -->
<set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
<!-- Send request to Token Server to validate token (see RFC 7662) -->
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
</send-request>
<cors>
<allowed-origins>
<origin>*</origin>
</allowed-origins>
<allowed-methods>
<method>*</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
<choose>
<when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
<!-- Return 401 Unauthorized with http-problem payload -->
<return-response response-variable-name="existing response variable">
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error="invalid_token"</value>
</set-header>
</return-response>
</when>
</choose>
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
<set-header name="Access-Control-Allow-Origin" exists-action="override">
<value>*</value>
</set-header>
</outbound>
<on-error>
<base />
</on-error>
</policies>
現在,我添加了一個條件,該條件授權用戶僅在屬於某個組時才可以使用PUT,POST或DELETE方法:
<when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
<validate-jwt header-name="Authorization">
<required-claims>
<claim name="groups">
<value>UOM WriteAdmin</value>
</claim>
</required-claims>
</validate-jwt>
</when>
但是在保存政策時出現以下錯誤:
One or more fields contain incorrect values:
Error in element 'choose' on line 28, column 10: Syntax error, ',' expected
我不知道怎么了。 這是合並授權邏輯之后的最終策略:
<policies>
<inbound>
<!-- Extract Token from Authorization header parameter -->
<set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
<!-- Send request to Token Server to validate token (see RFC 7662) -->
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
</send-request>
<cors>
<allowed-origins>
<origin>*</origin>
</allowed-origins>
<allowed-methods>
<method>*</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
<choose>
<when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
<!-- Return 401 Unauthorized with http-problem payload -->
<return-response response-variable-name="existing response variable">
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error="invalid_token"</value>
</set-header>
</return-response>
</when>
<when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
<validate-jwt header-name="Authorization">
<required-claims>
<claim name="groups">
<value>UOM WriteAdmin</value>
</claim>
</required-claims>
</validate-jwt>
</when>
</choose>
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
<set-header name="Access-Control-Allow-Origin" exists-action="override">
<value>*</value>
</set-header>
</outbound>
<on-error>
<base />
</on-error>
</policies>
嘗試這個:
<when condition="@(new [] {"post", "put", "delete"}.Contains(context.Request.Method, StringComparer.OrdinalIgnoreCase))">
您似乎在那里有一些額外的符號。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.