通過JWT令牌進行Azure API管理中的授權

Question

我寫了一個入站策略，該策略啟用CORS並針對授權服務器驗證訪問令牌。 以下政策運作良好：

<policies>
    <inbound>
        <!-- Extract Token from Authorization header parameter -->
        <set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
        <!-- Send request to Token Server to validate token (see RFC 7662) -->
        <send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
            <set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
            <set-method>POST</set-method>
            <set-header name="Content-Type" exists-action="override">
                <value>application/x-www-form-urlencoded</value>
            </set-header>
            <set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
        </send-request>
        <cors>
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods>
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <choose>
            <when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
                <!-- Return 401 Unauthorized with http-problem payload -->
                <return-response response-variable-name="existing response variable">
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Bearer error="invalid_token"</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <set-header name="Access-Control-Allow-Origin" exists-action="override">
            <value>*</value>
        </set-header>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

現在，我添加了一個條件，該條件授權用戶僅在屬於某個組時才可以使用PUT，POST或DELETE方法：

    <when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
        <validate-jwt header-name="Authorization">
            <required-claims>
                <claim name="groups">
                    <value>UOM WriteAdmin</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </when>

但是在保存政策時出現以下錯誤：

One or more fields contain incorrect values:
Error in element 'choose' on line 28, column 10: Syntax error, ',' expected

我不知道怎么了。 這是合並授權邏輯之后的最終策略：

<policies>
    <inbound>
        <!-- Extract Token from Authorization header parameter -->
        <set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
        <!-- Send request to Token Server to validate token (see RFC 7662) -->
        <send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
            <set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
            <set-method>POST</set-method>
            <set-header name="Content-Type" exists-action="override">
                <value>application/x-www-form-urlencoded</value>
            </set-header>
            <set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
        </send-request>
        <cors>
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods>
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <choose>
            <when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
                <!-- Return 401 Unauthorized with http-problem payload -->
                <return-response response-variable-name="existing response variable">
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Bearer error="invalid_token"</value>
                    </set-header>
                </return-response>
            </when>
            <when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
                <validate-jwt header-name="Authorization">
                    <required-claims>
                        <claim name="groups">
                            <value>UOM WriteAdmin</value>
                        </claim>
                    </required-claims>
                </validate-jwt>
            </when>            
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <set-header name="Access-Control-Allow-Origin" exists-action="override">
            <value>*</value>
        </set-header>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

Answer 1

嘗試這個：

<when condition="@(new [] {"post", "put", "delete"}.Contains(context.Request.Method, StringComparer.OrdinalIgnoreCase))">

您似乎在那里有一些額外的符號。

通過JWT令牌進行Azure API管理中的授權

問題描述

1 個解決方案

解決方案1
1 已采納 2019-02-22 18:35:39

通過JWT令牌進行Azure API管理中的授權

問題描述

1 個解決方案

解決方案1 1 已采納 2019-02-22 18:35:39

解決方案1
1 已采納 2019-02-22 18:35:39