Azure APIM JWT 令牌驗證失敗，錯誤不明

Question

我在 Azure Api 管理中配置了一個策略，其中包括一個 jwt 令牌檢查。 政策如下：

<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                   require-expiration-time="false" require-scheme="Bearer" require-signed-tokens="true">
            <issuer-signing-keys>
                <key>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmwIDAQAB</key>
            </issuer-signing-keys>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

The test request I send contains the Authorization Header with value Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ

當我使用 -----BEGIN PUBLIC KEY----- 和 -----END PUBLIC KEY----- 以及jwt.io中的令牌輸入此密鑰時，它顯示簽名已驗證。

但是，在 API 管理中，當我發送啟用跟蹤的測試請求時，出現以下我不理解的錯誤：

validate-jwt (-1.088 ms)
{
 "message": "JWT Validation Failed: IDX10503: Signature validation failed.
 Token does not have a kid. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,
 KeyId: '', InternalId: 'D3UHVKlh_cCYIRkkI3Amxvzr2mtlzxMVD-ZG6JwNQqs'. ,
 KeyId: \r\n'. Number of keys in TokenValidationParameters: '1'. \n
 Number of keys in Configuration: '0'. \nExceptions caught:
 \n 'System.NotSupportedException: IDX10634: Unable to create the 
 SignatureProvider.\nAlgorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,
 KeyId: '', InternalId: 'D3UHVKlh_cCYIRkkI3Amxvzr2mtlzxMVD-ZG6JwNQqs'.'\n is not supported. 
 The list of supported algorithms is available here: 
 https://aka.ms/IdentityModel/supported-algorithms\r\n   
 at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider
 (SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)\r\n
 at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying
 (SecurityKey key, String algorithm, Boolean cacheProvider)\r\n   
 at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature
 (Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm,
 SecurityToken securityToken, TokenValidationParameters validationParameters)\r\n
 at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature
 (String token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, 
 BaseConfiguration configuration)\r\n'.\ntoken: 'hidden'.."
}

我對System.NotSupportedException部分感到非常困惑。 根據 MS-Docs 明確支持 RS256。 我也很困惑為什么它提到了對稱安全密鑰。

有人能告訴我這個錯誤到底在說什么以及我在這里做錯了什么嗎？

Answer 1

令牌使用 rs256 簽名，密鑰可以通過 OpenID 配置端點提供，或者通過提供包含公鑰或公鑰模數指數對的上傳證書的 ID（PFX 格式）提供。 請參閱此https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy#token-validation-with-rsa-certificate和此https://learn.microsoft.com/en -us/azure/api-management/validate-jwt-policy#usage-notes