[英]Azure APIM JWT token validation fails with unclear error
我在 Azure Api 管理中配置了一個策略,其中包括一個 jwt 令牌檢查。 政策如下:
<policies>
<inbound>
<base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401"
require-expiration-time="false" require-scheme="Bearer" require-signed-tokens="true">
<issuer-signing-keys>
<key>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmwIDAQAB</key>
</issuer-signing-keys>
</validate-jwt>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
The test request I send contains the Authorization Header with value Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ
當我使用 -----BEGIN PUBLIC KEY----- 和 -----END PUBLIC KEY----- 以及jwt.io中的令牌輸入此密鑰時,它顯示簽名已驗證。
但是,在 API 管理中,當我發送啟用跟蹤的測試請求時,出現以下我不理解的錯誤:
validate-jwt (-1.088 ms)
{
"message": "JWT Validation Failed: IDX10503: Signature validation failed.
Token does not have a kid. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,
KeyId: '', InternalId: 'D3UHVKlh_cCYIRkkI3Amxvzr2mtlzxMVD-ZG6JwNQqs'. ,
KeyId: \r\n'. Number of keys in TokenValidationParameters: '1'. \n
Number of keys in Configuration: '0'. \nExceptions caught:
\n 'System.NotSupportedException: IDX10634: Unable to create the
SignatureProvider.\nAlgorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,
KeyId: '', InternalId: 'D3UHVKlh_cCYIRkkI3Amxvzr2mtlzxMVD-ZG6JwNQqs'.'\n is not supported.
The list of supported algorithms is available here:
https://aka.ms/IdentityModel/supported-algorithms\r\n
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider
(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)\r\n
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying
(SecurityKey key, String algorithm, Boolean cacheProvider)\r\n
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature
(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm,
SecurityToken securityToken, TokenValidationParameters validationParameters)\r\n
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature
(String token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters,
BaseConfiguration configuration)\r\n'.\ntoken: 'hidden'.."
}
我對System.NotSupportedException部分感到非常困惑。 根據 MS-Docs 明確支持 RS256。 我也很困惑為什么它提到了對稱安全密鑰。
有人能告訴我這個錯誤到底在說什么以及我在這里做錯了什么嗎?
令牌使用 rs256 簽名,密鑰可以通過 OpenID 配置端點提供,或者通過提供包含公鑰或公鑰模數指數對的上傳證書的 ID(PFX 格式)提供。 請參閱此https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy#token-validation-with-rsa-certificate和此https://learn.microsoft.com/en -us/azure/api-management/validate-jwt-policy#usage-notes
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.