Using Azure API Management to restrict the API call based on a JWT token claim
My project uses the API Management service, Azure APIM. I am trying to validate claims using an APIM product policy. If the claim is invalid, return an error; otherwise allow access to the endpoint. The following is my policy:
<policies>
    <inbound>
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            ------------
            ------------
        </validate-jwt>
        <choose>
            <when condition="@(context.Request.Method != "POST" && ((Jwt)context.Request.Headers["Authorization"].Claims["role"] != "Owner") && (string)context.Api.Path == "/api/user")">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                </return-response>
            </when>
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
But even when the role is not Owner, the user can still access the /api/user path.
How do I validate this correctly?
The JWT claims are:
"userrole": "[Owner,Admin]",
"email": "test@gmail.com"
This example shows how to use the validate-jwt policy to authorize access to operations based on token claim values.
<validate-jwt header-name="Authorization" require-scheme="Bearer" output-token-variable-name="jwt">
    <issuer-signing-keys>
        <key>{{jwt-signing-key}}</key> <!-- signing key is stored in a named value -->
    </issuer-signing-keys>
    <audiences>
        <audience>@(context.Request.OriginalUrl.Host)</audience>
    </audiences>
    <issuers>
        <issuer>contoso.com</issuer>
    </issuers>
    <required-claims>
        <!-- the token must carry at least one of these values in the userrole claim -->
        <claim name="userrole" match="any">
            <value>Owner</value>
            <value>Admin</value>
        </claim>
    </required-claims>
</validate-jwt>
<choose>
    <!-- the parsed token is read from the variable set above; only Owner may POST -->
    <when condition="@(context.Request.Method == "POST" && !((Jwt)context.Variables["jwt"]).Claims["userrole"].Contains("Owner"))">
        <return-response>
            <set-status code="403" reason="Forbidden" />
        </return-response>
    </when>
</choose>
For more details, you can refer to this article.
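As an added example (neither the asker's policy nor the answerer's), here is a complete policy that applies the answer's pattern to the asker's claim name and path: the parsed token is read from the output-token-variable-name variable rather than cast from the raw header, the check uses the userrole claim, and the path test reads context.Request.OriginalUrl.Path because context.Api.Path holds only the API's URL suffix. It assumes userrole is a multi-valued (array) claim, that the signing key lives in a named value called jwt-signing-key, and that every method on /api/user is reserved for Owner.

```xml
<policies>
    <inbound>
        <base />
        <!-- Validate signature, audience, issuer and the userrole claim; keep the parsed token in a variable -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      output-token-variable-name="jwt"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <issuer-signing-keys>
                <key>{{jwt-signing-key}}</key>   <!-- assumed named value, as in the answer -->
            </issuer-signing-keys>
            <audiences>
                <audience>@(context.Request.OriginalUrl.Host)</audience>
            </audiences>
            <issuers>
                <issuer>contoso.com</issuer>
            </issuers>
            <required-claims>
                <!-- tokens with neither value are rejected here with 401, so Claims["userrole"] exists below -->
                <claim name="userrole" match="any">
                    <value>Owner</value>
                    <value>Admin</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Path-level authorization: /api/user is reserved for Owner, whatever the method.
             EndsWith tolerates a service-level prefix; it can only deny more, never less. -->
        <choose>
            <when condition="@(context.Request.OriginalUrl.Path.EndsWith("/api/user") && !((Jwt)context.Variables["jwt"]).Claims["userrole"].Contains("Owner"))">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

If the token instead carries userrole as the single string "[Owner,Admin]" shown in the question, neither the required-claims block nor Contains("Owner") will match it; the issuer should emit the claim as an array, or the expression must split that string first.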