问题描述
我的使用api管理服务作为Azure APIM的项目。我正在尝试使用APIM产品政策来验证声明。如果声明无效,则返回错误,否则允许访问端点。以下是我的政策
<policies> <inbound> <validate-jwt header-name="Authorization" Failed-validation-httpcode="401" Failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
------------
------------
</validate-jwt>
<choose>
<when condition="@(context.Request.Method != "POST" && ((Jwt)context.Request.Headers["Authorization"].Claims["role"]!= "Owner") && (string)context.Api.Path =="/api/user">
<return-response>
<set-status code="403" reason="Forbidden" />
</return-response>
</when> </choose>
<base />
</inbound> <backend> <base /> </backend> <outbound> <base /> </outbound> <on-error> <base /> </policies>
但是,即使角色不是所有者,用户也可以访问/ api / user路径 如何正确验证?
JWT calims are
"userrole": "[Owner,Admin]","email": "test@gmail.com"
解决方法
此示例显示了如何使用Validate JWT策略授权基于令牌声明值的操作 。
<validate-jwt header-name="Authorization" require-scheme="Bearer" output-token-variable-name="jwt">
<issuer-signing-keys>
<key>{{jwt-signing-key}}</key> <!-- signing key is stored in a named value -->
</issuer-signing-keys>
<audiences>
<audience>@(context.Request.OriginalUrl.Host)</audience>
</audiences>
<issuers>
<issuer>contoso.com</issuer>
</issuers>
<required-claims>
<claim name="userrole" match="any">
<value>Owner</value>
<value>Admin</value>
</claim>
</required-claims>
</validate-jwt>
<choose>
<when condition="@(context.Request.Method == "POST" && !((Jwt)context.Variables["jwt"]).Claims["group"].Contains("Owner"))">
<return-response>
<set-status code="403" reason="Forbidden" />
</return-response>
</when>
</choose>
有关更多详细信息,您可以参考此article。