如何在 Azure API 管理中使用 validate-jwt 策略验证使用 RS256 算法签名的 JWT
How to validate JWT signed with RS256 Algorithm with validate-jwt policy in Azure API management
我可以通过设置 <issuer-signing-keys> 属性在 Azure API 管理中使用 validate-jwt 策略成功验证使用 HS256 签名的 JWT。但是我如何验证使用 RS256 签名的 JWT?我尝试将 public 密钥或证书放入 <issuer-signing-keys> 但它不起作用。
目前验证 rsa 签名令牌的唯一方法是使用 openid url。
我能够使用以下策略验证此类令牌
<issuer-signing-keys>
<key certificate-id="my-rsa-cert" />
</issuer-signing-keys>
您可以按照以下步骤进行操作:
使用以下命令创建证书
openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=Local" -newkey rsa:2048 -keyout Local.key -out Local.crt
openssl.exe pkcs12 -export -in Local.crt -inkey Local.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out Local.pfx
在 ID 为“my-rsa-cert”的 API 管理中加载证书“Local.pfx”。
使用以下代码从证书生成令牌
/////////////////////////////////////////////
// Token Generation
var CLIENT_ID = "Local";
var ISSUER_GUID = "b0123cec-86bb-4eb2-8704-dcf7cb2cc279";
var filePath = @"..\..\..\Cert\Local.pfx";
var x509Certificate2 = new X509Certificate2(filePath, "<certpwd>");
var signingCredentials = new X509SigningCredentials(x509Certificate2, SecurityAlgorithms.RsaSha256Signature); //, SecurityAlgorithms.Sha256Digest
var tokenHandler = new JwtSecurityTokenHandler();
var originalIssuer = $"{CLIENT_ID}";
var issuer = originalIssuer;
DateTime utcNow = DateTime.UtcNow;
DateTime expired = utcNow + TimeSpan.FromHours(1);
var claims = new List<Claim> {
new Claim("aud", "https://login.microsoftonline.com/{YOUR_TENENT_ID}/oauth2/token", ClaimValueTypes.String, issuer, originalIssuer),
new Claim("exp", "1460534173", ClaimValueTypes.DateTime, issuer, originalIssuer),
new Claim("jti", $"{ISSUER_GUID}", ClaimValueTypes.String, issuer, originalIssuer),
new Claim("nbf", "1460533573", ClaimValueTypes.String, issuer, originalIssuer),
new Claim("sub", $"{CLIENT_ID}", ClaimValueTypes.String, issuer, originalIssuer)
};
ClaimsIdentity subject = new ClaimsIdentity(claims: claims);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = subject,
Issuer = issuer,
Expires = expired,
//TokenIssuerName = "self",
//AppliesToAddress = "https://www.mywebsite.com",
//Lifetime = new Lifetime(now, now.AddMinutes(60)),
SigningCredentials = signingCredentials,
};
JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
jwtToken.Header.Remove("typ");
var token = tokenHandler.WriteToken(jwtToken);
this.Output = jwtToken.ToString();
this.Output += "\r\n" + token.ToString();
JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
jwtToken.Header.Remove("typ");
var token = tokenHandler.WriteToken(jwtToken);
使用生成的 Bearer Tokens
向 API 发送请求
我可以通过设置 <issuer-signing-keys> 属性在 Azure API 管理中使用 validate-jwt 策略成功验证使用 HS256 签名的 JWT。但是我如何验证使用 RS256 签名的 JWT?我尝试将 public 密钥或证书放入 <issuer-signing-keys> 但它不起作用。
目前验证 rsa 签名令牌的唯一方法是使用 openid url。
我能够使用以下策略验证此类令牌
<issuer-signing-keys>
<key certificate-id="my-rsa-cert" />
</issuer-signing-keys>
您可以按照以下步骤进行操作:
使用以下命令创建证书
openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=Local" -newkey rsa:2048 -keyout Local.key -out Local.crt
openssl.exe pkcs12 -export -in Local.crt -inkey Local.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out Local.pfx在 ID 为“my-rsa-cert”的 API 管理中加载证书“Local.pfx”。
使用以下代码从证书生成令牌
///////////////////////////////////////////// // Token Generation var CLIENT_ID = "Local"; var ISSUER_GUID = "b0123cec-86bb-4eb2-8704-dcf7cb2cc279"; var filePath = @"..\..\..\Cert\Local.pfx"; var x509Certificate2 = new X509Certificate2(filePath, "<certpwd>"); var signingCredentials = new X509SigningCredentials(x509Certificate2, SecurityAlgorithms.RsaSha256Signature); //, SecurityAlgorithms.Sha256Digest var tokenHandler = new JwtSecurityTokenHandler(); var originalIssuer = $"{CLIENT_ID}"; var issuer = originalIssuer; DateTime utcNow = DateTime.UtcNow; DateTime expired = utcNow + TimeSpan.FromHours(1); var claims = new List<Claim> { new Claim("aud", "https://login.microsoftonline.com/{YOUR_TENENT_ID}/oauth2/token", ClaimValueTypes.String, issuer, originalIssuer), new Claim("exp", "1460534173", ClaimValueTypes.DateTime, issuer, originalIssuer), new Claim("jti", $"{ISSUER_GUID}", ClaimValueTypes.String, issuer, originalIssuer), new Claim("nbf", "1460533573", ClaimValueTypes.String, issuer, originalIssuer), new Claim("sub", $"{CLIENT_ID}", ClaimValueTypes.String, issuer, originalIssuer) }; ClaimsIdentity subject = new ClaimsIdentity(claims: claims); var tokenDescriptor = new SecurityTokenDescriptor { Subject = subject, Issuer = issuer, Expires = expired, //TokenIssuerName = "self", //AppliesToAddress = "https://www.mywebsite.com", //Lifetime = new Lifetime(now, now.AddMinutes(60)), SigningCredentials = signingCredentials, }; JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken; jwtToken.Header.Remove("typ"); var token = tokenHandler.WriteToken(jwtToken); this.Output = jwtToken.ToString(); this.Output += "\r\n" + token.ToString(); JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken; jwtToken.Header.Remove("typ"); var token = tokenHandler.WriteToken(jwtToken);使用生成的 Bearer Tokens
向 API 发送请求