无效的承载访问令牌
Invalid Bearer Access Token
我们正在使用 hapi-auth-jwt2
和 jwks-rsa
来解码和验证 azureAD 访问令牌。
这是我们的 jwt 策略,它在每条路线上都处于活动状态。
'use strict'
const jwt = require('hapi-auth-jwt2')
const jwksRsa = require('jwks-rsa')
const userCtrl = require('./../controllers/UserController')
const authHandler = require('./auth.factory').GetAuthHandler()
// TODO: Replace with current JSON web token formatting and active directory
module.exports = {
name: 'JWT Authentication',
register: async (server, options) => {
await server.register(jwt)
// Confirm that we are getting the correct PK
// const pk = await authHandler.GetPK()
const key = jwksRsa.hapiJwt2KeyAsync({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
// jwksUri: 'https://YOUR_DOMAIN/.well-known/jwks.json'
jwksUri: 'https://login.microsoftonline.com/common/discovery/keys'
// https://login.microsoftonline.com/common/discovery/keys
// https://login.microsoftonline.com/common/.well-known/openid-configuration
})
server.auth.strategy('jwt', 'jwt', {
// Get the complete decoded token, because we need info from the header (the kid)
complete: true,
// Dynamically provide a signing key based on the kid in the header and the singing keys provided by the JWKS endpoint.
key: key,
// key: pk,
headerKey: 'authorization',
tokenType: 'Bearer',
validate: userCtrl.validate,
verifyOptions: {
algorithms: ['RS256'] // or HS256 RS256
}
})
server.auth.default('jwt')
console.log(key)
}
}
然后我们将 Authorization
header(即 'Bearer ' + accessToken
)附加到 http
并从 locahost
发出请求,即当前 client/front-end 到/sso
路由,服务器返回以下 request/response
[1569928136140] INFO (11252 on PORT230): request completed
req: {
"id": "1569928136137:PORT230:11264:k17qg99b:10001",
"method": "get",
"url": "https://port230.5874.com/api/v2/user/sso",
"headers": {
"host": "port230.5874.com",
"connection": "keep-alive",
"accept": "application/json, text/plain, */*",
"origin": "http://localhost:8080",
"authorization": "Bearer ...",
"user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
"sec-fetch-mode": "cors",
"sec-fetch-site": "cross-site",
"referer": "http://localhost:8080/",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9"
}
}
res: {
"statusCode": 401,
"headers": {
"www-authenticate": "Bearer error=\"Invalid token\"",
"content-type": "application/json; charset=utf-8",
"vary": "origin",
"access-control-allow-origin": "http://localhost:8080",
"access-control-expose-headers": "WWW-Authenticate,Server-Authorization",
"strict-transport-security": "max-age=15768000",
"x-frame-options": "DENY",
"x-xss-protection": "1; mode=block",
"x-download-options": "noopen",
"x-content-type-options": "nosniff",
"cache-control": "no-cache",
"content-length": 106
}
}
responseTime: 3
响应包括 "www-authenticate": "Bearer error=\"Invalid token\""
。我们一直在努力理解为什么会出现 Invalid Token
错误,但没有取得多大成功。
有人知道什么时候会抛出这个错误,为什么会抛出这个错误,以及如何克服它?
问题是我们没有在 https://portal.azure.com 上正确定义 API 的范围。修复后,我们使用新创建的范围创建了 API 权限,因此访问令牌已成功解码
我们正在使用 hapi-auth-jwt2
和 jwks-rsa
来解码和验证 azureAD 访问令牌。
这是我们的 jwt 策略,它在每条路线上都处于活动状态。
'use strict'
const jwt = require('hapi-auth-jwt2')
const jwksRsa = require('jwks-rsa')
const userCtrl = require('./../controllers/UserController')
const authHandler = require('./auth.factory').GetAuthHandler()
// TODO: Replace with current JSON web token formatting and active directory
module.exports = {
name: 'JWT Authentication',
register: async (server, options) => {
await server.register(jwt)
// Confirm that we are getting the correct PK
// const pk = await authHandler.GetPK()
const key = jwksRsa.hapiJwt2KeyAsync({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
// jwksUri: 'https://YOUR_DOMAIN/.well-known/jwks.json'
jwksUri: 'https://login.microsoftonline.com/common/discovery/keys'
// https://login.microsoftonline.com/common/discovery/keys
// https://login.microsoftonline.com/common/.well-known/openid-configuration
})
server.auth.strategy('jwt', 'jwt', {
// Get the complete decoded token, because we need info from the header (the kid)
complete: true,
// Dynamically provide a signing key based on the kid in the header and the singing keys provided by the JWKS endpoint.
key: key,
// key: pk,
headerKey: 'authorization',
tokenType: 'Bearer',
validate: userCtrl.validate,
verifyOptions: {
algorithms: ['RS256'] // or HS256 RS256
}
})
server.auth.default('jwt')
console.log(key)
}
}
然后我们将 Authorization
header(即 'Bearer ' + accessToken
)附加到 http
并从 locahost
发出请求,即当前 client/front-end 到/sso
路由,服务器返回以下 request/response
[1569928136140] INFO (11252 on PORT230): request completed
req: {
"id": "1569928136137:PORT230:11264:k17qg99b:10001",
"method": "get",
"url": "https://port230.5874.com/api/v2/user/sso",
"headers": {
"host": "port230.5874.com",
"connection": "keep-alive",
"accept": "application/json, text/plain, */*",
"origin": "http://localhost:8080",
"authorization": "Bearer ...",
"user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
"sec-fetch-mode": "cors",
"sec-fetch-site": "cross-site",
"referer": "http://localhost:8080/",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9"
}
}
res: {
"statusCode": 401,
"headers": {
"www-authenticate": "Bearer error=\"Invalid token\"",
"content-type": "application/json; charset=utf-8",
"vary": "origin",
"access-control-allow-origin": "http://localhost:8080",
"access-control-expose-headers": "WWW-Authenticate,Server-Authorization",
"strict-transport-security": "max-age=15768000",
"x-frame-options": "DENY",
"x-xss-protection": "1; mode=block",
"x-download-options": "noopen",
"x-content-type-options": "nosniff",
"cache-control": "no-cache",
"content-length": 106
}
}
responseTime: 3
响应包括 "www-authenticate": "Bearer error=\"Invalid token\""
。我们一直在努力理解为什么会出现 Invalid Token
错误,但没有取得多大成功。
有人知道什么时候会抛出这个错误,为什么会抛出这个错误,以及如何克服它?
问题是我们没有在 https://portal.azure.com 上正确定义 API 的范围。修复后,我们使用新创建的范围创建了 API 权限,因此访问令牌已成功解码