I have configured a policy in Azure API Management that includes a JWT token check. The policy is as follows:
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                      require-expiration-time="false" require-scheme="Bearer" require-signed-tokens="true">
            <issuer-signing-keys>
                <key>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmwIDAQAB</key>
            </issuer-signing-keys>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
The test request I send contains an Authorization header with the value Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ
When I paste this key (wrapped in -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----) together with the token into jwt.io, it reports that the signature is verified.
However, in API Management, when I send a test request with tracing enabled, I get the following error, which I don't understand:
validate-jwt (-1.088 ms)
{
"message": "JWT Validation Failed: IDX10503: Signature validation failed.
Token does not have a kid. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,
KeyId: '', InternalId: 'D3UHVKlh_cCYIRkkI3Amxvzr2mtlzxMVD-ZG6JwNQqs'. ,
KeyId: \r\n'. Number of keys in TokenValidationParameters: '1'. \n
Number of keys in Configuration: '0'. \nExceptions caught:
\n 'System.NotSupportedException: IDX10634: Unable to create the
SignatureProvider.\nAlgorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,
KeyId: '', InternalId: 'D3UHVKlh_cCYIRkkI3Amxvzr2mtlzxMVD-ZG6JwNQqs'.'\n is not supported.
The list of supported algorithms is available here:
https://aka.ms/IdentityModel/supported-algorithms\r\n
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider
(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)\r\n
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying
(SecurityKey key, String algorithm, Boolean cacheProvider)\r\n
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature
(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm,
SecurityToken securityToken, TokenValidationParameters validationParameters)\r\n
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature
(String token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters,
BaseConfiguration configuration)\r\n'.\ntoken: 'hidden'.."
}
I'm really confused by the *System.NotSupportedException* part. The MS docs clearly state that RS256 is supported. I'm also confused about why it mentions a symmetric security key.
Can someone tell me what this error is actually saying? What am I doing wrong here?
1 answer
The token is signed with RS256. The key can be provided either via an OpenID configuration endpoint, or by providing the ID of an uploaded certificate (in PFX format) containing the public key, or as the modulus/exponent pair of the public key. See www.example.com and this www.example.com
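An added example (not part of the question or the answer above, and not Microsoft's or API Management's own code) in pure Python with only the standard library, using the public key and token from the question. It decodes the unverified JWT header to show `alg` is RS256 and that there is no `kid` (what the trace complains about), extracts the RSA modulus and exponent from the SubjectPublicKeyInfo that the bare `<key>` element holds (the pair the answer says the policy can take instead), and verifies the RS256 signature itself, which is what the policy could not do once it had wrapped that base64 text as a symmetric key. Assumptions: the `n`/`e` attribute values are shown in JWK-style base64url encoding, and `diagnose`, `tamper_payload` and `policy_key_attributes` are names chosen here.

```python
import base64
import hashlib
import hmac
import json

# Constructed from the question: the <key> text (a base64 SubjectPublicKeyInfo) and
# the Bearer token, split across lines only for readability.
SPKI_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo"
    "4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u"
    "+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh"
    "kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ"
    "0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg"
    "cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc"
    "mwIDAQAB"
)
SPKI_DER = base64.b64decode(SPKI_B64)
TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0"
    ".NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGt"
    "eragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9Rd"
    "UPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvb"
    "zIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ"
)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> dict:
    """Unverified header: says which key type the token demands (alg) and, if present, which key (kid)."""
    return json.loads(b64url_decode(token.split(".")[0]))


def _der_tlv(buf: bytes, pos: int):
    """Minimal DER reader returning (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n_len = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    return tag, buf[pos:pos + length], pos + length


def rsa_public_numbers(spki_der: bytes):
    """(n, e) from SubjectPublicKeyInfo: SEQ { AlgorithmIdentifier, BIT STRING { SEQ { INT n, INT e } } }."""
    _, spki, _ = _der_tlv(spki_der, 0)
    _, _alg, pos = _der_tlv(spki, 0)
    _, bits, _ = _der_tlv(spki, pos)
    _, rsa_pub, _ = _der_tlv(bits[1:], 0)  # bits[0] is the unused-bits count of the BIT STRING
    _, n_bytes, pos = _der_tlv(rsa_pub, 0)
    _, e_bytes, _ = _der_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def verify_rs256(token: str, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256 over 'header.payload', checked against the signature part."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(sig_b64), "big")
    if sig >= n:
        return False
    em = pow(sig, e, n).to_bytes(k, "big")
    t = _SHA256_DIGESTINFO + hashlib.sha256(f"{header_b64}.{payload_b64}".encode("ascii")).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)


def policy_key_attributes(spki_der: bytes) -> dict:
    """Modulus/exponent pair for the <key n="..." e="..."/> form. Assumption: JWK-style base64url."""
    n, e = rsa_public_numbers(spki_der)
    to_bytes = lambda i: i.to_bytes((i.bit_length() + 7) // 8, "big")
    return {"n": b64url_encode(to_bytes(n)), "e": b64url_encode(to_bytes(e))}


def tamper_payload(token: str) -> str:
    """Flip the last payload character: the kind of change a verifier must reject."""
    h, p, s = token.split(".")
    return f"{h}.{p[:-1]}{'A' if p[-1] != 'A' else 'B'}.{s}"


def diagnose(token: str, spki_der: bytes) -> dict:
    """Mirror the failing policy: the header's alg/kid, whether a symmetric (HMAC) key could ever
    verify this alg, and whether the RSA public numbers from the <key> text actually do."""
    hdr = jwt_header(token)
    n, e = rsa_public_numbers(spki_der)
    return {
        "alg": hdr.get("alg"),
        "has_kid": "kid" in hdr,
        "symmetric_key_usable": str(hdr.get("alg", "")).startswith("HS"),
        "rsa_signature_valid": verify_rs256(token, n, e),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(TOKEN, SPKI_DER), indent=2))
    print(policy_key_attributes(SPKI_DER))
```

`diagnose` reports `alg` RS256, no `kid`, a symmetric key unusable for that algorithm, and a valid RSA signature: the same facts the trace states, in order. The policy engine wrapped the `<key>` text as a SymmetricSecurityKey (an HMAC secret), and an HMAC key cannot create an RS256 SignatureProvider, which is the IDX10634 in the trace; jwt.io succeeded because it parsed the same text as an RSA public key, as `rsa_public_numbers` does here. `policy_key_attributes` yields the modulus/exponent pair the answer refers to; whether the `n`/`e` attributes expect base64url or plain base64 is an assumption to confirm against the policy reference.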