【Question title】: AZURE API management JWT-token validation (IDX10511: Signature validation failed)
【Posted】: 2021-09-10 16:52:25
【Question description】:

I created my own identity server, which issues/makes tokens based on a username and a code. It works locally between app service and app service, but when I try to validate the token on AZURE API Management it fails. I think the error is in the openid-config, but I can't see where the problem is.

But I get this error:

IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew', InternalId: 'b7aZZOAAhueurq_c62cqJcTBXL69skl6hu1a1oHLu1w'. , KeyId: AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew
'. 
kid: 'AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew'. 
Exceptions caught:
 ''.
token: '{"alg":"RS256","kid":"AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew","typ":"JWT"}.{"nbf":1624878880,"exp":1627470880,"iss":"https://login.zenbi.dk","aud":"You"}'.

Token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkFhbnJEMVdjUGtxTXBLM3AyUzBKUTdpeHFXa1lCQUw4aFJuVTZEY2lpZXciLCJ0eXAiOiJKV1QifQ.eyJuYmYiOjE2MjQ4Nzg4ODAsImV4cCI6MTYyNzQ3MDg4MCwiaXNzIjoiaHR0cHM6Ly9sb2dpbi56ZW5iaS5kayIsImF1ZCI6IllvdSJ9.Lm32InrGT5DfphZalI9oQPzm-jcNDsOTGGkhE0dpdhdL7xpcVuZ4go6-i1dDx_cri7Neh4cow9vv3JR_Q75qhmVEr9TVrbAXP1Spkz0uvJPa9pLsQIZxH6B5D1ICnC0ROjgr5PQFXbMJXAYPludai5GpJWtX7ufUvFjauW2p2l1ssuK1iB27YeuYw7IDpMbgQvzlgVvqD8E4dzFoWdq-kLF8ZP-A3qnAtEchXu5JVJg4d7o3gI--cqJ7RaF6ehzVvFHvgADw54j4Gniif-mjnLDCZU0CYDMfRGmt5kURSJSvJUXZtaJgKYa9eQ0jSib6At4LZUVGYlHxx_I5jtjd3w

<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="@((string)context.LastError.Message)" require-scheme="Bearer" require-signed-tokens="true">
            <openid-config url="https://zenbicertificates.blob.core.windows.net/jwt/openid-configuration.json" />
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
</policies>

【Question discussion】:

    Tags: jwt openid-connect azure-api-management


    【Solution 1】:

    How about writing the validation logic yourself?

    <set-variable name="pass" value="@{
        bool isAud = false;
        bool isIss = false;
        string pass = "false";
        // Read the raw Authorization header and expect "Bearer <token>".
        string authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
        if (authHeader?.Length > 0)
        {
            string[] authHeaderParts = authHeader.Split(' ');
            if (authHeaderParts?.Length == 2 && authHeaderParts[0].Equals("Bearer", StringComparison.InvariantCultureIgnoreCase))
            {
                Jwt jwt;
                // TryParseJwt only decodes the token's claims; it does not check the signature.
                if (authHeaderParts[1].TryParseJwt(out jwt))
                {
                    string tempScp = jwt.Claims.GetValueOrDefault("scp", "null");
                    if (tempScp != "null") {
                        isAud = tempScp.Contains("YOU");
                    }

                    string tempIss = jwt.Claims.GetValueOrDefault("iss", "null");
                    if (tempIss != "null") {
                        isIss = tempIss.Contains("xxx");
                    }
                }
            }
        }
        if (isAud || isIss) {
            pass = "true";
        }
        return pass;
    }" />
    <choose>
        <when condition="@(context.Variables.GetValueOrDefault<string>("pass") == "false")">
            <return-response response-variable-name="existing response variable">
                <set-status code="401" reason="Unauthorized hhh" />
            </return-response>
        </when>
        <otherwise />
    </choose>
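    Added example (not code from the question, the answer or APIM): a stdlib-only Python model of what validate-jwt does before reporting IDX10511, namely pick the JWKS entry whose kid matches the token header and verify the RS256 signature against that entry's n and e, with a second call that publishes a different key under the same kid to reproduce the question's failure mode (a key with the matching kid was tried, yet the signature did not verify). Assumptions: the RSA keys are constructed toy keys from Mersenne primes (trivially factorable, illustration only), and the kid, iss and aud values are those from the question; the answer's TryParseJwt only decodes claims and does no signature check, which is the part modelled here.

```python
import base64, hashlib, json
# DER DigestInfo prefix for SHA-256 (EMSA-PKCS1-v1_5, RFC 8017 section 9.2).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# Constructed toy RSA keys built from Mersenne primes: trivially factorable, demo only.
_P, _Q, _R, E = 2**521 - 1, 2**607 - 1, 2**1279 - 1, 65537
KEY_A = (_P * _Q, E, pow(E, -1, (_P - 1) * (_Q - 1)))  # the identity server's signing key
KEY_B = (_Q * _R, E, pow(E, -1, (_Q - 1) * (_R - 1)))  # a different key published under the same kid
def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _nbytes(n: int) -> int:
    return (n.bit_length() + 7) // 8

def _emsa(msg: bytes, k: int) -> int:
    # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as a k-byte integer: 00 01 FF..FF 00 DigestInfo
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_jwt(claims: dict, kid: str, key: tuple) -> str:
    n, _, d = key
    parts = [json.dumps({"alg": "RS256", "kid": kid, "typ": "JWT"}), json.dumps(claims)]
    signing_input = ".".join(b64u(p.encode()) for p in parts)
    sig = pow(_emsa(signing_input.encode(), _nbytes(n)), d, n)
    return signing_input + "." + b64u(sig.to_bytes(_nbytes(n), "big"))

def jwk(kid: str, key: tuple) -> dict:
    # Public half of a key, shaped like the JWKS entry APIM fetches via openid-config -> jwks_uri.
    n, e, _ = key
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": b64u(n.to_bytes(_nbytes(n), "big")), "e": b64u(e.to_bytes(3, "big"))}

def verify_jwt(token: str, jwks: dict) -> str:
    # Returns "ok" or the failure reason; mirrors validate-jwt's kid lookup plus RSA check.
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64u_dec(h_b64))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or header.get("alg") != "RS256":   # only accept the alg you published
        return "no usable key for kid %r / alg %r" % (header.get("kid"), header.get("alg"))
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    expected = _emsa((h_b64 + "." + p_b64).encode(), _nbytes(n))
    if pow(int.from_bytes(b64u_dec(s_b64), "big"), e, n) != expected:
        return "signature validation failed"   # the condition behind IDX10511
    return "ok"

def demo() -> tuple:
    kid = "AanrD1WcPkqMpK3p2S0JQ7ixqWkYBAL8hRnU6Dciiew"   # kid from the question's token
    token = sign_jwt({"iss": "https://login.zenbi.dk", "aud": "You"}, kid, KEY_A)
    return (verify_jwt(token, {"keys": [jwk(kid, KEY_A)]}),
            verify_jwt(token, {"keys": [jwk(kid, KEY_B)]}))  # same kid, different key
```

    Running demo() yields ("ok", "signature validation failed"); the second result is the situation to look for when the JWKS behind the openid-configuration is not the key the identity server actually signs with.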
    

    【Discussion】:

    • Yeah, why didn't I think of that, perfect!
    • Thanks for your reply and for your mark :D