【发布时间】:2020-11-10 12:24:58
【问题描述】:
我正在尝试在 Azure 门户中为 JWT 设置策略,并且我已经搜索并粘贴了网络中几乎所有可用的解决方案,但似乎没有一个有效。这是我设置的政策:-
<policies>
<inbound>
<validate-jwt header-name="Authorization" require-scheme="Bearer">
<issuer-signing-keys>
<key>X3IwT3A3bkVfZn40aHkueTBuX2lWd0J6OWNsMjI2Uk9WZw==</key>
</issuer-signing-keys>
<decryption-keys>
<key>X3IwT3A3bkVfZn40aHkueTBuX2lWd0J6OWNsMjI2Uk9WZw==</key>
</decryption-keys>
<audiences>
<audience>api://53cd59c4-53e7-46e6-890b-1dcac2cb2423</audience>
</audiences>
<issuers>
<issuer>https://sts.windows.net/5181d074-dbc6-49e9-9ada-051bc62d5e3e/</issuer>
</issuers>
<required-claims>
<claim name="scope" match="any" separator=" ">
<value>Files.Read</value>
</claim>
</required-claims>
</validate-jwt>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
请求:
GET https://insyncapim.azure-api.net/api/Product/api/Product HTTP/1.1
Host: insyncapim.azure-api.net
Authorization: Bearer {my JWT token}
Ocp-Apim-Subscription-Key: ••••••••••••••••••••••••••••••••
Ocp-Apim-Trace: true
回复:
content-length: 85
content-type: application/json
date: Thu, 12 Nov 2020 09:13:53 GMT
ocp-apim-trace-location: https://apimstu4tludl9hfaq8f2v6o.blob.core.windows.net/apiinspectorcontainer/wEGj7uZ8ebXmIo1P1hgGvw2-16?sv=2018-03-28&sr=b&sig=sQ98cMJe58d6bJcmZ%2BRqGHtn6jk6S13p7ORbFlWkIwI%3D&se=2020-11-13T09%3A13%3A53Z&sp=r&traceId=3f4870770f544ed28962360a04112ef8
vary: Origin
{
"statusCode": 401,
"message": "Unauthorized. Access token is missing or invalid."
}
追踪:
api-inspector
{
"request": {
"method": "GET",
"url": "https://insyncapim.azure-api.net/api/Product/api/Product",
"headers": [
{
"name": "Ocp-Apim-Subscription-Key",
"value": {My subscription key}
},
{
"name": "Sec-Fetch-Site",
"value": "cross-site"
},
{
"name": "Sec-Fetch-Mode",
"value": "cors"
},
{
"name": "Sec-Fetch-Dest",
"value": "empty"
},
{
"name": "X-Forwarded-For",
"value": "182.75.240.158"
},
{
"name": "Cache-Control",
"value": "no-cache, no-store"
},
{
"name": "Content-Type",
"value": "text/plain;charset=UTF-8"
},
{
"name": "Accept",
"value": "*/*"
},
{
"name": "Accept-Encoding",
"value": "gzip,deflate,br"
},
{
"name": "Accept-Language",
"value": "en-US,en;q=0.9"
},
{
"name": "Authorization",
"value": "Bearer {my JWT token}
},
{
"name": "Host",
"value": "insyncapim.azure-api.net"
},
{
"name": "Referer",
"value": "https://apimanagement.hosting.portal.azure.net/"
}
]
}
}
api-inspector
{
"configuration": {
"api": {
"from": "/api/Product",
"to": null,
"version": null,
"revision": "1"
},
"operation": {
"method": "GET",
"uriTemplate": "/api/Product"
},
"user": "-",
"product": "-"
}
}
我正在尝试使用邮递员生成访问令牌,正在生成访问令牌。但是每当我尝试使用访问令牌请求 API 时,结果总是 401:未授权。 我是第一次尝试,请帮助我。
【问题讨论】:
-
您能否分享一下您是如何在邮递员中生成访问令牌的详细信息?这个api只需要
Files.Read权限吗? -
您能否分享在 Ocp-Apim-Trace-Location 中提供的位置的完整跟踪。
-
嗨 @HuryShen,我从 App Registration -> Demo App -> Endpoints 获得了所有凭据。然后,在授权选项卡的 POSTMAN 中,我选择了 OAuth 2.0 -> 获取新访问令牌。此步骤中生成的访问令牌用于进一步的 API 请求。我无法获得任何提及有效范围的范围相关文档,并且在没有范围的情况下请求访问令牌会引发错误。我看了一个youtube视频他用了这个范围,所以我用了这个范围。
-
您似乎不知道访问令牌包含哪个范围。您需要知道要在 azure 广告中分配给应用的权限。如果您已经为该应用分配了权限,并且还授予了管理员同意。您可以将访问令牌复制到this 页面并解码令牌。然后检查解码后的token中是否有
scope字段。我猜它可能不存在令牌中的字段,该字段可能名为scp,但不是scope。 -
是的,我已经解码了访问令牌,它包含-“scp”:“Files.Read profile openid email”,
标签: azure-api-management jwt-auth