問題描述
在APIM中配置對傳入的Token進行預驗證,確保傳入後端被保護的API的Authorization資訊正確有效,可以使用validate-jwt策略。validate-jwt 策略強制要求從指定 HTTP 標頭或指定查詢引數提取的 JSON Web 令牌 (JWT) 必須存在且有效。validate-jwt 策略支援 HS256 和 RS256 簽名演算法。
- 對於 HS256,必須在策略中以 base64 編碼形式提供內聯方式的金鑰。
- 對於 RS256,金鑰可以通過 Open ID 配置終結點來提供,或者通過提供包含公鑰或公鑰的模數指數對的已上傳證書的 ID 來提供。
HS256配置
- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unvalid authorization" require-expiration-time="true" require-signed-tokens="true">
- <issuer-signing-keys>
- <key>在HS256演算法中使用的金鑰,進行base64編碼後的值</key>
- </issuer-signing-keys>
- <audiences>
- <audience>在生成JWT Token時設定的aud值</audience>
- </audiences>
- </validate-jwt>
RS256配置(附帶錯誤訊息)
- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unvalid authorization" require-expiration-time="true" require-signed-tokens="true">
- <issuer-signing-keys>
- <key><RS256 公鑰內容通過base64編碼後的值></key>
- </issuer-signing-keys>
- <audiences>
- <audience>在生成JWT Token時設定的aud值</audience>
- </audiences>
- </validate-jwt>
在進行驗證時錯誤訊息(文末附錄中包含如何在APIM門戶中通過Test功能檢測策略的執行結果及錯誤)
- validate-jwt (-0.132 ms)
- {
- "message": "JWT Validation Failed: IDX10503: Signature validation failed.
Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: '', InternalId: 'HuvkEY3HBhujvk2qeDfgPFD2iYc-GYrnlDX6Yd1LsYQ'. ,
KeyId: \r\n'.\nExceptions caught:\n 'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.\nAlgorithm: 'RS256',
SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: '',
InternalId: 'HuvkEY3HBhujvk2qeDfgPFD2iYc-GYrnlDX6Yd1LsYQ'.'\n is not supported.
The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms\r\n
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)\r\n
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)\r\n
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)\r\n
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token,
TokenValidationParameters validationParameters)\r\n'.
\ntoken: '{\"typ\":\"jwt\",\"alg\":\"RS256\"}.{\"aud\":\"xxxxx.azure-api.cn\",\"user_id\":123456,\"username\":\"lutpython\",\"exp\":1631786725}'.."- }
那麼, 如何來解決RS256 JWT的驗證問題呢?
解決方案
正如APIM官網中特別提醒的一句話“對於 RS256,金鑰可以通過 Open ID 配置終結點來提供,或者通過提供包含公鑰或公鑰的模數指數對的已上傳證書的 ID 來提供 (英文原文:For RS256 the key may be provided either via an Open ID configuration endpoint, or by providing the ID of an uploaded certificate that contains the public key or modulus-exponent pair of the public key.)” , 所以APIM 中的validate-jwt是不支援使用直接配置公鑰(Public Key)。 目前的方案有兩種:
1) 使用openid configuration, OpenID Configuration中包含了公鑰的內容,是有提供Token的許可權伺服器管理提供(如 Azure AD中就自動包含OpenID Configuration Endpoint). 注:這部分的詳細介紹可以參考官網:https://docs.azure.cn/zh-cn/api-management/api-management-access-restriction-policies#azure-active-directory-token-validation
2) 把有證書機構(CA)頒發的包含公鑰(Publick Key)的 .pfx證書上傳到APIM中,然後配置 key certificate-id="<上傳在APIM證書中的ID值>"
- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unvalid authorization" require-expiration-time="true" require-signed-tokens="true">
- <issuer-signing-keys>
- <key certificate-id="<上傳在APIM證書中的ID值>" />
- </issuer-signing-keys>
- <audiences>
- <audience>在生成JWT Token時設定的aud值</audience>
- </audiences>
- </validate-jwt>
方案步驟
可以使用以下的步驟來驗證RS256 JWT:
1) 使用 openssl 指令建立 證書 (Local.pfx)
- openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=Local" -newkey rsa:2048 -keyout Local.key -out Local.crt
- openssl.exe pkcs12 -export -in Local.crt -inkey Local.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out Local.pfx
openssl.exe 下載地址:https://slproweb.com/products/Win32OpenSSL.html, 使用時需要 cd到 openssl.exe所在的bin目錄中
2)上傳 Local.pfx 檔案到APIM,並自定義證書ID, 如:apim-rs256-01
3)在APIM的策略中(API級,單個操作級別,或者一組API[產品], 或者全部的APIs)。validate-jwt 內容如下:
- <policies>
- <inbound>
- <base />
- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="401 unauthorized">
- <issuer-signing-keys>
- <key certificate-id="apim-rs256-01" />
- </issuer-signing-keys>
- </validate-jwt>
- </inbound>
- <backend>
- <base />
- </backend>
- <outbound>
- <base />
- </outbound>
- <on-error>
- <base />
- </on-error>
- </policies>
4) 使用以下的C#程式碼生成 Token
- using Microsoft.IdentityModel.Tokens;
- using System;
- using System.Collections.Generic;
- using System.IdentityModel.Tokens.Jwt;
- using System.Linq;
- using System.Security.Claims;
- using System.Security.Cryptography;
- using System.Security.Cryptography.X509Certificates;
- using System.Text;
- using System.Threading.Tasks;
- namespace ConsoleAppjwt
- {
- class Program
- {
- static void Main(string[] args)
- { // Token Generation
- var CLIENT_ID = "Local";
- var ISSUER_GUID = "b0123cec-86bb-4eb2-8704-dcf7cb2cc279";
- var filePath = @"C:\Users\xxxx\source\repos\ConsoleAppjwt\ConsoleAppjwt\Cert\Local.pfx";
- var x509Certificate2 = new X509Certificate2(filePath, "123456789");
- var signingCredentials = new X509SigningCredentials(x509Certificate2, SecurityAlgorithms.RsaSha256Signature); //, SecurityAlgorithms.Sha256Digest
- var tokenHandler = new JwtSecurityTokenHandler();
- var originalIssuer = $"{CLIENT_ID}";
- var issuer = originalIssuer;
- DateTime utcNow = DateTime.UtcNow;
- DateTime expired = utcNow + TimeSpan.FromHours(1);
- var claims = new List<Claim> {
- new Claim("aud", "https://login.microsoftonline.com/{YOUR_TENENT_ID}/oauth2/token", ClaimValueTypes.String, issuer, originalIssuer),
- new Claim("exp", "1460534173", ClaimValueTypes.DateTime, issuer, originalIssuer),
- new Claim("jti", $"{ISSUER_GUID}", ClaimValueTypes.String, issuer, originalIssuer),
- new Claim("nbf", "1460533573", ClaimValueTypes.String, issuer, originalIssuer),
- new Claim("sub", $"{CLIENT_ID}", ClaimValueTypes.String, issuer, originalIssuer)
- };
- ClaimsIdentity subject = new ClaimsIdentity(claims: claims);
- var tokenDescriptor = new SecurityTokenDescriptor
- {
- Subject = subject,
- Issuer = issuer,
- Expires = expired,
- SigningCredentials = signingCredentials,
- };
- JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
- jwtToken.Header.Remove("typ");
- var token = tokenHandler.WriteToken(jwtToken);
- Console.WriteLine(token);
- //Start to Verify Token
- Console.WriteLine("Start to Verify Token");
- ValidationToken(token);
- Console.ReadLine();
- }
- static void ValidationToken(string token)
- {
- try
- {
- JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
- var filePath = @"C:\Users\xxxx\source\repos\ConsoleAppjwt\ConsoleAppjwt\Cert\Local.pfx";
- TokenValidationParameters tvParameter = new TokenValidationParameters
- {
- ValidateIssuerSigningKey = true,
- IssuerSigningKey = new X509SecurityKey(new X509Certificate2(filePath, "123456789")),
- ValidateIssuer = false,
- ValidateAudience = false,
- // set clockskew to zero so tokens expire exactly at token expiration time (instead of 5 minutes later)
- ClockSkew = TimeSpan.Zero
- };
- SecurityToken stoken;
- jwtHandler.ValidateToken(token, tvParameter, out stoken);
- Console.WriteLine(stoken);
- Console.WriteLine("Validate Token Success");
- }
- catch (Exception ex)
- {
- Console.WriteLine(ex);
- }
- }
- }
- }
5) 呼叫APIM介面對Authorization驗證
當然,也可以直接在呼叫APIM的客戶端中進行驗證。
附錄一:在APIM的介面配置頁中,Test頁面點選Send按鈕,傳送API的請求,通過頁面中的Trace部分檢視每一部分的耗時,處理結果,或錯誤詳情。
參考資料
驗證 JWT:https://docs.azure.cn/zh-cn/api-management/api-management-access-restriction-policies#validate-jwt
How to validate JWT signed with RS256 Algorithm with validate-jwt policy in Azure API management :https://stackoverflow.com/questions/37050233/how-to-validate-jwt-signed-with-rs256-algorithm-with-validate-jwt-policy-in-azur