我在.NET中有以下控制器:
[ApiController]
[Route("api")]
public class TestController : ControllerBase
{
public TestController() { }
[HttpGet("Test")]
public ActionResult<string> Test()
{
string? subject = User.FindFirst("sub")?.Value;
if (subject == null)
{
return NotFound("Claim 'sub' not found.");
}
return Ok($"Subject: {subject}");
}
}
默认程序.cs:
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthorization();
app.MapControllers();
app.Run();
我将此应用程序发布到 Azure Web App,然后将其上传到 Azure API 管理 (APIM)。在 APIM 中,我有以下 XML 策略:
<policies>
<inbound>
<base />
<set-backend-service id="apim-generated-policy" backend-id="WebApp_web-app-hermie" />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-expiration-time="false" require-scheme="Bearer" require-signed-tokens="true">
<issuer-signing-keys>
<key><my-key></key>
</issuer-signing-keys>
<required-claims>
<claim name="sub" match="all">
<value>1234567890</value>
</claim>
</required-claims>
</validate-jwt>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
我从 jwt.io 获得了 JWT,其中:
标题
{
"alg": "HS256",
"typ": "JWT"
}
有效负载
{
"sub": "1234567890",
"name": "John",
"iat": 1516239022
}
验证签名
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
<my-key>
)
并检查秘密的base64编码。
结果如下:
Claim 'sub' not found.
身份验证有效,但无法提取声明。 APIM 正在执行所有验证,因此我认为我不需要在代码中执行此操作,我所需要做的就是提取 JWT 信息并返回它。然而,这是行不通的。谁能帮助我如何提取通过 APIM 传递的 JWT 声明?
我认为要填充 User 属性,您至少应该使用
[Authorize]此属性将帮助框架确定哪个操作需要身份验证,从而对转发到此操作的请求进行身份验证。我想这会解决你的问题