我在更改下面用于 APIM 中 JWT 验证的受众元素的值时遇到了一个奇怪的问题,参考下面的链接
https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT
1个新链接: https://new.onelogin.com/oidc/token
我只在 2 中更改了旧版本的受众元素的值。但是当我尝试保存策略时,我从 APIM 门户收到以下验证错误:
The element 'validate-jwt' has invalid child element 'openid-config'. List of possible elements expected: 'required-claims'.
请注意,2 中的旧版本不需要"必需声明"元素。
client_id=新 xxx
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error: expired token or invalid token" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
<audiences>
<audience>new xxx</audience>
</audiences>
<issuers>
<issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
</issuers>
<openid-config url="https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration" />
</validate-jwt>
2 旧的网址和 jwt 验证,它可以工作。
https://old.onelogin.com/oidc/token
client_id=old xxx
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error: expired token or invalid token" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
<audiences>
<audience>old xxx</audience>
</audiences>
<issuers>
<issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
</issuers>
<openid-config url="https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration" />
</validate-jwt>
知道吗?
更新:
现在,即使是有效的原始策略也存在问题,甚至没有任何更改:
The element 'validate-jwt' has invalid child element 'openid-config'. List of possible elements expected: 'required-claims'.
在xml中向上移动openid-config
并将其保留在validate-jwt
开始标记的正下方。请看下面:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
<openid-config url="" />
<issuer-signing-keys>
<key>Base64 Encoded Key</key>
</issuer-signing-keys>
<audiences>
<audience></audience>
</audiences>
<issuers>
<issuer></issuer>
</issuers>
</validate-jwt>