Authorization in Azure API management through JWT

2019-08-23 03:41发布

问题:

I have written an inbound policy which enables CORS and validates the access token against an Authorization-Server. The following policy is working fine:

<policies>
    <inbound>
        <!-- Extract Token from Authorization header parameter -->
        <set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
        <!-- Send request to Token Server to validate token (see RFC 7662) -->
        <send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
            <set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
            <set-method>POST</set-method>
            <set-header name="Content-Type" exists-action="override">
                <value>application/x-www-form-urlencoded</value>
            </set-header>
            <set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
        </send-request>
        <cors>
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods>
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <choose>
            <when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
                <!-- Return 401 Unauthorized with http-problem payload -->
                <return-response response-variable-name="existing response variable">
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Bearer error="invalid_token"</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <set-header name="Access-Control-Allow-Origin" exists-action="override">
            <value>*</value>
        </set-header>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

Now I'm adding a condition which authorizes users to use PUT, POST or DELETE methods only if they belong to a certain group:

    <when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
        <validate-jwt header-name="Authorization">
            <required-claims>
                <claim name="groups">
                    <value>UOM WriteAdmin</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </when>

But I'm getting following error while saving the policy:

One or more fields contain incorrect values:
Error in element 'choose' on line 28, column 10: Syntax error, ',' expected

I'm not sure what's wrong. This is the final policy after incorporating authorization logic:

<policies>
    <inbound>
        <!-- Extract Token from Authorization header parameter -->
        <set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
        <!-- Send request to Token Server to validate token (see RFC 7662) -->
        <send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
            <set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
            <set-method>POST</set-method>
            <set-header name="Content-Type" exists-action="override">
                <value>application/x-www-form-urlencoded</value>
            </set-header>
            <set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
        </send-request>
        <cors>
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods>
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <choose>
            <when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
                <!-- Return 401 Unauthorized with http-problem payload -->
                <return-response response-variable-name="existing response variable">
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Bearer error="invalid_token"</value>
                    </set-header>
                </return-response>
            </when>
            <when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
                <validate-jwt header-name="Authorization">
                    <required-claims>
                        <claim name="groups">
                            <value>UOM WriteAdmin</value>
                        </claim>
                    </required-claims>
                </validate-jwt>
            </when>            
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <set-header name="Access-Control-Allow-Origin" exists-action="override">
            <value>*</value>
        </set-header>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

回答1:

Try this:

<when condition="@(new [] {"post", "put", "delete"}.Contains(context.Request.Method, StringComparer.OrdinalIgnoreCase))">

You seem to have some extra symbols there.