Does APIM forward same bearer token to backend API? | OAuth 2.0 and Azure AAD

Views: 58

Problem description


Following the document from Microsoft linked below, I have registered both apps, set up an OAuth 2.0 service with client credentials, and added the "validate-jwt" inbound policy. I have tested it with Postman, generating a bearer token and calling my backend API under the APIM instance while passing the token. It works fine.

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

But along with APIM, I also want to secure my backend API and pass the same token to the backend API, so I have some questions here:

  • Does APIM forward the same bearer token to the backend API automatically, or do we need to configure a policy for it?
  • If it does, how can I check trace logs? Also, how can I authorize that same token in the backend API code?

Here is my "validate-jwt" policy:

<inbound>
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <openid-config url="https://login.microsoftonline.com/{AAD Tenant ID}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>{App Id of backend App}</audience>
        </audiences>
    </validate-jwt>
    <base />
</inbound>

Please help.

Solution

For your first question:

According to some tests on my side, it seems APIM can forward the same bearer token to the backend API automatically, without adding any policy.

I created an API in APIM that calls the Microsoft Graph API (list users) in the backend. Running the APIM API, it shows a "401 Unauthorized" error. Then I tested it providing the bearer token in the headers of the APIM API, as in the screenshot below:

It runs successfully and responds with the user list. So the bearer token can be forwarded to the backend API automatically.

For your second question:

If you want to trace logs for the backend API, I think you can just do it in the backend code of your API.

To validate the token in your backend API, you can decode the JWT token in your backend API code and then check the value of a claim in the token (below I provide a sample that decodes the JWT token and gets the value of the iss claim).

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;

namespace ConsoleApp5
{
    class Program
    {
        static void Main(string[] args)
        {
            var stream = "your access token";
            var handler = new JwtSecurityTokenHandler();

            // ReadJwtToken only parses the token; it does not check the signature,
            // issuer, audience or expiry (ValidateToken does that).
            var tokenS = handler.ReadJwtToken(stream);

            var iss = tokenS.Claims.First(claim => claim.Type == "iss").Value;
            Console.WriteLine(iss);
            //Then check if "iss" matches the value you specified.

            Console.ReadLine();
        }
    }
}
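The snippet above only decodes the token. Since APIM forwards the Authorization header unchanged, the backend is reachable with any token that APIM lets through (or bypasses APIM entirely if the backend is network-reachable), so the backend should verify the signature, issuer, audience and lifetime itself before trusting any claim. The following is an added example, not code from the answer: it uses the same System.IdentityModel.Tokens.Jwt package plus Microsoft.IdentityModel.Tokens, and it generates its own RSA key and tokens locally so it runs offline. The issuer and audience strings are placeholders standing in for the tenant issuer and the backend app's Application ID from the validate-jwt policy; in production `IssuerSigningKeys` would be loaded from the same OpenID configuration document that the policy references.

```csharp
// Added example (not from the original answer): validate the forwarded JWT in the
// backend instead of only decoding it. Everything below is constructed locally:
// the signing key stands in for the tenant's published JWKS key, and the tokens
// stand in for what APIM forwards unchanged in the Authorization header.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

namespace BackendTokenValidation
{
    class Program
    {
        // Placeholders for the AAD tenant issuer and the backend app's Application ID.
        const string Issuer = "https://login.microsoftonline.com/{AAD Tenant ID}/v2.0";
        const string Audience = "{App Id of backend App}";

        static void Main()
        {
            // Constructed key pair; in production the public keys come from the
            // OpenID configuration document (openIdConfig.SigningKeys).
            using var trustedRsa = RSA.Create(2048);
            var trustedKey = new RsaSecurityKey(trustedRsa) { KeyId = "constructed-key-1" };
            var trustedCreds = new SigningCredentials(trustedKey, SecurityAlgorithms.RsaSha256);

            // A second, untrusted key: a token signed with it must be rejected.
            using var untrustedRsa = RSA.Create(2048);
            var untrustedCreds = new SigningCredentials(
                new RsaSecurityKey(untrustedRsa) { KeyId = "constructed-key-2" },
                SecurityAlgorithms.RsaSha256);

            var handler = new JwtSecurityTokenHandler();
            var claims = new ClaimsIdentity(new[]
            {
                new Claim("appid", "{Client app id}"),   // placeholder calling app
                new Claim("roles", "Users.Read"),
            });

            string Issue(string audience, SigningCredentials creds, int minutesValid) =>
                handler.WriteToken(handler.CreateJwtSecurityToken(
                    issuer: Issuer,
                    audience: audience,
                    subject: claims,
                    expires: DateTime.UtcNow.AddMinutes(minutesValid),
                    signingCredentials: creds));

            var parameters = new TokenValidationParameters
            {
                ValidIssuer = Issuer,
                ValidAudience = Audience,
                IssuerSigningKey = trustedKey,
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(1),
            };

            Console.WriteLine(Validate(handler, Issue(Audience, trustedCreds, 10), parameters));        // valid token
            Console.WriteLine(Validate(handler, Issue("some-other-api", trustedCreds, 10), parameters)); // audience mismatch
            Console.WriteLine(Validate(handler, Issue(Audience, untrustedCreds, 10), parameters));      // unknown signing key
            Console.WriteLine(Validate(handler, Issue(Audience, trustedCreds, -5), parameters));        // expired
        }

        // Returns a short result string; a web API would return 401 on failure instead.
        static string Validate(JwtSecurityTokenHandler handler, string token, TokenValidationParameters parameters)
        {
            try
            {
                // ValidateToken checks signature, issuer, audience and lifetime together;
                // only after it succeeds is it safe to act on any claim value.
                handler.ValidateToken(token, parameters, out SecurityToken validated);
                var jwt = (JwtSecurityToken)validated;
                var appId = jwt.Claims.First(c => c.Type == "appid").Value;
                return $"accepted: iss={jwt.Issuer}, aud={jwt.Audiences.First()}, appid={appId}";
            }
            catch (SecurityTokenException ex)
            {
                // Covers SecurityTokenInvalidAudienceException, SecurityTokenExpiredException,
                // SecurityTokenSignatureKeyNotFoundException and the other validation failures.
                return $"rejected: {ex.GetType().Name}";
            }
        }
    }
}
```

The four calls in Main exercise the cases a backend must handle: a well-formed token for this API, a token for another audience, a token signed by a key the API does not trust, and an expired token. Reading claims from the `JwtSecurityToken` returned by `ValidateToken` (rather than from a separately decoded copy) ensures the values come from the token that actually passed validation.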
