JWT Validation: Caching JWKS derived from cached discovery document via Azure API Management

Problem description

I set up caching for the discovery endpoint below by wrapping it and caching it via Azure API Management.

https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration

So the new link below does the caching:

https://my.azure-api.net/sso/.known/openid-configuration?subscription-key=mykey

Below is the policy for token validation:

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error: expired token or invalid token" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
        <openid-config url="https://my.azure-api.net/sso/.well-known/openid-configuration?subscription-key=mykey" />
        <audiences>
            <audience>id</audience>
        </audiences>
        <issuers>
            <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
        </issuers>
    </validate-jwt>

My question is: do I need to cache the JWKS link below, which is in the discovery document above and is used for the validation? If so, how can I cache it?

https://openid-connect-eu.onelogin.com/oidc/certs

Recommended answer

The URL in the returned HTML body is modified and replaced with a new URL that is cached via APIM.
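One way to express the rewrite described in the answer as APIM policies. This is an added example, not part of the original answer: the `/sso/certs` wrapper path, the two operations and the one-hour cache duration are assumptions, and `mykey` is the placeholder from the question.

```xml
<!-- Added example. Assumed operation 1: GET /.well-known/openid-configuration on the "sso" API -->
<policies>
    <inbound>
        <base />
        <cache-lookup vary-by-developer="false" vary-by-developer-groups="false" />
        <!-- Keep the APIM subscription key out of the request sent to the identity provider -->
        <set-query-parameter name="subscription-key" exists-action="delete" />
        <set-backend-service base-url="https://openid-connect-eu.onelogin.com/oidc" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Point jwks_uri at the APIM wrapper (hypothetical path /sso/certs).
             Assumes the URL appears unescaped in the JSON body; the replacement is
             idempotent, so it is harmless if it also runs on a cached response. -->
        <find-and-replace from="https://openid-connect-eu.onelogin.com/oidc/certs" to="https://my.azure-api.net/sso/certs?subscription-key=mykey" />
        <!-- Assumed duration: keep it short enough that signing-key rotation is picked up -->
        <cache-store duration="3600" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

<!-- Added example. Assumed operation 2: GET /certs on the same API, caching the JWKS itself -->
<policies>
    <inbound>
        <base />
        <cache-lookup vary-by-developer="false" vary-by-developer-groups="false" />
        <set-query-parameter name="subscription-key" exists-action="delete" />
        <set-backend-service base-url="https://openid-connect-eu.onelogin.com/oidc" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <cache-store duration="3600" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The `issuer` in `validate-jwt` stays pinned to `https://openid-connect-eu.onelogin.com/oidc`, since only the key-fetch URL changes. While a cached JWKS is stale, tokens signed with a newly rotated key fail validation until the cache entry expires.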
