【发布时间】:2021-04-01 16:04:45
【问题描述】:
我有一个 Azure APIM,它检查请求持有者 JWT 令牌:
<inbound>
<base />
<set-variable name="TenantId" value="
@{
var tenantId = context.Request.Headers.GetValueOrDefault("TenantId","");
if (tenantId != null) {
return tenantId;
}
return null;
}" />
<limit-concurrency key="@((string)context.Variables["TenantId"])" max-count="1">
<set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
<set-header name="subscription-key" exists-action="delete" />
<set-variable name="JWTIssuer" value="
@{
var authStr = context.Request.Headers.GetValueOrDefault("Authorization","");
if (authStr.StartsWith("Bearer")) {
var jwt = authStr.Substring("Bearer ".Length).AsJwt();
if (jwt != null) {
return jwt.Issuer;
}
}
return null;
}" />
<choose>
<when condition="@(context.Variables.GetValueOrDefault("JWTIssuer", "") == "<URL of issuer>")">
<!-- Authorisation using HPCA token -->
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
<openid-config url="<Open Id Url>" />
<required-claims>
<claim name="MyClaim" match="any" separator=",">
<value>X</value>
</claim>
</required-claims>
</validate-jwt>
</when>
<!-- HPCA Error handling -->
<otherwise>
<return-response>
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error "Invalid HPCA token"</value>
</set-header>
</return-response>
</otherwise>
</choose>
</limit-concurrency>
</inbound>
<on-error>
<base />
<return-response>
<set-status code="@(context.Response.StatusCode)" reason="@(context.Response.StatusReason)" />
</return-response>
</on-error>
这一切都按预期工作:如果颁发者不正确或 JWT 令牌无效,则调用 OnError 处理程序并向调用者返回 401 错误状态。问题是,如果我在选择策略之后添加对函数的调用:
</otherwise>
</choose>
<send-request mode="copy" response-variable-name="Response" timeout="10" ignore-error="false">
<set-url>https://myfuncApp.azurewebsites.net/api/Function1</set-url>
<set-method>POST</set-method>
</send-request>
<return-response response-variable-name="Response">
<set-status code="@(context.Response.StatusCode)" reason="@(context.Response.StatusReason)" />
</return-response>
</limit-concurrency>
</inbound>
然后,即使使用无效的不记名令牌并调用错误处理程序,APIM仍然继续调用该函数:错误处理程序中的返回响应似乎被忽略了 - 为什么?我可以通过将发送请求包装在另一个条件中来伪造它(即检查 context.Response.StatusCode 不是 401),但这对我来说似乎不正确。
【问题讨论】:
-
调查此问题的最佳方法是从 Azure 门户进行测试调用并查看那里可用的跟踪。你也可以在这里发布它,但不要担心它暴露的秘密。