Azure API Gateway provides JWT validation. Auth0 recommends the machine-to-machine OAuth flow, but configuring it is unusually complicated. Instead, we can use JWKS to obtain Auth0's public key and then validate the Auth0 JWT with it. The Azure API Gateway configuration is as follows:
<policies>
    <inbound>
        <base />
        <cors>
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods>
                <method>GET</method>
                <method>POST</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
        </cors>
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer" require-signed-tokens="true" clock-skew="120">
            <openid-config url="https://your_auth0_domain.us.auth0.com/.well-known/openid-configuration" />
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
The key here is using OpenID to obtain the public key. Normally one would fetch https://your_auth0_domain.us.auth0.com/.well-known/jwks.json directly, but Azure API Gateway requires the OpenID form. Auth0 supports that form at https://your_auth0_domain.us.auth0.com/.well-known/openid-configuration
References
https://social.msdn.microsoft.com/Forums/azure/en-US/6066631f-c4ca-4757-9190-bc363e4e242f/caching-jwks-from-identity-provider-using-azure-api-management-for-validating-jwt?forum=azureapimgmt
https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT