[Repost] How to validate a JWT signed with the RS256 algorithm with the validate-jwt policy in Azure API Management
ASK:
==================================
I can successfully validate a JWT signed with HS256 using the validate-jwt policy in Azure API Management by setting the <issuer-signing-keys> attribute. But how can I validate a JWT signed with RS256? I tried putting the public key or certificate in <issuer-signing-keys>, but it does not work.
Answer:
At the moment the only way to validate RSA-signed tokens is with an OpenID URL.
I was able to validate such a token with the following policy:
<issuer-signing-keys>
<key certificate-id="my-rsa-cert" />
</issuer-signing-keys>
You can do that with the following steps:
- Create a certificate with the commands below:
    openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=Local" -newkey rsa:2048 -keyout Local.key -out Local.crt
    openssl.exe pkcs12 -export -in Local.crt -inkey Local.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out Local.pfx
- Load the certificate "Local.pfx" into API Management with the id "my-rsa-cert".
- Generate the tokens from the certificate with the code below:
    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.IdentityModel.Tokens;

    // Token generation
    var CLIENT_ID = "Local";
    var ISSUER_GUID = "b0123cec-86bb-4eb2-8704-dcf7cb2cc279";
    var filePath = @"..\..\..\Cert\Local.pfx";
    // Load the PFX created above: its private key signs the token, the certificate uploaded to APIM verifies it.
    var x509Certificate2 = new X509Certificate2(filePath, "<certpwd>");
    var signingCredentials = new X509SigningCredentials(x509Certificate2, SecurityAlgorithms.RsaSha256Signature); //, SecurityAlgorithms.Sha256Digest
    var tokenHandler = new JwtSecurityTokenHandler();
    var originalIssuer = $"{CLIENT_ID}";
    var issuer = originalIssuer;
    DateTime utcNow = DateTime.UtcNow;
    DateTime expired = utcNow + TimeSpan.FromHours(1);
    var claims = new List<Claim>
    {
        new Claim("aud", "https://login.microsoftonline.com/{YOUR_TENANT_ID}/oauth2/token", ClaimValueTypes.String, issuer, originalIssuer),
        new Claim("exp", "1460534173", ClaimValueTypes.DateTime, issuer, originalIssuer), // fixed sample Unix timestamp
        new Claim("jti", $"{ISSUER_GUID}", ClaimValueTypes.String, issuer, originalIssuer),
        new Claim("nbf", "1460533573", ClaimValueTypes.String, issuer, originalIssuer),   // fixed sample Unix timestamp
        new Claim("sub", $"{CLIENT_ID}", ClaimValueTypes.String, issuer, originalIssuer)
    };
    ClaimsIdentity subject = new ClaimsIdentity(claims: claims);
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = subject,
        Issuer = issuer,
        Expires = expired, // token lifetime: one hour from now
        //TokenIssuerName = "self",
        //AppliesToAddress = "https://www.mywebsite.com",
        //Lifetime = new Lifetime(now, now.AddMinutes(60)),
        SigningCredentials = signingCredentials,
    };
    JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
    jwtToken.Header.Remove("typ");                 // drop the optional "typ" header
    var token = tokenHandler.WriteToken(jwtToken); // compact header.payload.signature form
    // Output is a string property of the surrounding host class (not shown): the decoded token, then the compact form.
    this.Output = jwtToken.ToString();
    this.Output += "\r\n" + token.ToString();
- Send requests to the API with the generated Bearer tokens.
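What the policy does once the certificate is registered, as an added example that is not code from the question, the answer or Azure API Management: a Go program that mints an RS256 token the way the generation step does and then verifies it by pinning alg to RS256, checking the signature under the certificate's public key and enforcing exp, nbf and aud. The audience string and claim values are constructed, and the key pair is generated at run time instead of being read from Local.pfx.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
// Claims holds the registered claims the policy enforces; values are constructed by the caller.
type Claims struct {
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Nbf int64  `json:"nbf"`
}
// decode base64url-decodes one JWS segment into v; false on any failure.
func decode(s string, v interface{}) bool {
	raw, err := b64.DecodeString(s)
	return err == nil && json.Unmarshal(raw, v) == nil
}
// Mint signs header.payload with RSASSA-PKCS1-v1_5 over SHA-256, i.e. JWS alg "RS256".
func Mint(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
// Verify mirrors validate-jwt with a certificate-id key: pin alg, check the signature, then exp/nbf/aud.
func Verify(pub *rsa.PublicKey, token, aud string, now int64) (*Claims, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if len(p) != 3 || !decode(p[0], &hdr) || hdr.Alg != "RS256" {
		return nil, errors.New("not an RS256 token") // never honour alg=none or an HMAC alg here
	}
	sig, _ := b64.DecodeString(p[2]) // undecodable input yields garbage that fails the check below
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // the payload is trusted only once the signature is proven
	if !decode(p[1], &c) || now >= c.Exp || now < c.Nbf || c.Aud != aud {
		return nil, errors.New("payload, exp/nbf window or audience rejected")
	}
	return &c, nil
}
```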