1

我正在尝试在 API Gateway 上验证用户的 JWT。我可以成功验证 JWT 本身及其受众。最重要的是,如果用户没有正确的范围,我想阻止端点,例如,如果用户没有“separate-stuff”范围,则不应将对“/api/v1/separate”的请求转发给服务。

这是我的 JWT 的样子,范围错误:

{
  "exp": 1625718360,
  "iat": 1625700360,
  ...
  "scope": "ship-stuff"
}

和我的 API 网关 YML:

info:
  title: My Gateway
  version: 1.0.0
paths:
  /api/v1/separate:
    get:
      security:
        - identity_token: [separate-stuff]
      summary: Home
      description: some description
      operationId: function_api_v1__get
      responses:
        '200':
          description: Successful Response
    options:
      security:
        - identity_token: [separate-stuff]
      operationId: function_api_v1__options
      responses:
        '200':
          description: Successful response
swagger: '2.0'
x-components: {}
x-google-backend:
  address: https://...
  path_translation: APPEND_PATH_TO_ADDRESS
  jwt_audience: https://...
securityDefinitions:
  identity_token:
    type: "oauth2"
    flow: "implicit"
    authorizationUrl: "https://.../auth"
    scopes:
      separate-stuff: "separates stuff"
    x-google-issuer: "https://..."
    x-google-jwks_uri: "https://.../certs"
    x-google-audiences: "..."

但是 API Gateway 让请求传递给我的服务。关于如何在 API 网关级别执行范围验证的任何想法?我不想在我的服务中执行此操作。谢谢。

4

0 回答 0