<ph type="x-smartling-placeholder"></ph>
您正在查看 Apigee Edge 文档。
转到
Apigee X 文档。 信息
内容
对 JWS 标头进行解码,而不验证 JWS 的签名,并将每个标头写入流变量。与 VerifyJWS 政策搭配使用时,当必须在验证 JWS 签名之前知道 JWS 中的标头值时,此政策最为有用。
JWS 可以附加载荷,格式如下:
header.payload.signature
或者,JWS 可以省略载荷(称为分离载荷),格式如下:
header..signature
DecodeJWS 政策适用于这两种格式,因为它仅解码 JWS 的标头部分。无论用于签署 JWS 的算法是哪个,DecodeJWS 政策也可正常工作。
如需详细了解 JWS 和 JWS 的格式,请参阅 JWS 和 JWT 政策概览。
视频
观看视频短片,了解如何解码 JWT。虽然此视频专用于 JWT,但其中的许多概念同样适用于 JWS。
示例:解码 JWS
下面所示的政策将对在流变量 var.JWS 中找到的 JWS 进行解码。此变量必须存在,并且包含可行(可声明)JWS。该政策可以从任何流变量获取 JWS。
<DecodeJWS name="JWS-Decode-HS256"> <DisplayName>JWS Verify HS256</DisplayName> <Source>var.JWS</Source> </DecodeJWS>
对于 JWS 的标头部分中的每个标头,该策略将设置一个如下名称的流变量:
jws.policy-name.header.header-name
如果 JWS 附加了载荷,则它将 jws.policy-name.header.payload 流变量设置为载荷。对于分离载荷,payload 为空。如需查看此政策设置的变量的完整列表,请参阅流变量。
解码 JWS 的元素参考
政策参考介绍了“解码 JWS 政策”的元素和属性。
适用于顶级元素的属性
<DecodeJWS name="JWS" continueOnError="false" enabled="true" async="false">
以下属性是所有政策的父级元素都具有的属性。
| 属性 | 说明 | 默认 | 状态 |
|---|---|---|---|
| name |
政策的内部名称。您可以在名称中使用的字符仅限于 A-Z0-9._\-$ %。不过,Edge 管理界面会强制实施
限制,例如自动移除非字母数字字符。
(可选)使用 |
不适用 | 必填 |
| continueOnError |
设置为 false 可在政策失败时返回错误。对于大多数政策来说,这一行为符合预期。设置为 |
false | 可选 |
| 已启用 | 设置为 true 可实施政策。设置为 |
true | 可选 |
| 异步 | 此属性已弃用。 | false | 已弃用 |
<DisplayName>
<DisplayName>Policy Display Name</DisplayName>
除了用于名称属性之外,还可以用于在管理界面代理编辑器中给政策添加不同的自然语言名称标签。
| 默认 | 如果省略此元素,则会使用政策的名称属性的值。 |
| 状态 | 可选 |
| 类型 | 字符串 |
<Source>
<Source>JWS-variable</Source>
如果存在,请指定政策在其中查找要解码的 JWS 的流变量。
| 默认 | request.header.authorization(请参阅上述“注意”部分,了解有关默认值的重要信息。) |
| 状态 | 可选 |
| 类型 | 字符串 |
| 有效值 | Edge 流变量名称 |
Flow variables
Upon success, the Verify JWS and Decode JWS policies set context variables according to this pattern:
jws.{policy_name}.{variable_name}
For example, if the policy name is verify-jws, then the policy will store
the algorithm specified in the JWS to this context variable:
jws.verify-jws.header.algorithm
| Variable name | Description |
|---|---|
decoded.header.name |
The JSON-parsable value of a header in the payload. One variable is set for
every header in the payload. While you can also use the header.name flow variables,
this is the recommended variable to use to access a header. |
header.algorithm |
The signing algorithm used on the JWS. For example, RS256, HS384, and so on. See (Algorithm) Header Parameter for more. |
header.kid |
The Key ID, if added when the JWS was generated. See also "Using a JSON Web Key Set (JWKS)" at JWT and JWS policies overview to verify a JWS. See (Key ID) Header Parameter for more. |
header.type |
The header type value. See (Type) Header Parameter for more. |
header.name |
The value of the named header (standard or additional). One of these will be set for every additional header in the header portion of the JWS. |
header-json |
The header in JSON format. |
payload |
The JWS payload if the JWS has an attached payload. For a detached payload, this variable is empty. |
valid |
In the case of VerifyJWS, this variable will be true when the signature is verified, and
the current time is before the token expiry, and after the token notBefore value, if they
are present. Otherwise false.
In the case of DecodeJWS, this variable is not set. |
错误参考信息
This section describes the fault codes and error messages that are returned and fault variables that are set by Edge when this policy triggers an error. This information is important to know if you are developing fault rules to handle faults. To learn more, see What you need to know about policy errors and Handling faults.
Runtime errors
These errors can occur when the policy executes.
| Fault code | HTTP status | Occurs when |
|---|---|---|
steps.jws.FailedToDecode |
401 | The policy was unable to decode the JWS. The JWS is possibly corrupted. |
steps.jws.FailedToResolveVariable |
401 | Occurs when the flow variable specified in the <Source> element of
the policy does not exist. |
steps.jws.InvalidClaim |
401 | For a missing claim or claim mismatch, or a missing header or header mismatch. |
steps.jws.InvalidJsonFormat |
401 | Invalid JSON found in the JWS header. |
steps.jws.InvalidJws |
401 | This error occurs when the JWS signature verification fails. |
steps.jws.InvalidPayload |
401 | The JWS payload is invalid. |
steps.jws.InvalidSignature |
401 | <DetachedContent> is omitted and the JWS has a detached content payload. |
steps.jws.MissingPayload |
401 | The JWS payload is missing. |
steps.jws.NoAlgorithmFoundInHeader |
401 | Occurs when the JWS omits the algorithm header. |
steps.jws.UnknownException |
401 | An unknown exception occurred. |
Deployment errors
These errors can occur when you deploy a proxy containing this policy.
| Error name | Occurs when |
|---|---|
InvalidAlgorithm |
The only valid values are: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, HS256, HS384, HS512. |
|
|
Other possible deployment errors. |
Fault variables
These variables are set when a runtime error occurs. For more information, see What you need to know about policy errors.
| Variables | Where | Example |
|---|---|---|
fault.name="fault_name" |
fault_name is the name of the fault, as listed in the Runtime errors table above. The fault name is the last part of the fault code. | fault.name Matches "TokenExpired" |
JWS.failed |
All JWS policies set the same variable in the case of a failure. | jws.JWS-Policy.failed = true |
Example error response
For error handling, the best practice is to trap the errorcode part of the error
response. Do not rely on the text in the faultstring, because it could change.
Example fault rule
<FaultRules>
<FaultRule name="JWS Policy Errors">
<Step>
<Name>JavaScript-1</Name>
<Condition>(fault.name Matches "TokenExpired")</Condition>
</Step>
<Condition>JWS.failed=true</Condition>
</FaultRule>
</FaultRules>