我想在ASP.Net Core中实现基于JWT的安全性 . 我现在要做的就是在 Authorization
Headers 中读取持有者令牌,并根据我的标准验证它们 . 我不希望包括ASP.Net Identity . 事实上,我试图避免使用尽可能多的MVC添加的东西,除非我真的需要它们 .
我创建了一个最小的项目,它演示了这个问题 . 要查看原始代码,只需查看编辑历史记录即可 . 我希望此示例拒绝所有/ api / icons请求,除非它们为 Authorization
HTTP标头提供相应的承载令牌 . 样本 actually allows all requests .
Startup.cs
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Configuration;
using Microsoft.AspNetCore.Routing;
using Microsoft.IdentityModel.Tokens;
using System.Text;
using System;
using Newtonsoft.Json.Serialization;
namespace JWTSecurity
{
public class Startup
{
public IConfigurationRoot Configuration { get; set; }
public Startup(IHostingEnvironment env)
{
IConfigurationBuilder builder = new ConfigurationBuilder().SetBasePath(env.ContentRootPath);
Configuration = builder.Build();
}
public void ConfigureServices(IServiceCollection services)
{
services.AddOptions();
services.AddAuthentication();
services.AddMvcCore().AddJsonFormatters(options => options.ContractResolver = new CamelCasePropertyNamesContractResolver());
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole();
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("supersecretkey")),
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
}
});
app.UseMvc(routes => routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"));
}
}
}
控制器/ IconsController.cs
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace JWTSecurity.Controllers
{
[Route("api/[controller]")]
public class IconsController : Controller
{
[Authorize]
public IActionResult Get()
{
return Ok("Some content");
}
}
}
2 回答
Found it!
主要问题在于这一行:
我注意到,从AddMvcCore()切换到AddMvc(),授权突然开始工作!在挖掘了the ASP.NET source code之后,看看
AddMvc()
做了什么,我意识到我需要第二次调用IMvcBuilder.AddAuthorization()
.您还使用身份验证,它隐式包含cookie身份验证 . 您可能使用身份方案登录并导致身份验证成功 .
如果不需要身份验证,则删除身份验证(如果只需要jwt身份验证),否则为
Authorize
属性指定Bearer
scheme,如下所示: