假设我在web api响应中向用户响应加密的访问令牌,用户使用它来访问Authorization:Bearer头中的api . 让我们假设用户现在有访问令牌“abc” . JwtAuthorizationBearer现在接受令牌未加密的令牌“def” . 但是当用户将加密的访问令牌“abc”发回时,我希望它接受授权承载验证 . 怎么可能呢?
我见过一个函数名OnRequestToken但不确定它是否用于这种情况 .
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { audience },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
},
Provider = new OAuthBearerAuthenticationProvider
{
OnValidateIdentity = context =>
{
if (!string.IsNullOrEmpty(token))
{
var notPadded = token.Split('.')[1];
var padded = notPadded.PadRight(notPadded.Length + (4 - notPadded.Length % 4) % 4, '=');
var urlUnescaped = padded.Replace('-', '+').Replace('_', '/');
var claimsPart = Convert.FromBase64String(urlUnescaped);
var obj = JObject.Parse(Encoding.UTF8.GetString(claimsPart, 0, claimsPart.Length));
// simple, not handling specific types, arrays, etc.
foreach (var prop in obj.Properties().AsJEnumerable())
{
if (!context.Ticket.Identity.HasClaim(prop.Name, prop.Value.Value<string>()))
{
context.Ticket.Identity.AddClaim(new Claim(prop.Name, prop.Value.Value<string>()));
}
}
}
return Task.FromResult<object>(null);
}
}
});