Not authorized using JWT?

Question

I am trying to make a HelloWorld-ish identity server.
I am trying to get the service to generate JWT tokens and use them to authenticate users, as well as configure policies to authorize users.

I am already capable to generate tokens, but I keep getting an Unauthorized response when reaching for an endpoint that has the [Authorize] attribute.

> DISCLAIMER:
> The following secrets and tokens below are dummy generated. You should never share (or even worse, post in an internet forum) any secrets or JWTs or sensitive data. I am doing it because this app won't even reach production. (I am doing it for learning purposes).

Program.cs

...
// Authorization
builder.Services
	.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
	.AddJwtBearer(options =>
	{
		options.RequireHttpsMetadata = false;
		options.TokenValidationParameters = new TokenValidationParameters
		{
			IssuerSigningKey = new SymmetricSecurityKey(
				Encoding.ASCII.GetBytes("26837a75-3199-4e7d-8c31-2c3f53f42e83")),
			ValidateIssuer = false,
			ValidateAudience = false,
			ValidateLifetime = false,
			ValidateIssuerSigningKey = false,
			ValidateActor = false,
			ValidateSignatureLast = false,
			ValidateTokenReplay = false,
			ValidateWithLKG = false
		};
	});

// HTTP request pipeline
var app = builder.Build();
if (app.Environment.IsDevelopment())
{
	app.UseSwagger();
	app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthorization();
app.UseAuthentication();
app.MapControllers();
app.MapHealthChecks("/healthz");
app.Run();

My token factory (I omit putting the entire controller because this already generates the bearer token):

	public string CreateToken(MetaToken metaToken)
	{
		var tokenDuration = GetTokenDuration(metaToken);
		var expiresAt = DateTime.UtcNow.Add(tokenDuration);
		var tokenDescriptor = new SecurityTokenDescriptor
		{
			// The handler writes exp/nbf/iat as epoch seconds from these properties;
			// adding them as claims built from DateTime.Ticks produces invalid values.
			Expires = expiresAt,
			NotBefore = DateTime.UtcNow,
			IssuedAt = metaToken.CreatedAt,
			Subject = new ClaimsIdentity(new Claim[]
			{
				new Claim(JwtRegisteredClaimNames.Jti, metaToken.Id.ToString())
			})
		};
		return CreateTokenInternal(tokenDescriptor);
	}

	private string CreateTokenInternal(SecurityTokenDescriptor tokenDescriptor)
	{
		// Setup signing credentials (HS256 with a symmetric key)
		var secretBytes = Encoding.ASCII.GetBytes("26837a75-3199-4e7d-8c31-2c3f53f42e83");
		var key = new SymmetricSecurityKey(secretBytes);
		var algorithm = SecurityAlgorithms.HmacSha256Signature;
		tokenDescriptor.SigningCredentials = new SigningCredentials(key, algorithm);

		// Create the token and serialize it to its compact form
		var tokenHandler = new JwtSecurityTokenHandler();
		var token = tokenHandler.CreateToken(tokenDescriptor);
		return tokenHandler.WriteToken(token);
	}

Answer 1

Score: 0

You need to order your middlewares in the right way; currently the Authorization middleware runs before Authentication, so it couldn't find the appropriate claims. Make it like this:

// first validate token and retrieve the claims 
app.UseAuthentication();

// will use the claims that retrieved in the authentication step
app.UseAuthorization();
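As an added example (not the asker's or answerer's code), here is a minimal Program.cs that applies the ordering from this answer end to end: it issues an HS256 token and protects an endpoint with it. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package and a configuration entry named "Jwt:Key" (a placeholder name) holding a secret of at least 32 bytes; it also keeps lifetime validation on, which the question's configuration turned off.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
// Signing key read from configuration (assumed key name "Jwt:Key"), not hard-coded.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(
    builder.Configuration["Jwt:Key"]
    ?? throw new InvalidOperationException("Jwt:Key is not configured")));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            IssuerSigningKey = key,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,   // reject expired or not-yet-valid tokens
            ValidateIssuer = false,    // no issuer or audience used in this sample
            ValidateAudience = false
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();

// Authentication first: validates the bearer token and populates HttpContext.User.
// Authorization second: checks [Authorize] / RequireAuthorization against that user.
app.UseAuthentication();
app.UseAuthorization();

// Issues a 15-minute HS256 token; the handler writes exp/nbf/iat as epoch seconds.
app.MapPost("/token", (string user) =>
{
    var handler = new JwtSecurityTokenHandler();
    var token = handler.CreateToken(new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(new[] { new Claim(JwtRegisteredClaimNames.Sub, user) }),
        Expires = DateTime.UtcNow.AddMinutes(15),
        SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
    });
    return Results.Ok(new { access_token = handler.WriteToken(token) });
});
// 401 without a valid token; "sub" is mapped to NameIdentifier by the default claim map.
app.MapGet("/secure", (ClaimsPrincipal me) =>
    $"hello {me.FindFirst(ClaimTypes.NameIdentifier)?.Value}").RequireAuthorization();
app.Run();
```

With the two Use* calls swapped back to the question's order, the same request to /secure returns 401 even with a freshly issued token, because the principal is still anonymous when authorization runs.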

huangapple
  • Posted on 2023-05-22 08:47:05
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76302479.html