19

我试图让一个简单的端点工作,使用 AspNew.Security.OpenIdConnect.Server 发布和使用 JWT 令牌来发布令牌并使用 Microsoft.AspNetCore.Authentication.JwtBearer 进行验证。

我可以很好地生成令牌,但尝试验证令牌失败并出现错误Bearer was not authenticated. Failure message: No SecurityTokenValidator available for token: {token}

在这一点上,我已经剥离了所有内容并拥有以下内容:

项目.json

{
  "dependencies": {
    "Microsoft.AspNetCore.Mvc": "1.0.0-rc2-final",
    "Microsoft.AspNetCore.Server.IISIntegration": "1.0.0-rc2-final",
    "Microsoft.AspNetCore.Server.Kestrel": "1.0.0-rc2-final",
    "Microsoft.Extensions.Configuration.EnvironmentVariables": "1.0.0-rc2-final",
    "Microsoft.Extensions.Configuration.FileExtensions": "1.0.0-rc2-final",
    "Microsoft.Extensions.Configuration.Json": "1.0.0-rc2-final",
    "Microsoft.Extensions.Logging": "1.0.0-rc2-final",
    "Microsoft.Extensions.Logging.Console": "1.0.0-rc2-final",
    "Microsoft.Extensions.Logging.Debug": "1.0.0-rc2-final",
    "AspNet.Security.OAuth.Validation": "1.0.0-alpha1-final",
    "AspNet.Security.OpenIdConnect.Server": "1.0.0-beta5-final",
    "Microsoft.AspNetCore.Authentication": "1.0.0-rc2-final",
    "Microsoft.AspNetCore.Authentication.JwtBearer": "1.0.0-rc2-final"
  },

  "tools": {
    "Microsoft.AspNetCore.Server.IISIntegration.Tools": {
      "version": "1.0.0-preview1-final",
      "imports": "portable-net45+win8+dnxcore50"
    }
  },

  "frameworks": {
    "net461": { }
  },

  "buildOptions": {
    "emitEntryPoint": true,
    "preserveCompilationContext": true
  },

  "publishOptions": {
    "include": [
      "wwwroot",
      "Views",
      "appsettings.json",
      "web.config"
    ]
  },

  "scripts": {
    "postpublish": [ "dotnet publish-iis --publish-folder %publish:OutputPath% --framework %publish:FullTargetFramework%" ]
  }
}

Startup.cs 方法:

// This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthorization(options =>
                {
                    options.AddPolicy(JwtBearerDefaults.AuthenticationScheme,
                        builder =>
                        {
                            builder.
                            AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme).
                            RequireAuthenticatedUser().
                            Build();
                        }
                    );
                }
            );

            services.AddAuthentication();
            services.AddDistributedMemoryCache();
            services.AddMvc();
            services.AddOptions();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            loggerFactory.AddConsole(Configuration.GetSection("Logging"));
            loggerFactory.AddDebug();

            var jwtOptions = new JwtBearerOptions()
            {
                AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
                AutomaticAuthenticate = true,
                Authority = "http://localhost:5000/",
                Audience = "http://localhost:5000/",
                RequireHttpsMetadata = false
            };

            jwtOptions.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>
                (
                    metadataAddress: jwtOptions.Authority + ".well-known/openid-configuration",
                    configRetriever: new OpenIdConnectConfigurationRetriever(),
                    docRetriever: new HttpDocumentRetriever { RequireHttps = false }
                );


            app.UseJwtBearerAuthentication(jwtOptions);

            app.UseOpenIdConnectServer(options =>
            {
                options.AllowInsecureHttp = true;
                options.AuthorizationEndpointPath = Microsoft.AspNetCore.Http.PathString.Empty;
                options.Provider = new OpenIdConnectServerProvider
                {
                    OnValidateTokenRequest = context =>
                    {
                        context.Skip();
                        return Task.FromResult(0);
                    },

                    OnGrantResourceOwnerCredentials = context =>
                    {
                        var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
                        identity.AddClaim(ClaimTypes.NameIdentifier, "[unique id]");

                        identity.AddClaim("urn:customclaim", "value", OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken);

                        var ticket = new AuthenticationTicket(
                            new ClaimsPrincipal(identity),
                            new Microsoft.AspNetCore.Http.Authentication.AuthenticationProperties(),
                            context.Options.AuthenticationScheme);

                        ticket.SetScopes("profile", "offline_access");

                        context.Validate(ticket);

                        return Task.FromResult(0);
                    }
                };
            });            

            app.UseMvc();
        }

使用 grant_type=password、username=foo、password=bar将 x-url 编码的 POST 发送到http://localhost:5000会生成预期的 access_token。

我已将该[Authorize("Bearer")]属性添加到 ValuesController 中,这在调用 JwtBearerMiddlewear 时按预期工作,但我无法获取要验证的令牌。

有没有人在.net core RC2 上工作过?我在 RC1 上也有同样的工作,但一直无法做到这一点。

谢谢。

4

2 回答 2

14

从 beta5(针对 ASP.NET Core RC2)开始,OpenID Connect 服务器中间件不再使用 JWT 作为访问令牌的默认格式。相反,它使用不透明的令牌,由坚如磐石的 ASP.NET Core 数据保护堆栈加密(就像身份验证 cookie)。

您有 3 个选项来修复您看到的错误:

  • 使用为支持不透明令牌而开发的新 OAuth2 验证中间件(推荐选项,如果您的 API 和授权服务器属于同一应用程序)。为此,请保留AspNet.Security.OAuth.Validation您的参考资料project.json并替换app.UseJwtBearerAuthentication(...)app.UseOAuthValidation(). 您也可以Microsoft.AspNetCore.Authentication.JwtBearerproject.json.
  • options.AccessTokenHandler = new JwtSecurityTokenHandler();通过调用选项强制 OpenID Connect 服务器中间件使用 JWT 令牌。请注意,您还必须调用ticket.SetResources(...)以使用 JWT 令牌附加适当的受众(有关更多信息,请参阅此其他SO 帖子)。
  • 使用新的自省中间件。此选项更复杂,需要实现ValidateIntrospectionRequest事件以验证客户端凭据。仅当您知道自己在做什么时才使用它。
于 2016-05-19T23:49:35.037 回答
0

旁注如果有人有同样的错误(没有 SecurityTokenValidator 可用于 token):

仔细检查客户端发送的身份验证标头是否确实格式正确:

Authorize: Bearer [ey....]

No SecurityTokenValidator available for token 错误表示没有为请求中找到的授权标头格式注册处理程序。例如,如果收到的请求包含标头值“Bearer Bearer ey82383...”,或者“Bearer”关键字被省略或拼写错误,则会出现此错误。

于 2021-06-21T18:09:15.350 回答