3

I am using asp.net core with openiddict , for authorization i am using jwtmiddleware

 app.UseJwtBearerAuthentication(new JwtBearerOptions
            {
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
               RequireHttpsMetadata = false,
               Authority= "http://localhost"
            });

but for some reason its throwing this error, any help will be appreciated.

info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[7] Bearer was not authenticated. Failure message: IDX10501: Signature validat ion failed. Unable to match 'kid': '7FG4SQ4TIATESTLI-ZDHTLRYPWIEDU_RA1FVG91D', token: '{"alg":"RS256","typ":"JWT","kid":"7FG4SQ4TIATESTLI-ZDHTLRYPWIEDU_RA1FVG9 1D"}.{"unique_name":"asd","email":"asd","AspNet.Identity.SecurityStamp":"eb93ee4 4-6dbf-41b8-b1d6-157e4aa23ea7","jti":"4f0f5395-e565-4489-8baf-6361d5c4cb94","usa ge":"access_token","confidential":true,"scope":["offline_access","profile","emai l","roles"],"sub":"9125d8c5-5739-4f46-8747-e3423a464969","azp":"firebaseApp","nb f":1466997962,"exp":1466999762,"iat":1466997962,"iss":"http://localhost:5000/"}' . warn: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1] Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.A uthorization.AuthorizeFilter'. warn: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1] Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.A uthorization.AuthorizeFilter'.

4

2 回答 2

2

  1. 权限应该包含您的 OIDC 服务器的基地址。您应该使用端口指定授权 URL(在您的情况下为 5000,对应于令牌信息中的“iss”声明):

    Authority="http://localhost:5000"

  2. 您可以通过设置禁用授权验证ValidateIssuerSigningKey = false。JwtBearerOptions 包含属性 TokenValidationParameters,聚合有关验证的设置:

    app.UseJwtBearerAuthentication(new JwtBearerOptions
    {
        ...
        TokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = false}
    }
于 2016-06-27T06:18:57.363 回答
2

如果您使用的是第三方 STS(例如不是 identityserver 或 Auth0),那么您可以使用 BackChannelHandler 来更轻松地从中间件调试 http 结果:

app.UseJwtBearerAuthentication(new JwtBearerOptions() {
    ...
    BackchannelHttpHandler = new BackChannelHandler()
    ...
}

然后

using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

namespace Application.API.Utilities
{
    public class BackChannelHandler : HttpMessageHandler
    {
        protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            HttpClient client = new HttpClient(new HttpClientHandler(), disposeHandler: false);
            client.DefaultRequestHeaders.Add("Accept", "application/json");
            var res = await client.GetAsync(request.RequestUri);
            return res;
        }
    }   
}

在我的例子中,jwks 和 openid-configuration 端点的默认返回类型是 text/html 而不是 application/json。通过在从自定义处理程序发出请求时添加 Accept 标头,一切正常。

于 2017-06-29T15:27:24.433 回答