我有一个场景,其中有许多单独的客户端通过JWT令牌连接。
P.S。每个客户都有不同的秘密
我可以基于每个应用程序执行此操作
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AllowedAudiences = new[] { audience },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
},
Provider = new CookieOAuthBearerProvider("authCookie")
});
但是这种方法不适用于每个请求......
答案 0 :(得分:1)
这是我们目前使用的(连接到AzureAD)的片段。
您需要实现GetSigningCertificates,返回IEnumerable<X509SecurityToken>以验证JWT是否已正确签名。
internal static ClaimsPrincipal GetClaimPrincipalFromToken(string jwtSecurityHeader)
{
var jwtSecurityHandler = new JwtSecurityTokenHandler();
var signingCertificates = GetSigningCertificates(ConfigHelper.FederationMetadataDocument);
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidAudience = ConfigHelper.AppIdURI,
ValidIssuer = ConfigHelper.Issuer,
LifetimeValidator =
(before, expires, token, parameters) =>
{
//Don't allow not-yet-active tokens
if (before.HasValue && before.Value > DateTime.Now)
return false;
//If expiration has a date, add 2 days to it
if (expires.HasValue)
return expires.Value.AddDays(2) > DateTime.Now;
//Otherwise the token is valid
return true;
},
ValidateLifetime = true,
IssuerSigningTokens = signingCertificates,
};
var headerParts = jwtSecurityHeader.Split(' ');
if (headerParts.Length != 2 || headerParts[0] != "Bearer")
throw new AuthorizationException(HttpStatusCode.Forbidden, "Invalid token type");
var jwtSecurityToken = headerParts[1];
SecurityToken jwtToken;
var claimsPrincipal = jwtSecurityHandler.ValidateToken(jwtSecurityToken, tokenValidationParameters, out jwtToken);
return claimsPrincipal;
}
您需要为您的应用程序稍微调整一下,但这应该可以帮助您完成大部分工作。请注意,此代码正在解析{HeaderType} {Token}格式(例如Bearer {token})。如果您正在简化解析{Token},则需要删除.Split(' ')