我已按照this tutorial中的步骤向我的Web-API添加了令牌(jwt)验证。但是,当我现在尝试将Asp.Net Identity添加到我的应用程序时,它会以某种方式跳过令牌验证。
令牌生成仍然正常。
我尝试访问的API控制器操作如下所示:
// GET api/users/5
[HttpGet("{id}")]
[Authorize]
public User Get(int id)
{
return _userService.FindById(id);
}
在我的OWIN启动文件中添加标识后,“Authorize”属性似乎没有任何区别,如下所示:
var secretKey = "secret";
var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey));
var audience = "aud";
var issuer = "iss";
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
ValidateIssuer = true,
ValidIssuer = issuer,
ValidateAudience = true,
ValidAudience = audience,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
};
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
TokenValidationParameters = tokenValidationParameters
});
app.UseStaticFiles();
app.UseIdentity(); // When adding this the token-validation above seems to stop working...
var options = new TokenProviderOptions
{
Audience = audience,
Issuer = issuer,
SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256)
};
app.UseMiddleware<TokenProviderMiddleware>(Options.Create(options));
app.UseMvc();
我尝试将身份中间件移到JwtBearerAuth之上,没有运气。
似乎总是跳过验证我的令牌,即使我遗漏了令牌,我也能够实现该操作,但是当我删除Identity中间件时,令牌验证又开始工作了。