在我的解决方案中,我有两个项目。 1)Web API和2)MVC。我正在使用ASP.NET Core。 API问题JWT令牌和MVC使用它来获取受保护的资源。我正在使用openiddict库来发布JWT。在MVC项目中,在AccountController Login方法中,我想检索ClaimsPrincipal(使用JwtSecurityTokenHandler ValidateToken方法)并分配给HttpContext.User.Claims和HttpContext.User.Identity。我想在会话中存储令牌,并在成功登录后为每个请求存储令牌,将其传递到Web API。我可以成功发出JWT并在MVC项目中使用它,但是当我尝试检索ClaimsPrincipal时它会抛出一个错误。首先,我甚至不确定从JWT检索ClaimsPrinciapal是否是正确的方法。如果是的话,前进的方向是什么。
WebAPI.Startup.CS
public class Startup
{
public static string SecretKey => "MySecretKey";
public static SymmetricSecurityKey SigningKey => new SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecretKey));
public Startup(IHostingEnvironment env)
{
var builder = new ConfigurationBuilder()
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
.AddEnvironmentVariables();
Configuration = builder.Build();
}
public IContainer ApplicationContainer { get; private set; }
public IConfigurationRoot Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public IServiceProvider ConfigureServices(IServiceCollection services)
{
// Add framework services.
services.AddCors();
services.AddMvc().AddJsonOptions(options => { options.SerializerSettings.ContractResolver = new Newtonsoft.Json.Serialization.DefaultContractResolver(); });
services.AddAutoMapper();
services.AddDbContext<MyDbContext>(options =>
{
options.UseMySql(Configuration.GetConnectionString("MyDbContext"));
options.UseOpenIddict();
});
services.AddOpenIddict(options =>
{
options.AddEntityFrameworkCoreStores<TelescopeContext>();
options.AddMvcBinders();
options.EnableTokenEndpoint("/Authorization/Token");
options.AllowPasswordFlow();
options.AllowRefreshTokenFlow();
options.DisableHttpsRequirement();
options.UseJsonWebTokens();
options.AddEphemeralSigningKey();
options.SetAccessTokenLifetime(TimeSpan.FromMinutes(30));
});
var config = new MapperConfiguration(cfg => { cfg.AddProfile(new MappingProfile()); });
services.AddSingleton(sp => config.CreateMapper());
// Create the Autofac container builder.
var builder = new ContainerBuilder();
// Add any Autofac modules or registrations.
builder.RegisterModule(new AutofacModule());
// Populate the services.
builder.Populate(services);
// Build the container.
var container = builder.Build();
// Create and return the service provider.
return container.Resolve<IServiceProvider>();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IApplicationLifetime applicationLifetime)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseCors(builder => builder.WithOrigins("http://localhost:9001/")
.AllowAnyOrigin());
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = "http://localhost:9001/",
AutomaticAuthenticate = true,
AutomaticChallenge = true,
Audience = "http://localhost:9000/",
RequireHttpsMetadata = false,
TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
ValidIssuer = "http://localhost:9001/",
ValidateAudience = true,
ValidAudience = "http://localhost:9000",
ValidateLifetime = true,
IssuerSigningKey = SigningKey
}
});
app.UseOpenIddict();
app.UseMvcWithDefaultRoute();
applicationLifetime.ApplicationStopped.Register(() => this.ApplicationContainer.Dispose());
}
}
发布JWT的WebAPI.AuthorizationController.cs。
[Route("[controller]")]
public class AuthorizationController : Controller
{
private IUsersService UserService { get; set; }
public AuthorizationController(IUsersService userService)
{
UserService = userService;
}
[HttpPost("Token"), Produces("application/json")]
public async Task<IActionResult> Exchange(OpenIdConnectRequest request)
{
if (request.IsPasswordGrantType())
{
if (await UserService.AuthenticateUserAsync(new ViewModels.AuthenticateUserVm() { UserName = request.Username, Password = request.Password }) == false)
return Forbid(OpenIdConnectServerDefaults.AuthenticationScheme);
var user = await UserService.FindByNameAsync(request.Username);
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme, OpenIdConnectConstants.Claims.Name, null);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, user.UserId.ToString(), OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Username, user.UserName, OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Email, user.EmailAddress, OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.GivenName, user.FirstName, OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.MiddleName, user.MiddleName, OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.FamilyName, user.LastName, OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.EmailVerified, user.IsEmailConfirmed.ToString(), OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Audience, "http://localhost:9000", OpenIdConnectConstants.Destinations.AccessToken);
var principal = new ClaimsPrincipal(identity);
return SignIn(principal, OpenIdConnectServerDefaults.AuthenticationScheme);
}
throw new InvalidOperationException("The specified grant type is not supported.");
}
}
MVC.AccountController.cs包含Login,GetTokenAsync方法。
public class AccountController : Controller
{
public static string SecretKey => "MySecretKey";
public static SymmetricSecurityKey SigningKey => new SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecretKey));
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginVm vm, string returnUrl = null)
{
ViewData["ReturnUrl"] = returnUrl;
if (ModelState.IsValid)
{
var token = await GetTokenAsync(vm);
SecurityToken validatedToken = null;
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
ValidIssuer = "http://localhost:9001/",
ValidateAudience = true,
ValidAudience = "http://localhost:9000",
ValidateLifetime = true,
IssuerSigningKey = SigningKey
};
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
try
{
ClaimsPrincipal principal = handler.ValidateToken(token.AccessToken, validationParameters, out validatedToken);
}
catch (Exception e)
{
throw;
}
}
return View(vm);
}
private async Task<TokenVm> GetTokenAsync(LoginVm vm)
{
using (var client = new HttpClient())
{
var request = new HttpRequestMessage(HttpMethod.Post, $"http://localhost:9001/Authorization/Token");
request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
{
["grant_type"] = "password",
["username"] = vm.EmailAddress,
["password"] = vm.Password
});
var response = await client.SendAsync(request, HttpCompletionOption.ResponseContentRead);
response.EnsureSuccessStatusCode();
var payload = await response.Content.ReadAsStringAsync();
//if (payload["error"] != null)
// throw new Exception("An error occurred while retriving an access tocken.");
return JsonConvert.DeserializeObject<TokenVm>(payload);
}
}
}
我得到的错误:&#34; IDX10501:签名验证失败。无法匹配&#39;:&#39; 0-AY7TPAUE2-ZVLUVQMMUJFJ54IMIB70E-XUSYIB&#39;,\ ntoken:&#39; {\&#34; alg \&#34;:\&# 34; RS256 \&#34; \&#34;典型值\&#34;:\&#34; JWT \&#34; \&#34;小子\&#34;:\&#34; 0-AY7TPAUE2-ZVLUVQMMUJFJ54IMIB70E-XUSYIB \&#34;} {\&#34;子\&#34;:\&#34; 10 \&#34; \&#34;用户名\&#34; :\&#34; ...
答案 0 :(得分:7)
请参阅此线程,因为我正在寻找完全相同的东西(尽管不是例外),并且接受的答案确实有助于 OP,但是,它对我没有帮助:如何从JWT 令牌。
经过一些研究和挖掘,我找到了一种手动完成的方法(这是我的情况,我必须在特定情况下手动完成)。
为此,首先,使用 ClaimsPrincipal 类解析令牌:
JwtSecurityTokenHandler之后,您只需创建一个新的 ClaimsPrincipal :
var token = new JwtSecurityTokenHandler().ReadJwtToken(n.TokenEndpointResponse.AccessToken);
在我的特定情况下,我只需要更新我已经通过身份验证的用户的声明,所以我使用以下代码:
var identity = new ClaimsPrincipal(new ClaimsIdentity(token.Claims));
希望有一天,如果关注标题的答案,它会对某人有所帮助。
答案 1 :(得分:2)
首先,我甚至不确定从JWT检索ClaimsPrinciapal是否是正确的方法。
这可能不是我个人使用的方法。相反,我只是依靠JWT中间件从我的访问令牌中提取ClaimsPrincipal(不需要手动使用JwtSecurityTokenHandler)。
IdentityModel引发的异常实际上是由一个非常简单的根本原因引起的:您已配置OpenIddict以使用短暂的RSA非对称签名密钥(通过AddEphemeralSigningKey())并注册对称签名密钥< / J>在JWT承载选项中,这种情况显然不起作用。
您有两种方法可以解决这个问题:
使用AddSigningKey(SigningKey)在OpenIddict选项中注册对称签名密钥,以便OpenIddict可以使用它。
使用非对称签名密钥(通过在生产中调用AddEphemeralSigningKey()或AddSigningCertificate() / AddSigningKey())并让JWT承载中间件使用它而不是对称签名密钥。为此,请删除整个TokenValidationParameters配置,以允许IdentityModel从OpenIddict的发现端点下载公共签名密钥。