JWT token is not validated even though the Microsoft.Azure.Mobile SDK is used

Posted: 2017-07-12 15:00:34

Tags: asp.net-mvc azure asp.net-web-api owin azure-mobile-services

I am using the Microsoft.Azure.Mobile SDK to implement the server code.

The code in the OWIN startup is as follows:

public void ConfigureAuth(IAppBuilder app)
{
    HttpConfiguration config = new HttpConfiguration();
    new MobileAppConfiguration().ApplyTo(config);
    // Middleware that validates the bearer token on every request: the signing key,
    // audience and issuer here must match the values used when the token was created.
    app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions
    {
        SigningKey = ConfigurationManager.AppSettings["SigningKey"],
        ValidAudiences = new[] { ConfigurationManager.AppSettings["ValidAudience"] },
        ValidIssuers = new[] { ConfigurationManager.AppSettings["ValidIssuer"] },
        TokenHandler = config.GetAppServiceTokenHandler()
    });
    app.UseWebApi(config);
}

The token generation code:

Claim[] claims = new Claim[]
{
    new Claim("sub", "SampleSubject"),
    new Claim("Id", Convert.ToString(Users[0].user_id)),
    new Claim("name", Users[0].name),
    new Claim("surname", Users[0].surname),
    new Claim(ClaimTypes.Role, "user")
};
// Signs an HS256 token with the same key, audience and issuer the middleware validates against;
// the token is valid for 30 days.
var token = AppServiceLoginHandler.CreateToken(
    claims,
    ConfigurationManager.AppSettings["SigningKey"],
    ConfigurationManager.AppSettings["ValidAudience"],
    ConfigurationManager.AppSettings["ValidIssuer"],
    TimeSpan.FromDays(30));
return token.RawData;

A sample JWT token is eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJHcnViZXJBUEkiLCJJZCI6IjMyODkwIiwibmFtZSI6IkRhdmlkZSIsInN1cm5hbWUiOiJCb25ldHRhIiwicm9sZSI6InVzZXIiLCJ2ZXIiOiIzIiwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MjM1MzEvIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MjM1MzIvIiwiZXhwIjoxNTAyNDYyNDQzLCJuYmYiOjE0OTk4NzA0NDN9.b5VhWzvkaEumutPZpLzImcAy4NotXCSgUIqLltVUQWI

The token is valid, as the screenshot below shows. [screenshot: Decrypted JWT Token]

With the following code,

    // GET api/values: protected by the OWIN middleware via [Authorize]
    [Authorize]
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }

    // GET api/values/5: not attributed, the token is validated by hand instead
    public string Get(int id)
    {
        try
        {
            ClaimsPrincipal claims;
            AppServiceTokenHandler s = new AppServiceTokenHandler(new HttpConfiguration());
            // The bool result of TryValidateLoginToken is not inspected here.
            s.TryValidateLoginToken(
                Request.Headers.Authorization.Parameter,
                ConfigurationManager.AppSettings["SigningKey"],
                new[] { ConfigurationManager.AppSettings["ValidAudience"] },
                new[] { ConfigurationManager.AppSettings["ValidIssuer"] },
                out claims);

            // Throws if the token does not validate against the same key, audience and issuer.
            AppServiceTokenHandler.ValidateToken(
                Request.Headers.Authorization.Parameter,
                ConfigurationManager.AppSettings["SigningKey"],
                ConfigurationManager.AppSettings["ValidAudience"],
                ConfigurationManager.AppSettings["ValidIssuer"]);
        }
        catch (Exception)
        {
            throw;
        }

        return "value";
    }
the '/Get' request fails with HTTP 401. But for the same JWT token, 'Get/5' returns HTTP 200 (validating the token manually).

The problem is that when I use the Authorize attribute, the API returns 401.
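As an added example (not code from the question or from the SDK), the following stand-alone Python check reproduces the four things the ConfigureAuth options supply, signing key, issuer, audience and lifetime, and reports which of them fails for a given token; run against the token above it shows its claims and, since the real SigningKey is not on the page, a signature failure under a placeholder key. The key bytes, the constructed claims and the fixed timestamps are assumptions; the page does not show how the SDK turns the SigningKey setting into key bytes.

```python
import base64
import hashlib
import hmac
import json

# Token quoted in the question (its signing key is not on the page, so only its claims are inspectable).
PAGE_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJHcnViZXJBUEkiLCJJZCI6IjMyODkwIiwibmFtZSI6IkRhdmlkZSIsInN1cm5hbWUiOiJCb25ldHRhIiwicm9sZSI6InVzZXIiLCJ2ZXIiOiIzIiwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MjM1MzEvIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MjM1MzIvIiwiZXhwIjoxNTAyNDYyNDQzLCJuYmYiOjE0OTk4NzA0NDN9.b5VhWzvkaEumutPZpLzImcAy4NotXCSgUIqLltVUQWI"
ISSUER = "https://localhost:23531/"    # values the sample token carries; ValidIssuer and
AUDIENCE = "https://localhost:23532/"  # ValidAudience must equal them exactly, trailing slash included

def b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_claims(token: str) -> dict:
    # Claims only: nothing here is trustworthy until check_token() has verified the signature.
    return json.loads(b64url_decode(token.split(".")[1]))

def check_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> list:
    """Return the names of the checks that fail (an empty list means the token would be accepted)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header, claims = json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))
    failures = []
    if header.get("alg") != "HS256":                       # the SDK issues HMAC-SHA256 tokens
        failures.append("alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        failures.append("signature")                       # wrong SigningKey, or token tampered with
    if claims.get("iss") != issuer:                        # exact string match, no normalisation
        failures.append("iss")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        failures.append("aud")
    if now >= claims.get("exp", 0):                        # expired (or no exp at all)
        failures.append("exp")
    if now < claims.get("nbf", 0):                         # not yet valid
        failures.append("nbf")
    return failures

def mint_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 token, used only to show the accepting path with a key we do know.
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

Calling check_token(PAGE_TOKEN, b"placeholder-not-the-real-key", ISSUER, AUDIENCE, 1500000000) returns ["signature"] only; passing ISSUER without its trailing slash adds "iss", which is the kind of mismatch between app settings and token claims that makes the middleware answer 401 while a hand-written check with different inputs may still pass.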

1 Answer:

Answer 0 (score: 0)

Based on your description, I checked this issue on my side.

[screenshot]

[screenshot]

Accessing the protected Web API

[screenshot]

In summary, you can refer to the screenshots above and check your API endpoint. You can also refer to AppServiceTokenHandler.cs and HmacSigningCredentials.cs to implement a custom TokenHandler to solve this issue. In addition, you can refer to Adrian Hall's book on Custom Authentication.