在ajax请求上出现400错误。与当前用户不同的基于声明的用户的反伪造令牌

Question

我使用ASP.NET CORE 2.1

配置：

public void ConfigureServices(IServiceCollection services)
{
    services.AddIdentity<User, Role>(options =>
    {
    })
    .AddEntityFrameworkStores<WebSiteDataContext>()
    .AddClaimsPrincipalFactory<CustomClaimsPrincipalFactory>()
    .AddDefaultTokenProviders();

   services.AddIdentityServer()
        .AddDeveloperSigningCredential() 
        .AddInMemoryPersistedGrants()
        .AddInMemoryIdentityResources(
            new List<IdentityResource>
            {
                   new IdentityResources.OpenId(),
                   new IdentityResources.Profile()
            })
        .AddInMemoryApiResources(new List<ApiResource> { new ApiResource(systemApiName) })
        .AddInMemoryClients(
            new List<Client>
            {
                   new Client
                   {
                       ClientId = clientId,                                           
                       ClientName = clientName,                                     
                       AllowedGrantTypes = GrantTypes.HybridAndClientCredentials
                           .Concat(GrantTypes.ResourceOwnerPassword).ToList(), 
                       ClientSecrets = { new Secret(secretKey.Sha256()) },                       
                       AllowedScopes =
                       {
                           IdentityServerConstants.StandardScopes.OpenId,
                           IdentityServerConstants.StandardScopes.Profile,
                           systemApiName
                       },
                       AllowAccessTokensViaBrowser = true,
                       AlwaysSendClientClaims = true,
                       AlwaysIncludeUserClaimsInIdToken = true,
                       AccessTokenLifetime = 3600 * 24          
                   }
            }
        )
        .AddAspNetIdentity<User>()            
        .AddProfileService<ProfileService>();

    services.AddAuthentication(options => options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = authorityEndPoint;
            options.ApiName = systemApiName;
            options.RequireHttpsMetadata = false;
            options.NameClaimType = "name";
            options.RoleClaimType = "role";
        });
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery)
{
    app.UseIdentityServer();
    app.Use(next => ctx =>
    {
        var tokens = antiforgery.GetAndStoreTokens(ctx);
        ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
            new CookieOptions() { HttpOnly = false });
        return next(ctx);
    });
}

并使用与https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1中相同的防伪令牌验证

但是当我在ajax请求中发送带有令牌的标头“ Authorization”时，出现错误

AntiforgeryValidationException：提供的反伪造令牌是针对与当前用户不同的基于声明的用户

如果我删除标题“ Authorization”或属性[ValidateAntiForgeryToken]，则没有错误。