我使用的是 ASP.NET Core 2.1，配置如下：
public void ConfigureServices(IServiceCollection services)
{
    // ASP.NET Core Identity backed by EF Core; a custom claims principal factory
    // controls which claims end up on the signed-in principal.
    services.AddIdentity<User, Role>(options => { })
        .AddEntityFrameworkStores<WebSiteDataContext>()
        .AddClaimsPrincipalFactory<CustomClaimsPrincipalFactory>()
        .AddDefaultTokenProviders();

    // Resources and the single client are defined up front. They are registered
    // with the in-memory stores below, so any change requires a restart.
    var identityResources = new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile()
    };
    var apiResources = new List<ApiResource> { new ApiResource(systemApiName) };

    // One client is allowed three grant types at once: hybrid, client credentials
    // and resource-owner password. The secret is registered as its SHA-256 hash.
    var grantTypes = GrantTypes.HybridAndClientCredentials
        .Concat(GrantTypes.ResourceOwnerPassword)
        .ToList();
    var client = new Client
    {
        ClientId = clientId,
        ClientName = clientName,
        AllowedGrantTypes = grantTypes,
        ClientSecrets = { new Secret(secretKey.Sha256()) },
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            systemApiName
        },
        // Access tokens may be delivered through the browser front channel;
        // worth re-checking before this client is used outside development.
        AllowAccessTokensViaBrowser = true,
        AlwaysSendClientClaims = true,
        AlwaysIncludeUserClaimsInIdToken = true,
        // 24 hours, expressed in seconds.
        AccessTokenLifetime = 3600 * 24
    };

    // AddDeveloperSigningCredential provides a temporary signing key intended for
    // development; persisted grants are likewise held only in memory.
    services.AddIdentityServer()
        .AddDeveloperSigningCredential()
        .AddInMemoryPersistedGrants()
        .AddInMemoryIdentityResources(identityResources)
        .AddInMemoryApiResources(apiResources)
        .AddInMemoryClients(new List<Client> { client })
        .AddAspNetIdentity<User>()
        .AddProfileService<ProfileService>();

    // JWT bearer is the default authenticate scheme. RequireHttpsMetadata = false
    // allows the authority's discovery document to be fetched over plain HTTP,
    // which is only acceptable for local development.
    services.AddAuthentication(options => options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = authorityEndPoint;
            options.ApiName = systemApiName;
            options.RequireHttpsMetadata = false;
            options.NameClaimType = "name";
            options.RoleClaimType = "role";
        });
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery)
{
    // IdentityServer middleware goes first (in IdentityServer4 this also adds the
    // authentication middleware — confirm for the version in use).
    app.UseIdentityServer();

    // Runs for every request (no path filter): generates an antiforgery token pair
    // and exposes the request token in a script-readable cookie (HttpOnly = false)
    // so the client can echo it back in a request header. The token is bound to
    // the identity the antiforgery service sees at this point, so a later request
    // authenticated as a different principal will fail antiforgery validation.
    app.Use(async (context, next) =>
    {
        var tokenSet = antiforgery.GetAndStoreTokens(context);
        var cookieOptions = new CookieOptions { HttpOnly = false };
        context.Response.Cookies.Append("XSRF-TOKEN", tokenSet.RequestToken, cookieOptions);
        await next();
    });
}
并采用了与 https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1 中相同的防伪令牌（antiforgery）验证方式。
但是，当我在 AJAX 请求中附带携带令牌的 “Authorization” 标头发送请求时，出现以下错误：
AntiforgeryValidationException：提供的防伪令牌是为另一个基于声明（claims）的用户颁发的，与当前用户不一致。
如果我去掉 “Authorization” 标头，或者去掉 [ValidateAntiForgeryToken] 特性，就不会出错。