我有一种情况,我必须在javascript应用程序中手动创建JWT,所以我在这里使用了代码
create html <audio> element from Tone.js object
在我的asp.net核心中,我有一个简单的值控制器,其功能装饰有Authorize
[Authorize]
[Route("GetValues")]
[HttpGet]
public IEnumerable<string> GetValues()
{
return new string[] { "value1", "value2" };
}
在我的startup.cs中,我有
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(x =>
{
x.RequireHttpsMetadata = false;
x.SaveToken = false;
x.TokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("My very confidential secret!!!")),
ValidateIssuerSigningKey = true,
ValidateLifetime = false, //set this to true when a reasonable lifetime has been determined based on jwt generation
ValidateIssuer = false,
ValidateAudience = false
};
});
services.AddControllers();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseAuthentication();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
如您所见,我在令牌中使用了相同的机密并试图在asp.net核心中进行验证,但是当我使用Post man调用https://codepen.io/jpetitcolas/pen/zxGxKN且授权密钥设置为“ Bearer”时,我得到了 401-未经授权。我想念什么吗?
任何想法我在这里可能做错了什么。
更新
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// services.AddAuthorization();
services.AddControllers();
// var hmac = new HMACSHA256(System.Text.Encoding.ASCII.GetBytes("My very confidential secret!!!"));
// var symKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(hmac.Key);
var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("My very confidential secret!!!"));
var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256Signature);
services.AddAuthentication(opt =>
{
opt.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.RequireHttpsMetadata = false;
options.SaveToken = true;
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuerSigningKey = true,
ClockSkew = System.TimeSpan.Zero,
IssuerSigningKey = signinCredentials.Key
};
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
// app.UseMiddleware<AuthenticationMiddleware>();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
// ...
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication(); // this one first
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
更新2
即使我将ValidateIssuerSigningKey设置为false,也意味着我什至不想验证密钥,否则我将获得401 Unauthorized。
要重新创建,我们只需创建一个带有示例值控制器的空白.net核心api项目,然后复制粘贴我的Startup.cs,然后复制https://localhost:44364/GetValues中的不记名令牌即可
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MTMzNywidXNlcm5hbWUiiiqqb2huLmRvZSJ9.EvTdOJS-fbffGHLyND3BMDwWE22ZEUBLsp>
最后要像这样使用邮递员
答案 0 :(得分:0)
您没有使用相同的签名密钥,在js小提琴中,您有一个String作为密钥,并且在验证中,您期望使用对称密钥。
在js中,您有以下一行,其中秘密是您的签名密钥:
签名= CryptoJS.HmacSHA256(签名,秘密);
使用秘密作为签名密钥可以解决此问题。