我有一个ASP.NET Core 3.1网站,该网站使用Identity进行实际的面向客户的网站上的身份验证。它还有一个我想通过JWT保护的API后端,以供外部用户访问。
但是,同时使用两个身份验证系统会导致问题。将默认身份验证方案设置为IdentityConstants.ApplicationScheme
(或为空)会导致JWT通过通过Identity方案路由API调用而使身份验证失败。同样,将方案设置为JwtBearerDefaults.AuthenticationScheme
会导致主站点通过JWT方案路由呼叫而失败。
如何将两者分开,以便通过“ / api”路由的任何内容都使用JWT方案,而所有其他调用均由默认的Identity方案处理?
到目前为止,这是设置的一部分: startup.cs
public void ConfigureServices(IServiceCollection services)
{
...
services.AddDefaultIdentity<IdentityUser>(options => {
options.SignIn.RequireConfirmedAccount = true;
options.SignIn.RequireConfirmedEmail = false;
options.Password.RequireDigit = true;
options.Password.RequiredLength = 8;
options.Password.RequireLowercase = true;
options.Password.RequireUppercase = true;
options.Password.RequireNonAlphanumeric = true;
options.Lockout.MaxFailedAccessAttempts = 5;
options.User.RequireUniqueEmail = true;
}).AddEntityFrameworkStores<ApplicationDbContext>();
...
services.AddAuthentication(x =>
{
// ** Playing with these settings **
//x.DefaultScheme = IdentityConstants.ApplicationScheme;
////x.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
////x.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
//x.DefaultForbidScheme = JwtBearerDefaults.AuthenticationScheme;
//x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
//x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(x =>
{
x.RequireHttpsMetadata = true;
x.SaveToken = true;
x.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = false,
IssuerSigningKey = new SymmetricSecurityKey(_SecretKey),
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
};
x.IncludeErrorDetails = true;
});
任何想法都将受到欢迎。我希望不必为API函数求助于纯文本许可证密钥。