在.Net Core 3.1中使用两个JwtBearer进行身份验证时,未为第二个JwtBearer设置ClaimsPrincipal声明和身份

时间:2020-10-27 11:34:52

标签: c# api .net-core jwt

我们使用以下配置:

// Two JWT bearer handlers are registered: the default scheme (JwtBearerDefaults.AuthenticationScheme, i.e. "Bearer")
// and a second one registered under the explicit name "ClientPortal" further down. Each handler trusts a different
// Cognito issuer/client, read from the "Cognito:InterimPortal*" and "Cognito:ClientPortal*" configuration keys.
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    // NOTE(review): allows the Authority's discovery/JWKS documents to be fetched over plain HTTP;
                    // keep this true outside local development so metadata cannot be tampered with in transit.
                    options.RequireHttpsMetadata = false;
                    options.BackchannelTimeout = TimeSpan.FromMinutes(5);
                    // Keeps the raw bearer token in the AuthenticationProperties of the resulting ticket.
                    options.SaveToken = true;
                    options.Audience = Configuration["Cognito:InterimPortalClientId"];
                    options.Authority = Configuration["Cognito:InterimPortalAuthUrl"];
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        // Resolves the signing keys for every token that is validated.
                        // NOTE(review): Authority is already set above, so the handler's own metadata retrieval
                        // (which caches) would normally supply the signing keys; confirm this custom resolver is still needed.
                        IssuerSigningKeyResolver = (s, securityToken, identifier, parameters) =>
                        {
                            // Download the JsonWebKeySet from the issuer's well-known endpoint.
                            // NOTE(review): a new, undisposed WebClient is created and a synchronous HTTP request is made
                            // on every validation — there is no caching of the key set. The URL is built by plain string
                            // concatenation, so a trailing slash in the configured issuer would produce "//.well-known".
                            var json = new WebClient().DownloadString(parameters.ValidIssuer + "/.well-known/jwks.json");
                            // Deserialize the JWKS document and take its key list.
                            var keys = JsonConvert.DeserializeObject<JsonWebKeySet>(json).Keys;
                            // The key list is returned as-is; it already satisfies the resolver's return type.
                            return keys;
                        },

                        ValidIssuer = Configuration["Cognito:InterimPortalAuthUrl"],
                        ValidateIssuerSigningKey = true,
                        ValidateIssuer = true,
                        ValidateLifetime = true,
                        ValidAudience = Configuration["Cognito:InterimPortalClientId"],
                        // NOTE(review): ValidAudience is set but ValidateAudience is false, so the "aud" claim is never
                        // checked; a token this issuer minted for a different client would also be accepted here.
                        // Confirm this is intentional.
                        ValidateAudience = false,
                    };
                })
                // Second scheme, named "ClientPortal". Same settings as the default scheme, differing only in the
                // "Cognito:ClientPortal*" configuration keys; the duplicated block (including the resolver) could be
                // shared through a helper if the two schemes are meant to stay in sync.
                .AddJwtBearer("ClientPortal", options =>
                {
                    // NOTE(review): same plain-HTTP metadata allowance as the default scheme above.
                    options.RequireHttpsMetadata = false;
                    options.BackchannelTimeout = TimeSpan.FromMinutes(5);
                    options.SaveToken = true;
                    options.Audience = Configuration["Cognito:ClientPortalClientId"];
                    options.Authority = Configuration["Cognito:ClientPortalAuthUrl"];
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        // Same resolver shape as the default scheme: fetches the issuer's JWKS on every validation.
                        IssuerSigningKeyResolver = (s, securityToken, identifier, parameters) =>
                        {
                            // Download the JsonWebKeySet from the issuer's well-known endpoint (uncached, undisposed client).
                            var json = new WebClient().DownloadString(parameters.ValidIssuer + "/.well-known/jwks.json");
                            // Deserialize the JWKS document and take its key list.
                            var keys = JsonConvert.DeserializeObject<JsonWebKeySet>(json).Keys;
                            // The key list is returned as-is; it already satisfies the resolver's return type.
                            return keys;
                        },

                        ValidIssuer = Configuration["Cognito:ClientPortalAuthUrl"],
                        ValidateIssuerSigningKey = true,
                        ValidateIssuer = true,
                        ValidateLifetime = true,
                        ValidAudience = Configuration["Cognito:ClientPortalClientId"],
                        // NOTE(review): audience validation is disabled here too; see the note on the default scheme.
                        ValidateAudience = false,
                    };
                });

然后我们还有以下配置:

            {
                var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
                    JwtBearerDefaults.AuthenticationScheme,
                    "ClientPortal");
                defaultAuthorizationPolicyBuilder = 
                    defaultAuthorizationPolicyBuilder
                        .RequireAuthenticatedUser();
                options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
            });

以便从两个可能的来源进行身份验证。我们观察到的情况是:如果命中的是第一个来源(默认方案),则会在 ClaimsPrincipal(即 HttpContext?.User)上设置身份和声明;但当命中的是第二个来源(ClientPortal)时,ClaimsPrincipal 上却没有设置身份和声明。

这是为什么?

0 个答案:

没有答案