我们在 ASP.NET Core 中使用以下身份验证配置(两个 JwtBearer 方案,均指向 AWS Cognito):
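.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
// Default scheme ("Bearer"): tokens issued to the interim-portal app client.
.AddJwtBearer(options =>
{
    // Cognito only serves its discovery document and JWKS over HTTPS, so a
    // plaintext authority is never legitimate. Leaving the default (true)
    // stops a mis-set Authority from silently falling back to HTTP metadata.
    options.RequireHttpsMetadata = true;
    // NOTE(review): 5 minutes is well above the 60 s default; a stalled
    // Cognito endpoint holds the request for that long. Confirm this is wanted.
    options.BackchannelTimeout = TimeSpan.FromMinutes(5);
    // Keeps the raw bearer token in AuthenticationProperties so it can be
    // read back via HttpContext.GetTokenAsync("access_token").
    options.SaveToken = true;
    options.Audience = Configuration["Cognito:InterimPortalClientId"];
    // With Authority set, the handler fetches {Authority}/.well-known/openid-configuration,
    // follows its jwks_uri, caches the keys, selects the signing key by `kid`
    // and refreshes automatically when an unknown `kid` appears. A hand-rolled
    // IssuerSigningKeyResolver that downloads the JWKS with a new WebClient on
    // every request is therefore redundant: it blocks the request thread, hits
    // Cognito once per token, and bypasses the handler's key caching.
    options.Authority = Configuration["Cognito:InterimPortalAuthUrl"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = Configuration["Cognito:InterimPortalAuthUrl"],
        ValidateIssuerSigningKey = true,
        ValidateIssuer = true,
        ValidateLifetime = true,
        ValidAudience = Configuration["Cognito:InterimPortalClientId"],
        // Without audience validation a token minted for any other app client
        // in the same user pool is accepted here. Cognito ID tokens carry
        // `aud`; access tokens carry `client_id` instead — if this API is sent
        // access tokens, add an AudienceValidator that checks `client_id`
        // rather than turning validation back off.
        ValidateAudience = true,
    };
})
// Second scheme: same validation rules, bound to the client-portal app client.
// It is not the default scheme, so it only runs when an authorization policy
// names it (or when [Authorize(AuthenticationSchemes = "ClientPortal")] is used).
.AddJwtBearer("ClientPortal", options =>
{
    // See the default scheme above for why HTTPS metadata is required and why
    // no custom IssuerSigningKeyResolver is needed when Authority is set.
    options.RequireHttpsMetadata = true;
    // NOTE(review): same 5-minute backchannel timeout as the default scheme; confirm.
    options.BackchannelTimeout = TimeSpan.FromMinutes(5);
    options.SaveToken = true;
    options.Audience = Configuration["Cognito:ClientPortalClientId"];
    options.Authority = Configuration["Cognito:ClientPortalAuthUrl"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = Configuration["Cognito:ClientPortalAuthUrl"],
        ValidateIssuerSigningKey = true,
        ValidateIssuer = true,
        ValidateLifetime = true,
        ValidAudience = Configuration["Cognito:ClientPortalClientId"],
        // Same caveat as above: Cognito ID tokens have `aud`, access tokens
        // have `client_id`; do not disable this to make access tokens pass.
        ValidateAudience = true,
    };
});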
然后我们在授权配置中设置了如下默认策略(同时引用两个方案):
{
var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
JwtBearerDefaults.AuthenticationScheme,
"ClientPortal");
defaultAuthorizationPolicyBuilder =
defaultAuthorizationPolicyBuilder
.RequireAuthenticatedUser();
options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
});
目的是允许从两个可能的来源(默认的 Bearer 方案和 ClientPortal 方案)进行身份验证。我们观察到:当第一个来源(默认方案)验证通过时,HttpContext.User 上的 ClaimsPrincipal 会带有身份(Identity)和声明(Claims);但当第二个来源(ClientPortal)验证通过时,ClaimsPrincipal 上却没有设置身份和声明。
为什么会这样?