問(wèn)題描述

我正在使用 Visual Studio 2015 Enterprise Update 1 和 ASP.NET vNext rc1-update1 來(lái)發(fā)布和使用 JWT 令牌，如 這里.

I am using Visual Studio 2015 Enterprise Update 1 and ASP.NET vNext rc1-update1 to issue and consume JWT tokens as described here.

在我們的實(shí)現(xiàn)中，我們希望控制令牌生命周期驗(yàn)證.

In our implementation we want to control token lifetime validation.

我們嘗試了幾種方法，所有這些方法都有不良副作用.例如，在一次嘗試中，我們?cè)?Configure 方法中接管了 TokenValidationParameters.TokenValidationParameters.LifetimeValidator 事件:

We tried several approaches, all of which had undesirable side effects. For example in one attempt we took over the TokenValidationParameters.TokenValidationParameters.LifetimeValidator event in the Configure method:

app.UseJwtBearerAuthentication
(
    options => 
    {
        options.TokenValidationParameters = new TokenValidationParameters()
        {
            LifetimeValidator = (DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters) =>
            {
                // Pretend to do custom validation
                return false;
            }
        };
    }
);

該事件導(dǎo)致驗(yàn)證失敗，但客戶端收到 500 錯(cuò)誤，而我們希望返回 400 系列錯(cuò)誤和一個(gè)小負(fù)載.

That event causes validation to fail as we'd like but the client receives a 500 error whereas we would like to return a 400-series error and a small payload instead.

在另一次嘗試中，我們嘗試了 TokenValidationParameters.Events 的各種實(shí)現(xiàn)，例如檢查 ValidatedToken 事件中的聲明，但發(fā)現(xiàn)我們無(wú)法阻止中間件調(diào)用控制器操作，除非引發(fā)異常，導(dǎo)致我們回到 500 錯(cuò)誤問(wèn)題.

In another attempt we tried various implementations of TokenValidationParameters.Events, such as inspecting claims in the ValidatedToken event but found we were unable to prevent the middleware from invoking the controller action short of throwing an exception which got us back to the 500 error problem.

所以我的問(wèn)題是:

• 使用 OIDC 接管生命周期驗(yàn)證的最佳做法是什么?

• What what is the best practices for taking over lifetime validation with OIDC?

我們是否可以強(qiáng)制 OIDC 不在令牌中包含某些生命周期聲明，例如nbf"，因?yàn)槲覀儫o(wú)論如何都不需要它們?

Can we force OIDC not to include certain lifetime claims in the token like "nbf" since we won't need them anyway?

推薦答案

此錯(cuò)誤已在 ASP.NET Core RC2 中修復(fù).不再需要此答案中描述的解決方法.

這是一個(gè)已知錯(cuò)誤.遺憾的是，您可以在 beta8 中使用的解決方法 不再有效 在 RC1 中.

It's a known bug. Sadly, the workaround you could use in beta8 no longer works in RC1.

您唯一的選擇是編寫(xiě)一個(gè)捕獲異常的中間件，以防止服務(wù)器返回 500 響應(yīng).當(dāng)然，它很丑陋，并且可能會(huì)隱藏重要的異常，但它是唯一適用于 RC1 的已知解決方法.

Your only option is to write a middleware catching the exception to prevent the server from returning a 500 response. Of course, it's ugly and will potentially hide important exceptions, but it's the only known workaround that works with RC1.

這是一個(gè)例子(確保在 JWT 承載中間件之前注冊(cè)它):

Here's an example (make sure to register it before the JWT bearer middleware):

app.Use(next => async context => {
    try {
        await next(context);
    }

    catch {
        // If the headers have already been sent, you can't replace the status code.
        // In this case, throw an exception to close the connection.
        if (context.Response.HasStarted) {
            throw;
        }

        context.Response.StatusCode = 401;
    }
});

這篇關(guān)于使用 AspNet.Security.OpenIdConnect.Server (ASP.NET vNext) 的自定義生命周期驗(yàn)證的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！