問題描述
我正在使用 Visual Studio 2015 Enterprise 和 ASP.NET vNext Beta8 來構(gòu)建一個端點(diǎn),該端點(diǎn)發(fā)出并使用 JWT 令牌.我最初是通過自己生成令牌來解決這個問題的,如 所述這里.后來@Pinpoint 的一篇有用的文章顯示,AspNet.Security.OpenIdConnect.Server(又名 OIDC)可以配置為為我發(fā)放和使用令牌.
I am using Visual Studio 2015 Enterprise and ASP.NET vNext Beta8 to build an endpoint that both issues and consumes JWT tokens. I Originally approached this by generating the tokens myself, as described here. Later a helpful article by @Pinpoint revealed that AspNet.Security.OpenIdConnect.Server (a.k.a. OIDC) can be configured to issue and consume the tokens for me.
所以我按照這些說明,建立了一個端點(diǎn),并從 郵遞員 我收到了一個合法的令牌:
So I followed those instructions, stood up an endpoint, and by submitting an x-www-form-urlencoded post from postman I receive back a legit token:
{
"token_type": "bearer",
"access_token": "eyJ0eXAiO....",
"expires_in": "3599"
}
這很棒,但也是我卡住的地方.現(xiàn)在,我如何注釋控制器操作以使其需要此不記名令牌?
This is great but also where I get stuck. Now, how do I annotate a controller action so that it demands this bearer token?
我以為我要做的就是用[Authorize("Bearer")],添加認(rèn)證方案:
I thought all I would have to do is decorate my controller method with the [Authorize("Bearer")], add an authentication scheme:
services.AddAuthorization
(
options =>
{
options.AddPolicy
(
JwtBearerDefaults.AuthenticationScheme,
builder =>
{
builder.
AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme).
RequireAuthenticatedUser().
Build();
}
);
}
);
然后像我在前面的示例中所做的那樣,使用Authorization Bearer eyJ0eXAiO...."標(biāo)題調(diào)用我的控制器操作.可悲的是,所有這些方法似乎都會產(chǎn)生一個異常:
And then call my controller action with the "Authorization bearer eyJ0eXAiO...." header as I had done in my previous example. Sadly, all this approach seems to do though is generate an exception:
處理請求時發(fā)生未處理的異常.
An unhandled exception occurred while processing the request.
SocketException: 無法建立連接,因?yàn)槟繕?biāo)機(jī)器主動拒絕了它 127.0.0.1:50000
SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:50000
WebException: 無法連接到遠(yuǎn)程服務(wù)器
WebException: Unable to connect to the remote server
HttpRequestException: 發(fā)送請求時出錯.
HttpRequestException: An error occurred while sending the request.
IOException:IDX10804:無法從以下位置檢索文檔:'http://localhost:50000/.well-known/openid-configuration'.Microsoft.IdentityModel.Logging.LogHelper.Throw(String message, Type exceptionType, EventLevel logLevel, Exception innerException)
IOException: IDX10804: Unable to retrieve document from: 'http://localhost:50000/.well-known/openid-configuration'. Microsoft.IdentityModel.Logging.LogHelper.Throw(String message, Type exceptionType, EventLevel logLevel, Exception innerException)
InvalidOperationException: IDX10803: Unable to get configuration from: 'http://localhost:50000/.well-known/openid-configuration'.內(nèi)部異常:'IDX10804:無法從以下位置檢索文檔:'http://localhost:50000/.well-known/openid-configuration'.'.
InvalidOperationException: IDX10803: Unable to obtain configuration from: 'http://localhost:50000/.well-known/openid-configuration'. Inner Exception: 'IDX10804: Unable to retrieve document from: 'http://localhost:50000/.well-known/openid-configuration'.'.
考慮以下步驟來重現(xiàn)(但請不要考慮這個生產(chǎn)有價值的代碼):
Consider the following steps to reproduce (but please don't consider this production worthy code):
按照描述應(yīng)用 ASP.NET Beta8 工具 這里
打開 Visual Studio Enterprise 2015 并創(chuàng)建一個新的 Web API ASP.NET 5 Preview Template 項(xiàng)目
Open Visual Studio Enterprise 2015 and create a new Web API ASP.NET 5 Preview Template project
更改 project.json
Change project.json
{
"webroot": "wwwroot",
"版本": "1.0.0-*",
依賴":{
"Microsoft.AspNet.IISPlatformHandler": "1.0.0-beta8",
"Microsoft.AspNet.Mvc": "6.0.0-beta8",
"Microsoft.AspNet.Server.Kestrel": "1.0.0-beta8",
"Microsoft.AspNet.Authentication.JwtBearer": "1.0.0-beta8",
"AspNet.Security.OpenIdConnect.Server": "1.0.0-beta3",
"Microsoft.AspNet.Authentication.OpenIdConnect": "1.0.0-beta8",
"Microsoft.Framework.ConfigurationModel.Json": "1.0.0-beta4",
"Microsoft.AspNet.Diagnostics": "1.0.0-beta8"
},
命令":{
"web": "Microsoft.AspNet.Server.Kestrel"
},
框架":{
dnx451":{ }
},
排除":[
"wwwroot",
節(jié)點(diǎn)模塊"
],
發(fā)布排除":[
".user",
".vspscc"
]
}
{
"webroot": "wwwroot",
"version": "1.0.0-*",
"dependencies": {
"Microsoft.AspNet.IISPlatformHandler": "1.0.0-beta8",
"Microsoft.AspNet.Mvc": "6.0.0-beta8",
"Microsoft.AspNet.Server.Kestrel": "1.0.0-beta8",
"Microsoft.AspNet.Authentication.JwtBearer": "1.0.0-beta8",
"AspNet.Security.OpenIdConnect.Server": "1.0.0-beta3",
"Microsoft.AspNet.Authentication.OpenIdConnect": "1.0.0-beta8",
"Microsoft.Framework.ConfigurationModel.Json": "1.0.0-beta4",
"Microsoft.AspNet.Diagnostics": "1.0.0-beta8"
},
"commands": {
"web": "Microsoft.AspNet.Server.Kestrel"
},
"frameworks": {
"dnx451": { }
},
"exclude": [
"wwwroot",
"node_modules"
],
"publishExclude": [
".user",
".vspscc"
]
}
如下更改 Startup.cs(這是@Pinpoint 的原始文章提供的;我已刪除評論并添加了 AddAuthorization snip):
Change Startup.cs as follows (this is courtesy of @Pinpoint's original article; I have removed comments and added the AddAuthorization snip):
public class Startup
{
public Startup(IHostingEnvironment env)
{
}
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthorization
(
options =>
{
options.AddPolicy
(
JwtBearerDefaults.AuthenticationScheme,
builder =>
{
builder.
AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme).
RequireAuthenticatedUser().
Build();
}
);
}
);
services.AddAuthentication();
services.AddCaching();
services.AddMvc();
services.AddOptions();
}
// Configure is called after ConfigureServices is called.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IOptions<AppSettings> appSettings)
{
app.UseDeveloperExceptionPage();
// Add a new middleware validating access tokens issued by the OIDC server.
app.UseJwtBearerAuthentication(options => {
options.AutomaticAuthentication = true;
options.Audience = "http://localhost:50000/";
options.Authority = "http://localhost:50000/";
options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>
(
metadataAddress : options.Authority + ".well-known/openid-configuration",
configRetriever : new OpenIdConnectConfigurationRetriever(),
docRetriever : new HttpDocumentRetriever { RequireHttps = false }
);
});
// Add a new middleware issuing tokens.
app.UseOpenIdConnectServer
(
configuration =>
{
configuration.Options.TokenEndpointPath= "/authorization/v1";
configuration.Options.AllowInsecureHttp = true;
configuration.Provider = new OpenIdConnectServerProvider {
OnValidateClientAuthentication = context =>
{
context.Skipped();
return Task.FromResult<object>(null);
},
OnGrantResourceOwnerCredentials = context =>
{
var identity = new ClaimsIdentity(OpenIdConnectDefaults.AuthenticationScheme);
identity.AddClaim( new Claim(ClaimTypes.NameIdentifier, "todo") );
identity.AddClaim( new Claim("urn:customclaim", "value", "token id_token"));
context.Validated(new ClaimsPrincipal(identity));
return Task.FromResult<object>(null);
}
};
}
);
app.UseMvc();
}
}
- 更改 Wizarded ValuesController.cs 以指定 Authorize 屬性:
[Route("api/[controller]")]
public class ValuesController : Controller
{
// GET: api/values
[Authorize("Bearer")]
[HttpGet]
public IEnumerable<string> Get()
{
return new string[] { "value1", "value2" };
}
}
運(yùn)行項(xiàng)目,并使用 postman 獲取令牌.要獲取令牌,請使用 x-www-form-urlencoded POST,其中g(shù)rant_type"為password",username"為任何內(nèi)容,password"為任何內(nèi)容,resource"為 API 端點(diǎn)的地址.例如,我的特定 URL 是 http://localhost:37734/authorization/v1.
Run the project, and acquire a token using postman. To acquire a token use x-www-form-urlencoded POST with "grant_type" of "password", "username" anything, "password" anything and "resource" the address of the API endpoint. My particular URL for example is http://localhost:37734/authorization/v1.
復(fù)制 Base64 編碼的令牌,然后使用令牌通過 郵遞員.要使用令牌,請使用標(biāo)頭 Content-Type application/json 和 Authorization Bearer eyJ0eXAiO....(您的令牌)進(jìn)行 GET.我的特定 URL 是 http://localhost:37734/api/values.
Copy the Base64 encoded token, then use the token to call the wizarded values controller using postman. To use the token make a GET with the headers Content-Type application/json and Authorization bearer eyJ0eXAiO....(your token). My particular URL is http://localhost:37734/api/values.
注意前面提到的異常.
如果我在上面嘗試的 [Authorize("Bearer")] 方法是錯誤的方法,如果有人能幫助我了解如何使用 OIDC 攝取 JWT 令牌的最佳實(shí)踐,我將非常感激.
If the [Authorize("Bearer")] approach I'm trying above is the wrong way to go I would be very appreciative if someone could help me understand best practices for how to ingest the JWT token using OIDC.
謝謝.
推薦答案
options.Authority
對應(yīng)issuer地址(即你的OIDC服務(wù)器地址).options.Authority
corresponds to the issuer address (i.e the address of your OIDC server).http://localhost:50000/
似乎不正確,因?yàn)槟院笤趩栴}中使用http://localhost:37734/
.嘗試修復(fù) URL,然后再試一次.http://localhost:50000/
doesn't seem to be correct as you're usinghttp://localhost:37734/
later in your question. Try fixing the URL and give it another try.這篇關(guān)于驗(yàn)證 AspNet.Security.OpenIdConnect.Server (ASP.NET vNext) 頒發(fā)的令牌的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!
【網(wǎng)站聲明】本站部分內(nèi)容來源于互聯(lián)網(wǎng),旨在幫助大家更快的解決問題,如果有圖片或者內(nèi)容侵犯了您的權(quán)益,請聯(lián)系我們刪除處理,感謝您的支持!