Problem description
I am porting an ASP.NET Web API 4.6 OWIN application to ASP.NET Core 2.1. The application is working based on JWT token. But the token is passed via cookie instead of header. I'm not sure why headers are not used, it is just the situation that I have to deal with.
Consider that authentication is not done via cookie. The cookie is just used as a transferring medium. In the legacy application, CookieOAuthBearerProvider is employed to extract the JWT token from the cookie. The configuration code is like this:
    // Legacy OWIN pipeline configuration (fragment)
    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            AllowedAudiences = new[] { audienceId },
            IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
            {
                new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
            },
            // Read the bearer token from the cookie named "token"
            Provider = new CookieOAuthBearerProvider("token")
        });
The CookieOAuthBearerProvider class source code is as follows:
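    using System.Threading.Tasks;
    using Microsoft.Owin.Security.OAuth;

    public class CookieOAuthBearerProvider : OAuthBearerAuthenticationProvider
    {
        readonly string _name;

        public CookieOAuthBearerProvider(string name)
        {
            _name = name;
        }

        // Called before the bearer middleware looks for a token in the request
        public override Task RequestToken(OAuthRequestTokenContext context)
        {
            var value = context.Request.Cookies[_name];
            if (!string.IsNullOrEmpty(value))
            {
                // Hand the cookie value to the middleware as the token to validate
                context.Token = value;
            }
            return Task.FromResult<object>(null);
        }
    }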
This solution is discussed here with more detail.
Now I need to implement a similar solution for ASP.NET Core. The problem is that UseJwtBearerAuthentication does not exist in ASP.NET Core anymore and I do not know how I can introduce a custom AuthenticationProvider.
Any help is greatly appreciated.
UPDATE: There is a solution that tries to validate the JWT by its own code. It is not what I need. I'm just searching for a way to pass the token received from the cookie to the header reader.
Recommended answer
In ASP.NET Core 2.0, the authentication system was somewhat overhauled. Rather than using e.g. UseJwtBearerAuthentication as middleware, ASP.NET Core 2.0+ configures things using DI. For example, this looks something like this:
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options => {
                // ...
            });
    }
With that out of the way, the next question would be: how do we instruct the JwtBearer authentication process to look at a cookie using this new system?
That options object being passed in to AddJwtBearer contains an Events property of its own, which allows you to customise various parts of the process. Using OnMessageReceived, you can achieve what you're looking for:
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options => {
                options.Events = new JwtBearerEvents
                {
                    OnMessageReceived = context =>
                    {
                        // Take the token from the cookie instead of the Authorization header
                        context.Token = context.Request.Cookies["CookieName"];
                        return Task.CompletedTask;
                    }
                };
            });
    }
By setting context.Token, you're telling the JwtBearer process that you've taken care of extracting the token yourself.
Here's a useful migration document that explains the authentication changes in more detail.
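An added example (not part of the original question or answer) that carries the whole legacy configuration over to ASP.NET Core 2.1: the issuer, audience and symmetric key become TokenValidationParameters, and the "token" cookie is read in OnMessageReceived only when it is present, so the handler's normal Authorization header lookup still applies otherwise. The configuration keys Jwt:Issuer, Jwt:AudienceId and Jwt:AudienceSecret are hypothetical, and the signing key is assumed to be stored as standard base64.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Hypothetical keys holding the legacy issuer, audienceId and audienceSecret.
        var issuer = _config["Jwt:Issuer"];
        var audienceId = _config["Jwt:AudienceId"];
        var audienceSecret = Convert.FromBase64String(_config["Jwt:AudienceSecret"]);

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The cookie is only the transport: signature, issuer, audience and
                // lifetime are still checked (those validations are on by default).
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = issuer,
                    ValidAudience = audienceId,
                    IssuerSigningKey = new SymmetricSecurityKey(audienceSecret)
                };
                options.Events = new JwtBearerEvents
                {
                    OnMessageReceived = context =>
                    {
                        // "token" is the cookie name used in the legacy configuration.
                        var value = context.Request.Cookies["token"];
                        if (!string.IsNullOrEmpty(value))
                            context.Token = value;
                        // Token left unset: the handler reads the Authorization header.
                        return Task.CompletedTask;
                    }
                };
            });
        services.AddMvc();
    }

    // Authentication must be registered before MVC so [Authorize] sees the user.
    public void Configure(IApplicationBuilder app) => app.UseAuthentication().UseMvc();
}
```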