問題描述
我有一個使用 JWT 令牌授權(quán)用戶的 .Net Core 2.0 應用程序.這一切都很好,但我想要某種 API 密鑰機制來允許其他應用程序集成,但我似乎無法讓它與當前的身份驗證一起使用.
I have a .Net Core 2.0 application that uses JWT tokens to authorize the user. This all works fine but I want to have some sort of API Key mechanism to allow other applications to integrate but I cannot seem to get this to work with the current authentication.
代碼:
Startup.cs
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory,
IMemoryCache cache, IServiceProvider serviceProvider)
{
app.UseAuthentication();
ApiKeyMiddlewear(app, serviceProvider);
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
routes.MapSpaFallbackRoute(
name: "spa-fallback",
defaults: new { controller = "Home", action = "Index" });
});
}
}
private static void ApiKeyMiddlewear(IApplicationBuilder app, IServiceProvider serviceProvider)
{
app.Use(async (context, next) =>
{
if (context.Request.Path.StartsWithSegments(new PathString("/api")))
{
// Let's check if this is an API Call
if (context.Request.Headers["ApiKey"].Any())
{
// validate the supplied API key
// Validate it
var headerKey = context.Request.Headers["ApiKey"].FirstOrDefault();
var settingsProvider = serviceProvider.GetService<ISettingsService<OmbiSettings>>();
var ombiSettings = settingsProvider.GetSettings();
var valid = ombiSettings.ApiKey.Equals(headerKey, StringComparison.CurrentCultureIgnoreCase);
if (!valid)
{
context.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
await context.Response.WriteAsync("Invalid API Key");
}
else
{
var identity = new GenericIdentity("API");
identity.AddClaim(new System.Security.Claims.Claim("Origin", "Api"));
identity.AddClaim(new System.Security.Claims.Claim("role", "Admin"));
var principal = new GenericPrincipal(identity, new[] {"ApiUser"});
context.User = principal;
await next();
}
}
else
{
await next();
}
}
else
{
await next();
}
});
}
}
所以在上面的代碼中,您可以看到我正在攔截提供名為 ApiKey 的標頭的 HTTP 請求,然后將其驗證為我存儲的內(nèi)容.這部分一切正常,但是當使用 Authorize 屬性調(diào)用 API 方法時,這不起作用,我得到以下錯誤日志:
So in the code above you can see that I am intercepting the HTTP requests that provide a header called ApiKey and then validate it to what I have stored. This part all works but when calling an API Method with the Authorize attribute this does not work and I get the following error logs:
2017-09-19 08:15:17.280 +01:00 [Information] Request starting HTTP/1.1 POST http://localhost:52038/api/v1/Identity/ application/json 372
2017-09-19 08:15:21.967 +01:00 [Information] Authorization failed for user: "API".
2017-09-19 08:15:21.976 +01:00 [Information] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"'.
2017-09-19 08:15:21.981 +01:00 [Information] Executing ForbidResult with authentication schemes ([]).
2017-09-19 08:15:21.991 +01:00 [Information] AuthenticationScheme: "Bearer" was forbidden.
2017-09-19 08:15:21.996 +01:00 [Information] Executed action "Ombi.Controllers.IdentityController.CreateUser (Ombi)" in 38.8268ms
2017-09-19 08:15:22.004 +01:00 [Information] Request finished in 4723.032ms 403
現(xiàn)在我猜這與僅提供 ApiKey 標頭而不是帶有正確 JWT 令牌的 Authorization 標頭的請求有關(guān).
Now I'm guessing this is to do with the request only supplying a ApiKey header and not a Authorization header with a correct JWT token.
我怎樣才能只提供 ApiKey 標頭,當沒有 ApiKey 標頭時回退到需要 JWT 令牌?
How am I able to only supply a ApiKey header and when there is no ApiKey header then fallback to requiring a JWT token?
推薦答案
應用 Claim("role", "Admin") 到 GenericPrincipal 不會有任何影響,因為GenericPrincipal 與角色聲明無關(guān).所以如果你想為 GenericPrincipal 應用管理員角色,你需要在構(gòu)造函數(shù)參數(shù)中添加它:
Applying Claim("role", "Admin") to GenericPrincipal will not affect anything, because GenericPrincipal have nothing to do with Role Claims. So if you want to apply admin role to GenericPrincipal, you need to add it in constructor parameter:
var principal = new GenericPrincipal(identity, new[] {"Admin","ApiUser"});
context.User = principal;
這篇關(guān)于.Net Core JWT 身份驗證與自定義 API 密鑰中間件的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!