Asp.Net核心、JWT和OpenIdConnectServer

Question

我正在尝试理解所有这些关于Asp.Net核心中的JWT标记的东西。在经历了大量误解的工作之后，我被卡住了。我的任务是让WebApi服务器有两个控制器(受保护的和不受保护的)。我应该从服务器授予令牌，并能够获得受保护的资源。当我运行服务器并尝试从postman获取受保护的资源时，一切似乎都很正常。但是当我在我的Angular客户端中做同样的事情时，从另一个领域我有奇怪的事情。我可以获取未受保护的资源，但无法获取受保护的资源，错误如下：

XMLHttpRequest cannot load http://localhost:10450/api/prvalues. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:10377' is therefore not allowed access.

为了清楚起见，我展示了我所有的尝试。我的project.json看起来像

  "dependencies": {
     "AspNet.Security.OpenIdConnect.Server": "1.0.0-beta4",
     "EntityFramework.Core": "7.0.0-rc1-final",
     "EntityFramework.InMemory": "7.0.0-rc1-final",
     "Microsoft.AspNet.Authentication.JwtBearer": "1.0.0-rc1-final",
     "Microsoft.AspNet.Diagnostics": "1.0.0-rc1-final",
     "Microsoft.AspNet.Identity.EntityFramework": "3.0.0-rc1-final",
     "Microsoft.AspNet.IISPlatformHandler": "1.0.0-rc1-final",
     "Microsoft.AspNet.Mvc": "6.0.0-rc1-final",
     "Microsoft.AspNet.Server.Kestrel": "1.0.0-rc1-final",
     "Microsoft.AspNet.StaticFiles": "1.0.0-rc1-final",
     "Microsoft.Extensions.Configuration.FileProviderExtensions": "1.0.0-rc1-final",
     "Microsoft.Extensions.Logging": "1.0.0-rc1-final",
     "Microsoft.Extensions.Logging.Console": "1.0.0-rc1-final",
     "Microsoft.Extensions.Logging.Debug": "1.0.0-rc1-final",
     "NWebsec.Middleware": "1.0.0-gamma-39",
     "Microsoft.AspNet.Mvc.Cors": "6.0.0-rc1-final",
     "Microsoft.AspNet.Cors": "6.0.0-rc1-final"
},

我的Startup.ConfigureServices()看起来像

公共无效服务(IServiceCollection ConfigureServices){

        services.AddCors(options =>
        {
            options.AddPolicy("AllowAllOrigins",
                    builder =>
                    {
                        builder.AllowAnyOrigin();
                        builder.AllowAnyHeader();
                    });
        });

        services.AddEntityFramework()
           .AddInMemoryDatabase()
           .AddDbContext<ApplicationDbContext<ApplicationUser, Application, IdentityRole, string>>(options => {
               options.UseInMemoryDatabase();
           });
        services.AddScoped<IAuthStore<ApplicationUser,Application>, AuthStore<ApplicationUser, Application, IdentityRole, 
            ApplicationDbContext<ApplicationUser, Application, IdentityRole, string>, string>>();
        services.AddScoped<AuthManager<ApplicationUser, Application>>();
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            options.Password = new PasswordOptions()
            {
                RequiredLength = 1,
                RequireDigit = false,
                RequireLowercase = false,
                RequireUppercase = false,
                RequireNonLetterOrDigit = false

            };
        }).AddEntityFrameworkStores<ApplicationDbContext<ApplicationUser, Application, IdentityRole, string>>().AddDefaultTokenProviders();
        services.AddAuthentication();

        // Add framework services.

        services.AddCaching();
        services.AddMvc();
    }

AuthManager和AuthStore是从OpenIddict偷来的。我稍后会展示给他们看。我的Startup.Configure()看起来像这样：

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();
        app.UseCors("AllowAllOrigins");
        app.UseIISPlatformHandler();
        app.UseDeveloperExceptionPage();
        app.UseStaticFiles();

        // Create a new branch where the registered middleware will be executed only for API calls.            

        app.UseWhen(context => context.Request.Path.StartsWithSegments(new PathString("/api")), branch =>
        {
            branch.UseJwtBearerAuthentication(options =>
            {

                options.AutomaticAuthenticate = true;
                options.AutomaticChallenge = true;
                options.RequireHttpsMetadata = false;
                // Thisi is test, if I uncomment this and SetResource in AuthorizationProvider everything works in postman
                //options.Audience = "http://localhost:10450/";
                // My Angular client
                options.Audience = "http://localhost:10377/";
                // My Api
                options.Authority = "http://localhost:10450/";

            });
        });



        // Note: visit https://docs.nwebsec.com/en/4.2/nwebsec/Configuring-csp.html for more information.
        app.UseCsp(options => options.DefaultSources(configuration => configuration.Self())
                                     .ImageSources(configuration => configuration.Self().CustomSources("data:"))
                                     .ScriptSources(configuration => configuration.UnsafeInline())
                                     .StyleSources(configuration => configuration.Self().UnsafeInline()));

        app.UseXContentTypeOptions();

        app.UseXfo(options => options.Deny());

        app.UseXXssProtection(options => options.EnabledWithBlockMode());

        app.UseOpenIdConnectServer(options =>
        {

            options.Provider = new AuthorizationProvider();
            // Note: see AuthorizationController.cs for more
            // information concerning ApplicationCanDisplayErrors.
            options.ApplicationCanDisplayErrors = true;
            options.AllowInsecureHttp = true;
            options.AuthorizationEndpointPath = PathString.Empty;
            options.TokenEndpointPath = "/token";
            // Note: by default, tokens are signed using dynamically-generated
            // RSA keys but you can also use your own certificate:
            // options.SigningCredentials.AddCertificate(certificate);
        });

        app.UseMvc();
        var hasher = new PasswordHasher<Application>();
        using (var database = app.ApplicationServices.GetService<ApplicationDbContext<ApplicationUser, Application, IdentityRole, string>>())
        {              
            database.Applications.Add(new Application
            {
                Id = "myPublicClient",
                DisplayName = "My client application",
                Type = ApplicationTypes.Public
            });
            database.Applications.Add(new Application
            {
                Id = "myConfidentialClient",
                DisplayName = "My client application",
                Secret = hasher.HashPassword(null, "secret_secret_secret"),
                Type = ApplicationTypes.Confidential
            });

            database.SaveChanges();
            CreateUser(app).Wait();
        }        
    }

最后，我的AthorizationProvider.GrantResourceOwnerCredentials() (我使用AspNet.Security.OpenIdConnect.Server)是：

    public override async Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
    {

        #region UserChecking
        var manager = context.HttpContext.RequestServices.GetRequiredService<AuthManager<ApplicationUser, Application>>();

        var user = await manager.FindByNameAsync(context.UserName);
        if (user == null)
        {
            context.Rejected(
                error: OpenIdConnectConstants.Errors.InvalidGrant,
                description: "Invalid credentials.");

            return;
        }

        // Ensure the user is not already locked out.
        if (manager.SupportsUserLockout && await manager.IsLockedOutAsync(user))
        {
            context.Rejected(
                error: OpenIdConnectConstants.Errors.InvalidGrant,
                description: "Account locked out.");

            return;
        }

        // Ensure the password is valid.
        if (!await manager.CheckPasswordAsync(user, context.Password))
        {
            context.Rejected(
                error: OpenIdConnectConstants.Errors.InvalidGrant,
                description: "Invalid credentials.");

            if (manager.SupportsUserLockout)
            {
                await manager.AccessFailedAsync(user);

                // Ensure the user is not locked out.
                if (await manager.IsLockedOutAsync(user))
                {
                    context.Rejected(
                        error: OpenIdConnectConstants.Errors.InvalidGrant,
                        description: "Account locked out.");
                }
            }

            return;
        }

        if (manager.SupportsUserLockout)
        {
            await manager.ResetAccessFailedCountAsync(user);
        }


        if (context.Request.ContainsScope(OpenIdConnectConstants.Scopes.Profile) &&
           !context.Request.ContainsScope(OpenIdConnectConstants.Scopes.Email) &&
            string.Equals(await manager.GetUserNameAsync(user),
                          await manager.GetEmailAsync(user),
                          StringComparison.OrdinalIgnoreCase))
        {
            context.Rejected(
                error: OpenIdConnectConstants.Errors.InvalidRequest,
                description: "The 'email' scope is required.");

            return;
        }

        #endregion

        var identity = await manager.CreateIdentityAsync(user, context.Request.GetScopes());

        var ticket = new AuthenticationTicket(
           new ClaimsPrincipal(identity),
           new AuthenticationProperties(),
           context.Options.AuthenticationScheme);

        //ticket.SetResources(context.Request.GetResources());
        // When I tested with postman
        //ticket.SetResources(new[] { "http://localhost:10450/" });
        ticket.SetResources(new[] { "http://localhost:10377" });
        ticket.SetScopes(context.Request.GetScopes());

        context.Validated(ticket);


    }

我已经展示了所有的代码，我认为这可能会导致问题。对不起，如果它很长，但我不知道是哪个部分导致的问题。

为了访问我的protecetd资源(简单地用[Authorize]装饰)，我使用来自我的Angular客户机的这样的虚拟代码

$http.defaults.headers.common['Authorization'] = 'Bearer ' + 'token here';
return $http.get('http://localhost:10450/' + 'api/prvalues');

正如我所说的，对于这样的请求，我有cors错误。但是，如果我尝试获取未受保护的资源(从控制器中移除[Authorize]属性)，则一切正常。

Answer 1

我已经找到了解决方案。当我在AthorizationProvider.GrantResourceOwnerCredentials()中设置资源时，我设置了"http://localhost:10377“，但在UseJwtBearerAuthentication中间件中，我在authority option中设置了"http://localhost:10377/”(在末尾包括斜杠)。这是一个非常愚蠢的错误。