I'm in ASP.NET config hell, trying to work out how to dig into the automatic behaviour I'm getting. I'm currently converting a small API from ASP.NET Web API 2 to ASP.NET Core. I'm not sure where the 403 comes from in this configuration, or how to fix it. Right now most of the API endpoints only need a valid token, without checking any particular claims in the token. So for every authenticated controller, when I use a valid bearer token I get a 403 response where it should be a 200. Also, I'm currently using asymmetric keys, with Auth0 as the provider.
The JWT configuration method in Startup.cs that I use to validate bearer tokens:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();
    // Middleware added here; order matters
    // TODO formatter settings https://docs.asp.net/en/latest/mvc/models/formatting.html
    // samples to check
    // https://auth0.com/docs/server-apis/webapi-owin
    // https://github.com/auth0-samples/auth0-aspnetcore-webapi-rs256
    var options = new JwtBearerOptions
    {
        Audience = Configuration["auth0:clientId"],
        Authority = $"https://{Configuration["auth0:domain"]}/",
        Events = new JwtBearerEvents() // just a pass-through to log events
    };
    app.UseJwtBearerAuthentication(options);
    // Very hacky way to catch invalid tokens https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/191
    // The issue says the need for the hack is fixed, but it is still happening. Issue about the fix: https://github.com/aspnet/Security/issues/411
    app.Use(next => async context =>
    {
        try
        {
            await next(context);
        }
        catch
        {
            // If the headers have already been sent, you can't replace the status code.
            // In this case, rethrow to close the connection.
            if (context.Response.HasStarted)
            {
                throw;
            }
            context.Response.StatusCode = 401;
        }
    });
    app.UseMvc();
    // TODO global exception handling https://github.com/dotnet/corefx/issues/6398
    app.UseSwaggerGen();
    app.UseSwaggerUi();
}
}
Posted on 2016-06-14 17:05:30
It looks like your token middleware is not being executed to validate incoming requests. Try setting the token middleware to run automatically.
var options = new JwtBearerOptions
{
    // other configuration...
    AutomaticAuthenticate = true
};
You can also use the attribute to specify the authentication scheme on the controller.
[Authorize(AuthenticationSchemes = "MyAuthenticationScheme")]
See here for more information: Limiting identity by scheme
Posted on 2016-06-15 00:20:00
The problem was with the policy in the ConfigureServices section. For now the simplest policy is all I need.
public void ConfigureServices(IServiceCollection services)
{
    // Add framework services.
    services.AddMvc(c =>
    {
        // TODO implement this abstract class: c.Filters.Add(typeof(ExceptionFilterAttribute));
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        c.Filters.Add(new AuthorizeFilter(policy));
        c.Filters.Add(typeof(ValidateModelFilter));
    });
}
https://stackoverflow.com/questions/37800362
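A Startup that combines both answers (the automatic authentication from the first answer and the scheme-bound RequireAuthenticatedUser policy from the second), written here as an added example rather than code taken from the question or either answer. It targets the ASP.NET Core 1.0 API the question uses (UseJwtBearerAuthentication, IHostingEnvironment). The configuration keys auth0:domain and auth0:clientId are carried over from the question; the Startup constructor, the TokenValidationParameters values, the clock-skew tolerance and the logging handler are assumptions.

```csharp
// Added example, not the question's or answers' own code. Assumes ASP.NET Core 1.0
// and Auth0 as an RS256 issuer; "auth0:domain" / "auth0:clientId" come from the
// question, everything else (constructor, validation values, logging) is assumed.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public IConfigurationRoot Configuration { get; }

    public Startup(IHostingEnvironment env)
    {
        Configuration = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json")
            .Build();
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Authentication only: a request passes when the bearer middleware accepted its
        // token. Naming the scheme makes the filter authenticate against it explicitly
        // (the second suggestion in the first answer). Claim or role requirements added
        // here later are what turn a valid-but-insufficient token into a 403.
        var policy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser()
            .Build();

        services.AddMvc(c => c.Filters.Add(new AuthorizeFilter(policy)));
    }

    public void Configure(IApplicationBuilder app, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        var log = loggerFactory.CreateLogger<Startup>();
        var issuer = $"https://{Configuration["auth0:domain"]}/";
        var audience = Configuration["auth0:clientId"];

        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            // Without AutomaticAuthenticate the middleware never populates HttpContext.User,
            // so RequireAuthenticatedUser fails even when the token is valid.
            AutomaticAuthenticate = true,
            // AutomaticChallenge lets the middleware answer a rejected request itself with
            // 401 and a WWW-Authenticate header, replacing the catch-all 401 wrapper.
            AutomaticChallenge = true,
            Authority = issuer,   // OIDC discovery fetches the RS256 signing keys from here
            Audience = audience,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = issuer,
                ValidateAudience = true,
                ValidAudience = audience,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(1)   // assumed tolerance; default is 5 min
            },
            Events = new JwtBearerEvents
            {
                // Record why a token was rejected instead of collapsing every exception
                // into a bare 401 the way the question's wrapper middleware does.
                OnAuthenticationFailed = ctx =>
                {
                    log.LogWarning("Bearer token rejected: {Reason}", ctx.Exception.Message);
                    return Task.FromResult(0);
                }
            }
        });

        app.UseMvc();
    }
}
```

The status codes are the diagnostic: a missing, expired or badly signed token is answered by the middleware's challenge with 401, while a token that validates but does not satisfy the policy yields 403. A 403 on a token known to be valid therefore points at the authorization policy rather than at token validation, which is where the accepted answer found the problem.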