令牌过期或未传递令牌时，出现404错误而不是401错误 [英] Getting 404 error instead of 401, when token is expired or when token is not passed

问题描述

我正在使用aspnet核心WEB Api应用程序.

i am working with aspnet core WEB Api application.

登录时，我像这样通过SignInManager验证用户.

While Login i am validating user through SignInManager like this.

 await _signInManager.PasswordSignInAsync

之后，我正在为该用户生成jwt令牌.

Äfter that i am generating jwt token for that user.

我在控制器方法中添加了[Authorize]标签.

i have added [Authorize] tag in controller method.

当我发送没有令牌或无效令牌的请求时，我得到的是404错误而不是401错误.

when i am sending request with out token or invalid token, i am getting 404 error instead of 401 error.

这是startup.cs文件

This is startup.cs file

var tp_options = new TokenProviderOptions
            {
                Audience = xyz,
                Issuer = xyz,
                SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),
            };
            app.UseJwtBearerAuthentication(new JwtBearerOptions
            {
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
                TokenValidationParameters = tokenValidationParameters,
                AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
            });
            app.UseStaticFiles();
            app.UseFileServer();
            app.UseIdentity(); 

我添加了app.UseIdentity();.这是signInManger验证登录所必需的.

i have added a app.UseIdentity();. This is required for signInManger to validate login.

如果我删除app.UseIdentity()，我得到401错误，但是signInManager正在获取异常未配置身份验证处理程序来处理该方案:Identity.Application"

if i remove app.UseIdentity() i am getting 401 error ,but signInManager is getting exception "No authentication handler is configured to handle the scheme: Identity.Application"

我如何在这里实现两种功能.我想同时使用JWT令牌验证和ASP IDENTITY.

how can i achieve both functionality here. i want to use both JWT Token validation and ASP IDENTITY.

推荐答案

我遇到了同样的问题，并且可以通过不使用SignInManager进行用户身份验证来解决此问题.似乎SignInManager在内部使用cookie身份验证，并且未授权的请求被重定向到我尚未实现的登录"页面，因此出现404响应.

I had the same problem and was able to work around it by not using SignInManager for user authentication. It seems that SignInManager uses cookie authentication internally and unauthorized requests are redirected to Login page which I have not implemented, hence 404 response.

如果您排除app.UseIdentity()并还排除未经授权的Cookie中间件，则应返回401响应.这是用户身份验证代码:

If you exclude app.UseIdentity() and also exclude cookie middleware unauthorized request should return 401 response. Here is the user authentication code:

public async Task<ClaimsIdentity> GetIdentity(string username, string password)
{
    // Can't use SignInManager because it uses a cookie so requests for unauthorized actions will not return 401, 
    // it will return 404 (redirect to Login page that is missing)
    // instead we validate the user using PasswordHasher
    var user =  await _userManager.FindByNameAsync(username);
    if (user != null)
    {
        var passwordHasher = new Microsoft.AspNetCore.Identity.PasswordHasher<ApplicationUser>();

        var passverificationResult = passwordHasher.VerifyHashedPassword(user, user.PasswordHash, password);
        if (passverificationResult == PasswordVerificationResult.Success)
        {
             var claims = await _userManager.GetClaimsAsync(user);
             return new ClaimsIdentity(new GenericIdentity(username, "Token"), claims);
         }
     }
     return null;
 }

这篇关于令牌过期或未传递令牌时，出现404错误而不是401错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！