Asp.Net Core 2.1-根据请求中的内容进行授权 [英] Asp.Net Core 2.1 - Authorize based on content in request

问题描述

我正在公开一个与第三者集成的端点，他们的要求是我要根据发布的正文中传递的密钥向我的端点授权他们的请求.然后，我的代码将需要验证传递的密钥是否与我这边的某个预定值匹配.传入的模型将如下所示:

I am exposing an endpoint for integration with a 3rd party and their requirement is for me to authorize their requests to my endpoint based on a key passed in the body being posted. My code will then needs to validate that the passed key matches some predetermined value on my side. The incoming model will look something like this:

public class RequestBase
{
    public string ApiKey { get; set; }
    ...
}

探索我没有看到与我尝试做的匹配的东西.我正在考虑从此一个问题可以解决，但是无论我做什么，我都没有运气，得到401.这是我到目前为止的内容:

Exploring the options for Authorization in ASP.NET Core I don't really see a match for what I am attempting to do. I am thinking a custom AuthorizeAttribute from this question would work but I'm not having any luck and get a 401 regardless of what I do. This is what I have so far:

[AttributeUsage(AttributeTargets.Class)]
public class MyAuthorizeAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    private static IEnumerable<string> _apiKeys = new List<string>
        {
            "some key... eventually will be dynamic"
        };

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var req = context.HttpContext.Request;
        req.EnableRewind();

        using (var reader = new StreamReader(req.Body, Encoding.UTF8, true, 1024, true))
        {
            var bodyStr = reader.ReadToEnd();
            var isAuthorized = _apiKeys.Any(apiKey => bodyStr.Contains(apiKey));
            if (!isAuthorized)
            {
                context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
                return;
            }
        }

        req.Body.Position = 0;
    }
}

当在主体中找不到密钥时，将按预期返回403.但是，找到键后，返回的结果仍然是401.几乎好像好像在调用了base.OnAuthorization.我还有其他使用标准AurhorizeAttribute的端点.只有当我通过JWT时，它们才能按预期工作.

When the key is not found in the body the 403 is returned as expected. However, when the key is found the result I get back is still a 401. Almost seems as if the base.OnAuthorization is being called. I have other endpoints that use a standard AurhorizeAttribute. They work as expected when only if I pass in a JWT.

问题:

1. 我在使用自定义AuthorizeAttribute的正确路径上还是有更好的方法?
2. 如果客户的AuthorizeAttribute是正确的路径...我想念什么?

感谢任何帮助！

推荐答案

要与 IAuthorizationFilter 一起使用自己的授权逻辑，请勿与 AuthorizeAttribute 一起使用，该逻辑将检查使用默认身份验证架构进行身份验证.

For using your own authorize logic with IAuthorizationFilter, you should not use with AuthorizeAttribute which will check the Authentication with default authentication schema.

尝试将 AuthorizeAttribute 更改为 Attribute .

[AttributeUsage(AttributeTargets.Class)]
public class KeyAuthorizeAttribute : Attribute, IAuthorizationFilter
{

这篇关于Asp.Net Core 2.1-根据请求中的内容进行授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！