Asp.Net Core 2.1 - 根据请求中的内容进行授权 [英] Asp.Net Core 2.1 - Authorize based on content in request

问题描述

我正在公开一个端点以与 3rd 方集成，他们的要求是我根据在发布的正文中传递的密钥授权他们对我的端点的请求.然后，我的代码需要验证传递的密钥是否与我这边的某个预定值匹配.传入模型将如下所示:

I am exposing an endpoint for integration with a 3rd party and their requirement is for me to authorize their requests to my endpoint based on a key passed in the body being posted. My code will then needs to validate that the passed key matches some predetermined value on my side. The incoming model will look something like this:

public class RequestBase
{
    public string ApiKey { get; set; }
    ...
}

探索 授权的选项ASP.NET Core 我真的没有看到我想要做的事情的匹配项.我正在考虑来自 this 问题会起作用，但我没有任何运气，无论我做什么都会得到 401.这是我目前所拥有的:

Exploring the options for Authorization in ASP.NET Core I don't really see a match for what I am attempting to do. I am thinking a custom AuthorizeAttribute from this question would work but I'm not having any luck and get a 401 regardless of what I do. This is what I have so far:

[AttributeUsage(AttributeTargets.Class)]
public class MyAuthorizeAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    private static IEnumerable<string> _apiKeys = new List<string>
        {
            "some key... eventually will be dynamic"
        };

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var req = context.HttpContext.Request;
        req.EnableRewind();

        using (var reader = new StreamReader(req.Body, Encoding.UTF8, true, 1024, true))
        {
            var bodyStr = reader.ReadToEnd();
            var isAuthorized = _apiKeys.Any(apiKey => bodyStr.Contains(apiKey));
            if (!isAuthorized)
            {
                context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
                return;
            }
        }

        req.Body.Position = 0;
    }
}

当在正文中找不到密钥时，403 将按预期返回.然而，当找到密钥时，我得到的结果仍然是 401.几乎似乎正在调用 base.OnAuthorization.我还有其他使用标准 AurhorizeAttribute 的端点.只有当我传入 JWT 时，它们才能按预期工作.

When the key is not found in the body the 403 is returned as expected. However, when the key is found the result I get back is still a 401. Almost seems as if the base.OnAuthorization is being called. I have other endpoints that use a standard AurhorizeAttribute. They work as expected when only if I pass in a JWT.

问题:

1. 我使用自定义 AuthorizeAttribute 是否走在正确的道路上，还是有更好的方法?
2. 如果客户 AuthorizeAttribute 是正确的路径...我错过了什么?

感谢任何帮助！

推荐答案

对于将您自己的授权逻辑与 IAuthorizationFilter 一起使用，您不应与 AuthorizeAttribute 一起使用，它会检查使用默认身份验证架构进行身份验证.

For using your own authorize logic with IAuthorizationFilter, you should not use with AuthorizeAttribute which will check the Authentication with default authentication schema.

尝试将 AuthorizeAttribute 更改为 Attribute.

[AttributeUsage(AttributeTargets.Class)]
public class KeyAuthorizeAttribute : Attribute, IAuthorizationFilter
{

这篇关于Asp.Net Core 2.1 - 根据请求中的内容进行授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！