Authorize via JWT Token


Problem description

ASP.NET Core 5 with ASP.NET Identity 3.0; I'm using both web pages and APIs. I am using OpenIddict to issue a JWT token and to authenticate. My code looks as such:

    // Signing certificate loaded from a PKCS#12 file (password hard-coded here only for illustration)
    X509Certificate2 c = new X509Certificate2(@"tokensign.p12", "MyCertificatePassword");

    services.AddOpenIddict<WebUser, IdentityRole<int>, WebDbContext, int>()
        .EnableTokenEndpoint("/api/customauth/login")   // path of the token endpoint
        .AllowPasswordFlow()                            // resource owner password credentials grant
        .UseJsonWebTokens()                             // issue access tokens as JWTs instead of the default Data Protection format
        .AddSigningCertificate(c);                      // certificate used to sign the JWTs

If I disable UseJsonWebTokens(), I can generate a token and authorise successfully. However, I am not sure that my certificate is validating the returned tokens.

And when I enable UseJsonWebTokens, I am able to issue a JWT token at this endpoint. However, I can't authenticate any request!

I am using the following code in the app configuration:

    app.UseJwtBearerAuthentication(new JwtBearerOptions
    {
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        RequireHttpsMetadata = false,                 // plain-http metadata: acceptable for localhost only
        Authority = "http://localhost:60000/",        // discovery document and signing keys are fetched from here
        Audience = "http://localhost:60000/",
    });
    app.UseOAuthValidation();   // validates the default (Data Protection) access tokens, not JWTs
    app.UseIdentity();
    app.UseOpenIddict();
    app.UseMvcWithDefaultRoute();

  • How can I enforce the request to be validated with my certificate, to make sure the JWT token is not tampered with?
  • What are the correct settings that will allow validation and authorisation of my JWT token, given that if I am not using JWT, I am getting authorised successfully?
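One way to make the bearer middleware depend on your own certificate, added here as an example and not taken from the question or the answer: it pins IssuerSigningKey to the public half of tokensign.p12 and drops Authority, so validation no longer depends on metadata fetched at runtime. It assumes the API process can read the same tokensign.p12 that was passed to AddSigningCertificate(), and that the issuer and audience strings match the iss and aud claims OpenIddict actually places in the access token (decode one issued token and check before relying on them).

```csharp
// Added example (not the question's or the answer's code): JwtBearerOptions that
// validate only against the OpenIddict signing certificate.
// Assumptions: tokensign.p12 is the certificate passed to AddSigningCertificate(),
// and the iss/aud values below equal the claims found in the issued tokens.
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.IdentityModel.Tokens;

X509Certificate2 signingCert = new X509Certificate2(@"tokensign.p12", "MyCertificatePassword");
// Keep only the public half on the validating side: verification never needs the private key.
X509Certificate2 verifyCert = new X509Certificate2(signingCert.Export(X509ContentType.Cert));

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    // Authority is intentionally omitted: when it is set, the middleware merges the keys
    // advertised by the discovery document into the accepted set, so validation would
    // not rest solely on the certificate pinned below.
    TokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKey = new X509SecurityKey(verifyCert),
        ValidateIssuerSigningKey = true,
        ValidateIssuer = true,
        ValidIssuer = "http://localhost:60000/",     // assumption: equals the token's "iss" claim
        ValidateAudience = true,
        ValidAudience = "http://localhost:60000/",   // assumption: equals the token's "aud" claim
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromMinutes(1),         // tighter than the five-minute default
    }
});
```

This replaces the UseJwtBearerAuthentication call in Configure; the rest of the pipeline (UseOAuthValidation, UseIdentity, UseOpenIddict) stays as it is. Because tokens in the default Data Protection format are never signed with the certificate, this pinning only has an effect while UseJsonWebTokens() is enabled.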
Recommended answer

    If I disable UseJsonWebTokens(), I can generate a token and authorise successfully. However, I am not sure that my certificate is validating the returned tokens.

    In ASOS (the OpenID Connect server framework behind OpenIddict), there are two different built-in serialization mechanisms to create and protect tokens:

    • One that uses IdentityModel (a library developed by Microsoft) and produces standard tokens verifiable by third parties:

    Identity tokens (JWTs by definition) are always created using this process, and you can call UseJsonWebTokens() to force OpenIddict to issue access tokens that use the same serialization process.

    The certificate you specify when calling AddSigningCertificate() is always used to sign these tokens.

    • One that uses the ASP.NET Core Data Protection stack (also developed by Microsoft):

    This stack exclusively produces "proprietary" tokens that are not meant to be read or verified by a third party, as the token format is not standard and necessarily relies on symmetric signing and encryption.

    It's the mechanism we use for authorization codes and refresh tokens, which are only meant to be consumed by OpenIddict itself. It's also used for access tokens when you use the default token format.

    In this case, the certificate you specify when calling AddSigningCertificate() is not used.

    Instead, these tokens are always encrypted by the Data Protection stack using an authenticated encryption algorithm (by default, AES-256-CBC with HMACSHA256) that provides authenticity, integrity and confidentiality. For that, two keys (one for encryption, one for validation) are derived by the Data Protection stack from one of the master keys stored in the key ring.

    How can I enforce the request to be validated with my certificate to make sure the JWT token is not tampered with? What are the correct settings that will allow validation and authorisation of my JWT token, given that if I am not using JWT, I am getting authorised successfully?

    To answer these questions, it would help if you enabled logging and shared your traces.
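The two mechanisms the answer describes, side by side, as an added example that is not part of the answer or of OpenIddict's own code: a JWT signed with the certificate, which any holder of the public half can verify and which fails verification once a claim is altered, next to a Data Protection token, which is opaque, is only readable by a process sharing the same key ring, and rejects any modification before decryption. It drives the IdentityModel JWT handler and the Data Protection stack directly; the assumptions are that tokensign.p12 is the certificate from the question, that the System.IdentityModel.Tokens.Jwt and Microsoft.AspNetCore.DataProtection.Extensions packages are referenced, and that the two key-ring directories are writable.

```csharp
// Added example (not from the page): contrasts the two token serialization mechanisms
// the answer describes. Assumes tokensign.p12 is the certificate handed to
// AddSigningCertificate() and that ./keyring and ./other-keyring are writable.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.IdentityModel.Tokens;

static class TokenFormatsDemo
{
    const string Issuer = "http://localhost:60000/";   // assumption: same value as the question's Authority

    // Mechanism 1: IdentityModel JWT, asymmetrically signed with the certificate's private key.
    static string IssueJwt(X509Certificate2 signingCert)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Issuer,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(new X509SecurityKey(signingCert), SecurityAlgorithms.RsaSha256),
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Verification needs only the public half: this is what a third party would do.
    static bool JwtVerifies(string jwt, X509Certificate2 publicOnly)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Issuer,
            IssuerSigningKey = new X509SecurityKey(publicOnly),
        };
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out SecurityToken _); return true; }
        catch (SecurityTokenException) { return false; }
    }

    // Rewrite a claim in the payload while keeping the original signature.
    static string TamperJwt(string jwt)
    {
        string[] parts = jwt.Split('.');
        string payload = Base64UrlEncoder.Decode(parts[1]).Replace("\"alice\"", "\"admin\"");
        return parts[0] + "." + Base64UrlEncoder.Encode(payload) + "." + parts[2];
    }

    static void Main()
    {
        var signingCert = new X509Certificate2(@"tokensign.p12", "MyCertificatePassword");
        var publicOnly = new X509Certificate2(signingCert.Export(X509ContentType.Cert));

        string jwt = IssueJwt(signingCert);
        Console.WriteLine("JWT payload, readable by anyone: " + Base64UrlEncoder.Decode(jwt.Split('.')[1]));
        Console.WriteLine("JWT verifies with public cert:   " + JwtVerifies(jwt, publicOnly));
        Console.WriteLine("Tampered JWT verifies:           " + JwtVerifies(TamperJwt(jwt), publicOnly));

        // Mechanism 2: Data Protection. The certificate plays no part; the encryption and
        // validation keys are derived from a master key in the key ring.
        const string purpose = "demo access token";
        var protector = DataProtectionProvider.Create(new DirectoryInfo("./keyring")).CreateProtector(purpose);
        string opaque = protector.Protect("{\"sub\":\"alice\"}");
        Console.WriteLine("Data Protection token (opaque):  " + opaque);
        Console.WriteLine("Round-trip with same key ring:   " + protector.Unprotect(opaque));

        // Flip one character in the middle: the HMAC check fails, nothing is decrypted.
        char[] chars = opaque.ToCharArray();
        chars[chars.Length / 2] = chars[chars.Length / 2] == 'A' ? 'B' : 'A';
        try { protector.Unprotect(new string(chars)); Console.WriteLine("tampered token accepted?!"); }
        catch (CryptographicException) { Console.WriteLine("Tampered Data Protection token:  rejected"); }

        // A process with a different key ring cannot verify or read it at all, unlike the JWT.
        var stranger = DataProtectionProvider.Create(new DirectoryInfo("./other-keyring")).CreateProtector(purpose);
        try { stranger.Unprotect(opaque); Console.WriteLine("foreign key ring accepted?!"); }
        catch (CryptographicException) { Console.WriteLine("Foreign key ring:                rejected"); }
    }
}
```

The contrast is the practical consequence of the answer: when UseJsonWebTokens() is off, nothing in the JwtBearer middleware ever sees your certificate, and the only component able to validate the access token is one that shares OpenIddict's key ring (which is what UseOAuthValidation() relies on); when it is on, the token is a plain RS256 JWT and the certificate's public key is all a resource server needs.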

