在ASP.NET Core中,从Cookie而不是标题中读取JWT令牌 [英] In ASP.NET Core read JWT token from Cookie instead of Headers
问题描述
我正在将ASP.NET Web API 4.6 OWIN应用程序移植到ASP.NET Core 2.1.该应用程序基于JWT令牌运行.但是令牌通过cookie而不是标头传递.我不确定为什么不使用标题,这只是我必须处理的情况.
I am porting an ASP.NET Web API 4.6 OWIN application to ASP.NET Core 2.1. The application is working based on JWT token. But the token in passed via cookie instead of header. I'm not sure why headers are not used, it is just the situation that I have to deal with.
考虑不通过cookie进行身份验证. cookie只是用作传输介质.在旧版应用程序中,CookieOAuthBearerProvider用于从cookie中提取JWT令牌.配置代码如下:
Consider that authentication is not done via cookie. The cookie is just used as a transfering media. In the legacy application CookieOAuthBearerProvider is employed to extract JWT token from cookie. Configuration code is as like this:
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { audienceId },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
},
Provider = new CookieOAuthBearerProvider("token")
});
}
CookieOAuthBearerProvider类源代码如下:
public class CookieOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
readonly string _name;
public CookieOAuthBearerProvider(string name)
{
_name = name;
}
public override Task RequestToken(OAuthRequestTokenContext context)
{
var value = context.Request.Cookies[_name];
if (!string.IsNullOrEmpty(value))
{
context.Token = value;
}
return Task.FromResult<object>(null);
}
在此处中讨论了该解决方案,其中有更多内容细节.
This solution is discussed here with more detail.
现在,我需要为ASP.NET Core实现类似的解决方案.问题是UseJwtBearerAuthentication在ASP.NET Core中不再存在,而且我不知道如何引入自定义AuthenticationProvider.
Now I need to implement similar solution for ASP.NET Core. Problem is that UseJwtBearerAuthentication does not exists in ASP.NET Core anymore and I do not know how I can introduce a custom AuthenticationProvider.
我们非常感谢您的帮助.
Any helps is highly appreciated.
更新: 有一种尝试通过自己的代码验证JWT的解决方案.这不是我所需要的.我只是在寻找一种将从cookie接收到的令牌传递到标头阅读器的方法.
UPDATE: There is a solution that tries to validate JWT by its own code. It is not what I need. I'm just searching for a way to pass token recieved from cookie to header reader.
推荐答案
在ASP.NET Core 2.0中,对身份验证系统进行了全面的改进.而不是使用例如UseJwtBearerAuthentication作为中间件,ASP.NET Core 2.0+使用DI进行配置.例如,这看起来像这样:
In ASP.NET Core 2.0, the authentication system was somewhat overhauled. Rather than using e.g. UseJwtBearerAuthentication as middleware, ASP.NET Core 2.0+ configures things using DI. For example, this looks something like this:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options => {
// ...
});
}
接下来,下一个问题将是:我们如何指示JwtBearer身份验证过程使用此新系统查看cookie?
With that out of the way, the next question would be: how do we instruct the JwtBearer authentication process to look at a cookie using this new system?
传递给AddJwtBearer的options对象包含其自己的Events属性,该属性使您可以自定义过程的各个部分.使用OnMessageReceived,您可以实现所需的目标:
That options object being passed in to AddJwtBearer contains an Events property of its own, which allows you to customise various parts of the process. Using OnMessageReceived, you can achieve what you're looking for:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options => {
options.Events = new JwtBearerEvents
{
OnMessageReceived = context =>
{
context.Token = context.Request.Cookies["CookieName"];
return Task.CompletedTask;
}
};
});
}
通过设置context.Token,您将告诉JwtBearer进程您已经自己提取了令牌.
By setting context.Token, you're telling the JwtBearer process that you've taken care of extracting the token yourself.
Here's a useful migration document that explains the authentication changes in more detail.
这篇关于在ASP.NET Core中,从Cookie而不是标题中读取JWT令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
