.net core 2.2 multiple bearer token authentication schemes


Problem description


I am currently trying to use 2 different bearer tokens in a .net core 2.2 app. I would like to use an Identity Server token and an Azure AD bearer token. According to Microsoft this is possible (https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-2.2) but I am having no success getting it working.


I have the Identity Server token as the "default" authentication followed by the AzureAD token as documented in the aforementioned link:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    // Registered under the default scheme name "Bearer" (JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = true,
            ValidateIssuer = true,
            ValidateLifetime = true,
            ClockSkew = ClockSkew
        };
        o.Audience = Audience;
        o.Authority = IdentityIssuer;
        o.RequireHttpsMetadata = true;
    })
    // Second scheme named "AzureAd"; scheme names are matched case-sensitively wherever they are referenced
    .AddJwtBearer("AzureAd", o =>
    {
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
        };
        o.Audience = AudienceUri;
        o.Authority = Authority;
    });


Identity Server tokens validate as expected; however Azure AD tokens do not. They appear to always hit the default Bearer token handler.

Recommended answer

Things to try:

1 Set the default policy

services.AddAuthorization(options =>
{
    // Without arguments, [Authorize] evaluates DefaultPolicy; naming both schemes here
    // makes the policy evaluator run both handlers instead of only the default one
    options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme, "AzureAD")
        .RequireAuthenticatedUser()
        .Build();
});


2 In OnAuthenticationFailed, under one of the jwtOptions.Events, add a condition: if it's authenticated, then complete the task and don't show the error. Sometimes the user is authenticated already, but the error from one provider prevents the proper response.

// Inside the scheme's JwtBearerEvents.OnAuthenticationFailed handler:
if (arg.HttpContext.User.Identity.IsAuthenticated)
{
    return Task.CompletedTask;
}


3 If this doesn't work, there's a hack to check if it's authenticated. Add more conditions per scheme.

// Register before UseMvc(): if the default scheme produced no identity, try the "AzureAD" scheme explicitly
app.Use(async (context, next) =>
{
    if (!context.User.Identity.IsAuthenticated)
    {
        var result = await context.AuthenticateAsync("AzureAD");
        if (result?.Principal != null)
        {
            context.User = result.Principal;
        }
    }

    await next.Invoke();
});
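As an added end-to-end example (not the asker's or the answerer's code), the following Startup combines the question's two-scheme registration with step 1 of the answer, which is the part that makes a plain [Authorize] consult both handlers. The authority and audience values are placeholders, the scheme constant AzureAdScheme and the PingController are assumptions introduced for illustration, and the scheme name is spelled identically everywhere because scheme lookup is an ordinal string match.

```csharp
// Added example: two JWT bearer schemes in ASP.NET Core 2.2 with a default
// authorization policy that evaluates both. Not code from the original post.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Assumed scheme name; must match exactly wherever it is referenced.
    private const string AzureAdScheme = "AzureAd";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            // Scheme "Bearer": tokens issued by Identity Server.
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, o =>
            {
                o.Authority = "https://identity.example.invalid";   // placeholder
                o.Audience = "api1";                                // placeholder
                o.RequireHttpsMetadata = true;
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true
                };
            })
            // Scheme "AzureAd": tokens issued by Azure AD for this API's App ID URI.
            .AddJwtBearer(AzureAdScheme, o =>
            {
                o.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0"; // placeholder
                o.Audience = "api://<app-id-uri>";                                  // placeholder
                o.RequireHttpsMetadata = true;
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true
                };
            });

        // [Authorize] without arguments evaluates DefaultPolicy. Listing both
        // schemes makes the policy evaluator call AuthenticateAsync for each one
        // and merge whichever identities succeed, instead of trying only "Bearer".
        services.AddAuthorization(options =>
        {
            options.DefaultPolicy = new AuthorizationPolicyBuilder(
                    JwtBearerDefaults.AuthenticationScheme, AzureAdScheme)
                .RequireAuthenticatedUser()
                .Build();
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so the default scheme is applied
        app.UseMvc();
    }
}

// Per-endpoint alternative: name the schemes on the attribute. Only the listed
// handlers are consulted for this action, regardless of the default policy.
[ApiController]
[Route("api/[controller]")]
public class PingController : ControllerBase
{
    [HttpGet]
    [Authorize(AuthenticationSchemes = "Bearer,AzureAd")]
    public IActionResult Get()
    {
        // "iss" is left unmapped by the JWT handler, so it shows which authority
        // actually issued the accepted token.
        return Ok(new { issuer = User.FindFirst("iss")?.Value });
    }
}
```

Each handler fetches its own authority's discovery document and checks issuer, audience, lifetime and signature against it, so a token minted by Identity Server is rejected by the Azure AD handler and vice versa. With both schemes in the policy, exactly one handler succeeds on a given request and the other's OnAuthenticationFailed fires; that failure is logged but does not abort the request, so it needs no suppression. Keep each scheme's audience specific to this API so that a token issued for some other resource by the same authority is not accepted.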
