Ignore JWT Bearer token signature (i.e. don't validate token)


Question

I have an API that sits behind an API Gateway. The API Gateway validates the bearer token before passing the request along to the API.

My API then uses the asp.net core 2.0 native authentication and claims-based authorization framework. The grunt work of getting the claims from the JWT token is done by the middleware in Microsoft.AspNetCore.Authentication.JwtBearer.

This middleware can be configured to ignore the expiration date on the token, and it is also possible to specify a local public key so it is not necessary to contact the token authority to obtain one, but is it possible to just disable the signature validation on the token?

This would allow use of unsigned tokens for ad-hoc testing in development and prevent double validation (gateway and then API) in production.

Answer

Try this. Finally, I got it to work after so much trying.

using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

// ValidIssuer and ValidAudience are string fields of the enclosing class (not shown in the answer).
public TokenValidationParameters CreateTokenValidationParameters()
{
    var result = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidIssuer = ValidIssuer,

        ValidateAudience = false,
        ValidAudience = ValidAudience,

        ValidateIssuerSigningKey = false,
        //IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecretKey)),
        //comment this and add this line to fool the validation logic
        // SignatureValidator replaces the built-in signature check: this one only parses the
        // token and hands it back, so no signature is ever verified.
        SignatureValidator = delegate (string token, TokenValidationParameters parameters)
        {
            var jwt = new JwtSecurityToken(token);

            return jwt;
        },

        RequireExpirationTime = true,
        ValidateLifetime = true,

        ClockSkew = TimeSpan.Zero,
    };

    // Also accept tokens that carry no signature segment at all.
    result.RequireSignedTokens = false;

    return result;
}
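The question asks for two different things (a local public key that avoids the round trip to the token authority, and no signature check at all for ad-hoc development), and the answer shows only the second. The following is an added example, not code from the asker or the answerer, wiring both into an ASP.NET Core 2.x Startup so the environment decides which one the JwtBearer middleware uses. The issuer, audience and certificate path are placeholders; IHostingEnvironment is the 2.x hosting interface.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IHostingEnvironment _env;

    public Startup(IHostingEnvironment env) => _env = env;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Authority/MetadataAddress are left unset, so the middleware never
                // contacts the token authority; the key (if any) comes from below.
                options.TokenValidationParameters = _env.IsDevelopment()
                    ? UnverifiedParameters()
                    : LocallyVerifiedParameters();
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }

    // Development only: parse the token and expose its claims without any signature check.
    // Every claim in the token is taken at face value, so this must stay out of any
    // environment where the API is reachable without the gateway in front of it.
    private static TokenValidationParameters UnverifiedParameters() => new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateIssuerSigningKey = false,
        RequireSignedTokens = false,          // accept tokens with an empty signature segment
        RequireExpirationTime = false,
        ValidateLifetime = false,             // hand-written test tokens rarely carry a sane "exp"
        SignatureValidator = (token, parameters) => new JwtSecurityToken(token),
    };

    // Everything else: full validation against a copy of the authority's public key kept
    // beside the API, so there is still no round trip to the authority on each request.
    private static TokenValidationParameters LocallyVerifiedParameters() => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "https://issuer.example/",                 // placeholder issuer value
        ValidateAudience = true,
        ValidAudience = "my-api",                                // placeholder audience
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new X509SecurityKey(
            new X509Certificate2("gateway-signing-public.cer")), // placeholder path, public cert only
        RequireSignedTokens = true,
        RequireExpirationTime = true,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromSeconds(30),
    };
}
```

The two parameter sets are deliberately kept side by side so the difference is visible in one place: the development branch is the answer's trick (a SignatureValidator that only parses, plus RequireSignedTokens = false), while the other branch keeps signature, issuer, audience and lifetime checks but satisfies the "no call to the authority" requirement by loading the verification key from a local certificate. If the production goal is truly to skip validation because the gateway already did it, the property that makes that safe is network placement (the API accepting traffic only from the gateway), not anything in this file.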
