如何在管道早期对JWT承载令牌进行自定义验证 [英] How to have custom validation of a JWT bearer token early in the pipeline
问题描述
我的传入承载令牌中的听众不正确.通过其他声明,令牌中有足够的信息来证明观众应该是什么样的人. 我希望尽早修复它,以便仍然可以利用JwtBearerOptions.TokenValidationParameters.ValidateAudience = true;. JwtBearerOptions.TokenValidationParameters.ValidAudiences = {合适的人"};
I have in incoming bearer token that has an incorrect audience. There is enough information in the token via other claims that prove what the audience should be. I was hoping to fix it up early so that I could still take advantage of the JwtBearerOptions.TokenValidationParameters.ValidateAudience = true; JwtBearerOptions.TokenValidationParameters.ValidAudiences ={"the right one"};
我可以挂钩OnTokenValidated事件,然后重写主体,但这为时已晚.在发行过程的早期,令牌已经过验证,并且由于受众错误,令牌已被拒绝.
I can hook the OnTokenValidated event, and rewrite the principal, but that is too late. Earlier in the pipeline the token has been validated and since the audience is wrong, it has already been rejected.
我可以通过使用授权策略,将ValidateAudience = false设置并在控制器级别进行处理来解决此问题.我不想将[Authorize("the-correct-audience")]属性添加到每个控制器,因为有人会错过一个.
I am able to get around this by using authorization policies, by setting ValidateAudience=false and taking care of this at the controller level. I don't like having to add that [Authorize("the-correct-audience")] attribute to every controller, because someone will miss one.
另一种替代方法是引入一种新的中间件,该中间件可用于identitiy.claims并在那里拒绝.
Another alternative is to introduce a new middleware that works on the identitiy.claims and reject there.
最后,当validateAudience作为过滤选项从我身边夺走时,我希望能够以validateAudience = true完成的方式全局拒绝这些令牌.
In the end I want to be able to globally reject these tokens the way a validateAudience = true accomplishes, when validateAudience has been taken away from me as a filtering option.
有人做过这样的事情吗?您还使用了哪些其他选择?
Has anyone done something like this and what other alternatives have you used?
推荐答案
解决方案1:通过引入中间件来解决它. 注意:请勿验证受众
Solution 1: Solve it by introducing a middleware. NOTE: Don't validate the audience
- 首先钩上以下内容;
```
JwtBearerOptions = options =>{
options.Events = new JwtBearerEvents
{
OnTokenValidated = context =>
{
...
// this will put in the right aud
// replace the entire principal
var appIdentity = new ClaimsIdentity(newClaims);
var claimsPrincipal = new ClaimsPrincipal(appIdentity);
context.Principal = claimsPrincipal;
}
}
}
- 介绍此中间件;
我在这里寻找aud,但您的身份一切都是公平的游戏.
- Introduce this middleware;
I am looking for aud here, but you everything is fair game in the identity.
```
app.UseAuthentication();
app.Use(async (HttpContext context, Func<Task> next) =>
{
//do work before the invoking the rest of the pipeline
if (context.Request.Headers.ContainsKey("x-authScheme") &&
context.Request.Headers.ContainsKey("Authorization") &&
context.User != null)
{
// looking for bearer token stuff.
var claims = context.User.Claims;
var q = from claim in claims
where claim.Type == "aud" && claim.Value == "aggregator_service"
select claim;
if (!q.Any())
{
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
return;
}
}
await next.Invoke(); //let the rest of the pipeline run
//do work after the rest of the pipeline has run
});
```
这篇关于如何在管道早期对JWT承载令牌进行自定义验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
