如何使AzureAD和自定义JWT令牌在Web API中并行工作? [英] How to make AzureAD and custom JWT tokens to work side by side in web API?
问题描述
API客户端使用的是API本身(标准)或Azure AD发出的JWT令牌.
The API client is using either JWT token issued by API itself (standard) or by Azure AD.
当我仅启用自定义(标准)承载身份验证时,一切运行正常,没有任何问题.
When I enable ONLY the custom (standard) bearer authentication, everything works perfectly, without any issues.
此外,当我仅启用Azure AD承载身份验证时,一切也将正常运行.
Also, when I enable ONLY the Azure AD bearer authentication, everything works perfectly, also.
同时启用这两个功能时,其中一个会停止工作.
When I enable both of them, one of them stops working.
这是我设置的.Net核心API:
Here is my setup of the .Net core API:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(BuildStandardJwtBearerOptions);
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
services.AddMvc()
.SetCompatibilityVersion(CompatibilityVersion.Version_2_1)
private void BuildStandardJwtBearerOptions(JwtBearerOptions options)
{
var settings = GetStandardTokenSettings(null);
options.IncludeErrorDetails = true;
options.RequireHttpsMetadata = false;
options.SaveToken = true;
var signingKeyBytes = Encoding.UTF8.GetBytes(settings.SecretKey);
var signingKey = new SymmetricSecurityKey(signingKeyBytes);
options.TokenValidationParameters = new TokenValidationParameters
{
ValidIssuer = settings.Issuer,
ValidAudience = settings.Issuer,
IssuerSigningKey = signingKey
};
}
这是客户端发送Azure AD令牌时的示例错误:
Here is an example error for when client is sending Azure AD token:
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:信息: 无法验证令牌.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10500:签名验证失败.没有提供安全密钥 验证签名.在 System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String 令牌,TokenValidationParametersvalidationParameters)位于 System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(字符串 令牌,TokenValidationParametersvalidationParameters,SecurityToken& validatedToken)位于 Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync() Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:信息: 未对AzureADJwtBearer进行身份验证.失败消息:IDX10500: 签名验证失败.没有提供安全密钥给 验证签名. Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:信息: 与{action ="List",controller ="Account"}匹配的路由. 执行动作BookRental.Api.Controllers.AccountController.List (BookRental.Api) Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:信息: 授权失败. Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:信息: 过滤器中的请求授权失败 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. Microsoft.AspNetCore.Mvc.ChallengeResult:信息:正在执行 带有身份验证方案()的ChallengeResult. Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:信息: 身份验证方案:AzureADJwtBearer受到了挑战. Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:信息: 执行的动作BookRental.Api.Controllers.AccountController.List (BookRental.Api)在7.1108毫秒内 Microsoft.AspNetCore.Hosting.Internal.WebHost:信息:请求 在16.8394ms内完成401
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10500: Signature validation failed. No security keys were provided to validate the signature. at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync() Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AzureADJwtBearer was not authenticated. Failure message: IDX10500: Signature validation failed. No security keys were provided to validate the signature. Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Route matched with {action = "List", controller = "Account"}. Executing action BookRental.Api.Controllers.AccountController.List (BookRental.Api) Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed. Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. Microsoft.AspNetCore.Mvc.ChallengeResult:Information: Executing ChallengeResult with authentication schemes (). Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AuthenticationScheme: AzureADJwtBearer was challenged. Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Executed action BookRental.Api.Controllers.AccountController.List (BookRental.Api) in 7.1108ms Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request finished in 16.8394ms 401
如何使这两种类型的令牌并排工作?
推荐答案
您可以通过同时指定两种身份验证方案来尝试更改授权系统的默认策略:
You can try to change the default policy of the authorization system by indicating both the authentication schemes :
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options))
.AddJwtBearer("scc", BuildStandardJwtBearerOptions);
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services
.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes(AzureADDefaults.BearerAuthenticationScheme, "scc")
.Build();
});
这篇关于如何使AzureAD和自定义JWT令牌在Web API中并行工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!