除非指定AuthenticationScheme，否则未经授权的API访问 [英] API access unauthorized unless AuthenticationScheme is specified

问题描述

我正在与Identity Server 4一起学习Asp.Net Core身份.到目前为止，我已经根据IDS4对用户进行了身份验证，然后我可以获取令牌来使用访问我的API，所有这些都可以正常使用，但是我始终需要在API控制器上使用指定的 AuthenticationScheme 参数创建我的授权属性，即使我将其指定为我的API的 Config.cs (根据多个来源/我已阅读的指南).

I'm in the process of learning Asp.Net Core Identity along with Identity Server 4. So far I have got my User authenticated against IdS4, then I can get a token to use access my API, this all works as expected, however I always need to create my Authorization Attributes on my API controller with a specified AuthenticationScheme parameter, even though I specify it my API's Config.cs (according to several sources/guides I have read).

这是我的API的 Config.cs ，我已将不同的尝试注释掉了.每个版本都没有任何作用，偶尔会出现500错误而不是401错误，但这取决于我做错了什么！

This is my API's Config.cs, I have left the different attempts commented out. Each version hasn't has any effect, occasionally a 500 error instead of a 401, but that will be down to me doing something very wrong!

public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<ApplicationCoreDbContext>(opt => opt.UseInMemoryDatabase("TestItem"));

    services
        .AddMvc();

    services
        //.AddAuthentication(cfg =>
        //{
        //    cfg.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        //    cfg.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        //})
        .AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        //.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "https://localhost:5001";
            options.RequireHttpsMetadata = false;
            options.ApiName = "web_api";
            options.EnableCaching = true;
            options.CacheDuration = TimeSpan.FromMinutes(10);
        });
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
       app.UseDeveloperExceptionPage();
    }

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseAuthorization();

    app.UseAuthentication();
        
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

这是我的API控制器的示例端点.在当前状态下，它可以正常工作，但是我相信我不需要指定 AuthenticationSchemes ，但是如果删除它，我总是会收到401错误.有人对我的失踪有任何建议吗?

Here is a sample endpoint from my API Controller. In it's current state it works fine, however I believe I shouldn't need to specify the AuthenticationSchemes, but if I remove it, I always get a 401 error. Does anyone have any suggestions on what I'm missing?

// GET: api/TestItems
[HttpGet]
//[Authorize]
[Authorize(AuthenticationSchemes = "Bearer")]
public async Task<ActionResult<IEnumerable<TestItemDto>>> GetTestItems()
{
    //SNIP
}

推荐答案

问题是由于在 Startup.Configure 方法中添加了中间件的顺序所致.正确的订单对于安全性至关重要.在此处一个>.在这种情况下，您将 app.UseAuthorization()移到 app.UseAuthentication()之后.代码如下:

Issue is because of order of middleware added in the Startup.Configure method. Proper order is critical for security. Read more here. In this case you move app.UseAuthorization() to be after app.UseAuthentication(). The code would be like:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
       app.UseDeveloperExceptionPage();
    }

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

这篇关于除非指定AuthenticationScheme，否则未经授权的API访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！