Using JwtAuthProviderReader with ServiceStack and AWS Cognito


Question

We are using an existing user pool in AWS Cognito; a separate client app is created for our API server.

When using the hosted UI from Cognito accessToken, idToken and refreshToken.

The issue is when adding JwtAuthProviderReader to AuthFeature for doing the token validation we get "HTTP/1.1 401 Unauthorized" for any endpoint we create with the [Authenticate] attribute.

Plugins.Add(new AuthFeature(() => new AuthUserSession(),
  new IAuthProvider[]
  {
    new JwtAuthProviderReader
    {
      Audience = "11rqr096c55xxxxxxxxxxxxxx", // App client id, compared against the token's audience
      Issuer = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxXxxXXxX", // user pool URL, compared against "iss"
      HashAlgorithm = "RS256", // Cognito signs tokens with RSA, so only the public key is needed to verify
      PublicKey = new RSAParameters
      {
        // "n" and "e" copied from the user pool's jwks.json (modulus elided here)
        Modulus = Base64UrlEncoder.DecodeBytes("JRDU3q2XoOcKGjcj1DsJ3Xj .... DTNVCGzUCGosKGYL0Q"),
        Exponent = Base64UrlEncoder.DecodeBytes("AQAB")
      },
      RequireSecureConnection = false, // allow plain HTTP while testing locally
    }
  }
)
{
  IncludeAssignRoleServices = false
});

The Modulus and Exponent are from e and n in the Well-Known response, ref https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxXxxXXxX/.well-known/jwks.json

A service protected by the [Authenticate] attribute always returns HTTP/1.1 401 Unauthorized:

[Authenticate]
public object Get(GetTenants request)
{
   return ...;
} 

How can we know that our JwtAuthProviderReader is set up correctly?

Answer

You can test whether your JWT can be validated with ServiceStack's JWT Auth Provider by testing the JWT Token in the IsJwtValid API of a configured JwtAuthProviderReader instance, e.g.:

var jwtAuth = new JwtAuthProviderReader { ... };
jwtAuth.IsJwtValid(jwt);

This will return false if the JWT is not valid. There are a lot of reasons why a JWT wouldn't be valid, so the first thing I'd check is to test you can actually decrypt the JWE Token by calling GetVerifiedJwePayload(), e.g.:

var jsonObj = jwtAuth.GetVerifiedJwePayload(null, jwt.Split('.'));

If successful it will return a decrypted but unverified JSON Object. This will fail with your current configuration because decrypting an RSA JWE Token requires configuring the complete PrivateKey, i.e. not just the PublicKey components.

If you're only using RSA256 to verify the JWT Signature instead of encrypting the JWE Token and jwtAuth.IsJwtValid(jwt) returns false, you can verify whether the signature is valid by calling GetVerifiedJwtPayload(), e.g.:

var jwtBody = jwtAuth.GetVerifiedJwtPayload(null, jwt.Split('.'));

This will return null if the signature verification failed, otherwise it will return a JsonObject with the contents of the JWT Body.

You can then validate the jwtBody payload to check if the JWT is valid, e.g.:

var invalidErrorMessage = jwtAuth.GetInvalidJwtPayloadError(jwtBody);
var jwtIsValid = invalidErrorMessage == null;

This returns null if the JWT is valid, otherwise a string error message saying why it's not.
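The staged checks from the answer, put together as one diagnostic helper (an added example, not code from the answer or from ServiceStack). It also builds the JwtAuthProviderReader from the jwks.json key whose "kid" matches the token header, since Cognito publishes more than one key and hand-copying the wrong "n" is an easy way to get a 401. Assumptions: the caller has already fetched the pool's jwks.json as a string, `Base64UrlEncoder` is the Microsoft.IdentityModel.Tokens helper used in the question, and the `issuer`/`clientId` values are the pool URL and app client id from the configuration above.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.IdentityModel.Tokens; // Base64UrlEncoder, as used in the question
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Text;

public static class CognitoJwtDiagnostics
{
    // Build the reader from the JWKS entry whose "kid" matches the token header.
    // jwksJson is assumed to be the body of <issuer>/.well-known/jwks.json.
    public static JwtAuthProviderReader ReaderForToken(string jwt, string jwksJson, string issuer, string clientId)
    {
        var headerJson = Encoding.UTF8.GetString(Base64UrlEncoder.DecodeBytes(jwt.Split('.')[0]));
        var kid = JsonObject.Parse(headerJson).Get("kid");
        using var jwks = JsonDocument.Parse(jwksJson);
        foreach (var key in jwks.RootElement.GetProperty("keys").EnumerateArray())
        {
            if (key.GetProperty("kid").GetString() != kid) continue;
            return new JwtAuthProviderReader
            {
                Audience = clientId,
                Issuer = issuer,
                HashAlgorithm = key.GetProperty("alg").GetString(), // "RS256" for Cognito
                PublicKey = new RSAParameters
                {
                    Modulus = Base64UrlEncoder.DecodeBytes(key.GetProperty("n").GetString()),
                    Exponent = Base64UrlEncoder.DecodeBytes(key.GetProperty("e").GetString()),
                },
                RequireSecureConnection = false,
            };
        }
        throw new InvalidOperationException($"No JWKS key with kid '{kid}': token is not from this pool, or keys were rotated");
    }

    // Run the answer's checks in order and report the first stage that fails.
    public static string Diagnose(JwtAuthProviderReader jwtAuth, string jwt)
    {
        if (jwtAuth.IsJwtValid(jwt)) return "OK: token validates";
        var jwtBody = jwtAuth.GetVerifiedJwtPayload(null, jwt.Split('.'));
        if (jwtBody == null) return "Signature check failed: wrong key (kid/n/e) or token not signed with RS256";
        var err = jwtAuth.GetInvalidJwtPayloadError(jwtBody);
        if (err != null) return "Claims check failed: " + err;
        return "Signature and claims pass; look at the request (Authorization header, token type) rather than the key";
    }
}
```

If the claims stage reports an audience problem, check which of the three Cognito tokens is being sent: the ID token carries the app client id in "aud", whereas the access token carries it in "client_id" instead.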
