Using JwtAuthProviderReader with ServiceStack and AWS Cognito

Question
We are using an existing user pool in AWS Cognito; a separate client app is created for our API server.
When using the hosted UI from Cognito, we get accessToken, idToken and refreshToken.
The issue is that when adding JwtAuthProviderReader to AuthFeature to do the token validation, we get "HTTP/1.1 401 Unauthorized" for any endpoint we create with the [Authenticate] attribute:
    Plugins.Add(new AuthFeature(() => new AuthUserSession(),
        new IAuthProvider[]
        {
            new JwtAuthProviderReader
            {
                Audience = "11rqr096c55xxxxxxxxxxxxxx", // App client id
                Issuer = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxXxxXXxX",
                HashAlgorithm = "RS256",
                PublicKey = new RSAParameters
                {
                    Modulus = Base64UrlEncoder.DecodeBytes("JRDU3q2XoOcKGjcj1DsJ3Xj .... DTNVCGzUCGosKGYL0Q"),
                    Exponent = Base64UrlEncoder.DecodeBytes("AQAB")
                },
                RequireSecureConnection = false,
            }
        })
    {
        IncludeAssignRoleServices = false
    });
The Modulus and Exponent are from n and e in the Well-Known response, ref https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxXxxXXxX/.well-known/jwks.json
A service protected by the Authenticate attribute always returns HTTP/1.1 401 Unauthorized:
    [Authenticate]
    public object Get(GetTenants request)
    {
        return ...;
    }
How can we know that our JwtAuthProviderReader is set up correctly?

Answer
You can test whether your JWT can be validated with ServiceStack's JWT Auth Provider by testing the JWT token in the IsJwtValid API of a configured JwtAuthProviderReader instance, e.g.:
    var jwtAuth = new JwtAuthProviderReader { ... }; // configured as in the question
    jwtAuth.IsJwtValid(jwt);
This will return false if the JWT is not valid. There are a lot of reasons why a JWT wouldn't be valid, so the first thing I'd check is to test that you can actually decrypt the JWE token by calling GetVerifiedJwePayload(), e.g.:
    var jsonObj = jwtAuth.GetVerifiedJwePayload(null, jwt.Split('.'));
If successful it will return a decrypted but unverified JSON object. This will fail with your current configuration because decrypting an RSA JWE token requires configuring the complete PrivateKey, i.e. not just the PublicKey components.
If you're only using RSA256 to verify the JWT signature instead of encrypting the JWE token and jwtAuth.IsJwtValid(jwt) returns false, you can verify whether the signature is valid by calling GetVerifiedJwtPayload(), e.g.:
    var jwtBody = jwtAuth.GetVerifiedJwtPayload(null, jwt.Split('.'));
This will return null if the signature verification failed, otherwise it will return a JsonObject with the contents of the JWT body.
You can then validate the jwtBody payload to check if the JWT is valid, e.g.:
    var invalidErrorMessage = jwtAuth.GetInvalidJwtPayloadError(jwtBody);
    var jwtIsValid = invalidErrorMessage == null;
Which returns null if the JWT is valid, otherwise a string error message explaining why it's not.
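The checks the answer walks through, put together as one diagnostic helper. This is an added example, not ServiceStack's code and not part of the answer: it assumes the JwtAuthProviderReader members named above (IsJwtValid, GetVerifiedJwtPayload, GetInvalidJwtPayloadError) with the signatures shown there, parses the JWKS with System.Text.Json, and picks the JWKS entry whose kid matches the token header rather than taking the first key. The class and method names (JwtDiagnostics, KidOf, ReaderFromJwks, Diagnose) are the example's own.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using ServiceStack.Auth;

// Added diagnostic helper (not ServiceStack's or the answer's own code). It runs the
// answer's checks in order and reports which step rejects the token.
public static class JwtDiagnostics
{
    // Decode a base64url segment ('-'/'_' alphabet, no padding) to raw bytes.
    static byte[] FromBase64Url(string s)
    {
        var b64 = s.Replace('-', '+').Replace('_', '/');
        var pad = (4 - b64.Length % 4) % 4;
        return Convert.FromBase64String(b64 + new string('=', pad));
    }

    // Read 'kid' from the (unverified) JWT header. A JWKS normally lists more than one
    // key, and PublicKey must be the one the token was actually signed with.
    public static string KidOf(string jwt)
    {
        var header = Encoding.UTF8.GetString(FromBase64Url(jwt.Split('.')[0]));
        using var doc = JsonDocument.Parse(header);
        return doc.RootElement.TryGetProperty("kid", out var kid) ? kid.GetString() : null;
    }

    // Build a reader whose PublicKey comes from the JWKS entry with the given kid,
    // taking Modulus/Exponent from 'n'/'e' exactly as the question's config does.
    public static JwtAuthProviderReader ReaderFromJwks(string jwksJson, string kid, string issuer, string audience)
    {
        using var doc = JsonDocument.Parse(jwksJson);
        var key = doc.RootElement.GetProperty("keys").EnumerateArray()
            .FirstOrDefault(k => k.GetProperty("kid").GetString() == kid);
        if (key.ValueKind == JsonValueKind.Undefined)
            throw new ArgumentException($"JWKS has no key with kid '{kid}'");

        return new JwtAuthProviderReader
        {
            Audience = audience,
            Issuer = issuer,
            HashAlgorithm = "RS256",
            PublicKey = new RSAParameters
            {
                Modulus = FromBase64Url(key.GetProperty("n").GetString()),
                Exponent = FromBase64Url(key.GetProperty("e").GetString()),
            },
            RequireSecureConnection = false, // local testing only, as in the question
        };
    }

    // Walk the answer's checks in order and say which one fails.
    public static string Diagnose(JwtAuthProviderReader jwtAuth, string jwt)
    {
        if (jwtAuth.IsJwtValid(jwt))
            return "OK: token passes IsJwtValid";

        var parts = jwt.Split('.');
        if (parts.Length == 5)
            return "Token is a JWE (5 segments): decrypting it needs the full PrivateKey, not just PublicKey";
        if (parts.Length != 3)
            return $"Not a signed JWT: expected 3 segments, got {parts.Length}";

        // Signature only: null means the configured PublicKey/HashAlgorithm did not verify it.
        var jwtBody = jwtAuth.GetVerifiedJwtPayload(null, parts);
        if (jwtBody == null)
            return "Signature verification failed: check HashAlgorithm and that n/e came from the JWKS entry with kid " + KidOf(jwt);

        // Signature is fine, so the rejection comes from the claims (issuer, audience, expiry, ...).
        var error = jwtAuth.GetInvalidJwtPayloadError(jwtBody);
        return error == null ? "OK: signature and claims valid" : "Claims rejected: " + error;
    }

    // Usage: <jwt> <path-to-jwks.json> <issuer> <audience>
    public static void Main(string[] args)
    {
        if (args.Length != 4)
            throw new ArgumentException("usage: <jwt> <jwks.json path> <issuer> <audience>");
        var jwt = args[0];
        var reader = ReaderFromJwks(File.ReadAllText(args[1]), KidOf(jwt), args[2], args[3]);
        Console.WriteLine(Diagnose(reader, jwt));
    }
}
```

Run it with the token the hosted UI returned and a saved copy of the pool's jwks.json; the printed line tells you whether the failure is at the signature step (wrong key or algorithm) or at the claims step (issuer, audience or expiry). One caveat on the claims step that is worth knowing when debugging against Cognito: the Cognito access token carries the app client id in a client_id claim and has no aud claim, while the ID token carries it in aud, so which of the two tokens you send affects whether the Audience check can pass.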