JWT Token authentication, expired tokens still working, .net core Web Api


Problem description

I'm building a .net core web api.

Preface - I've implemented token authentication as per https://stormpath.com/blog/token-authentication-asp-net-core and https://dev.to/samueleresca/developing-token-authentication-using-aspnet-core. I've also read a few issues on github and here on SO.

This also came in handy https://goblincoding.com/2016/07/24/asp-net-core-policy-based-authorisation-using-json-web-tokens/.

After implementing it all I'm feeling like I'm missing something.

I've created a simple Angular application that sits in a web client. When I authenticate, client is sent a token. I'm storing that in session for now (still in dev so will address security concerns around where to store it later).

Not really sure this (JWT (JSON Web Token) automatic prolongation of expiration) is useful as I haven't implemented refresh tokens as far as I can see.

I noticed that when I call logout, and then log back in again, the client is sent a new token - as expected. However, if the token expiry time is passed (I set it to 1 minute for testing) and then the page is refreshed, the token seems to remain the same in my app. i.e. it's as if the token never expires?!

I would expect the client to be returned a 401 Unauthorized error, and I can then handle forcing the user to re-authenticate.

Is this not how this should work? Is there some auto-refresh token magic going on in the background that is default (I haven't set up any notion of refresh tokens in the tutorials explicitly)? Or am I missing something about the concept of token auth?

Also - if this is a permanently refreshing token, should I be concerned about security if the token was ever compromised?

Thanks for your help

Recommended answer

I believe this has to do with ClockSkew in JwtBearerOptions.

Change to TimeSpan.Zero as I believe the default is set to 5 minutes (not 100% sure though).

I have posted some sample code below that is to be placed in Startup.cs => Configure.

        app.UseJwtBearerAuthentication(new JwtBearerOptions()
        {
            AuthenticationScheme = "Jwt",
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidAudience = Configuration["Tokens:Audience"],
                ValidIssuer = Configuration["Tokens:Issuer"],
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Tokens:Key"])),
                ValidateLifetime = true,
                ClockSkew = TimeSpan.Zero
            }
        });
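
The effect of ClockSkew on an already expired token, as an added example that is not part of the original answer: the same token, expired two minutes ago, is validated once with the library default (`TokenValidationParameters.DefaultClockSkew`, which is 5 minutes) and once with `TimeSpan.Zero`. The issuer, audience and key are constructed demo values, and the program assumes the System.IdentityModel.Tokens.Jwt package is referenced.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class ClockSkewDemo
{
    // Constructed demo values (assumptions, not from the original post).
    const string Issuer = "https://issuer.example";
    const string Audience = "https://api.example";
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-0123456789-abcdef"));

    // Validates the token with the given skew and reports the outcome.
    static string Validate(string jwt, TimeSpan skew)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = Key,
            ValidateLifetime = true,
            ClockSkew = skew // tolerance added on top of the exp claim
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return "accepted";
        }
        catch (SecurityTokenExpiredException)
        {
            return "rejected (expired)";
        }
    }

    static void Main()
    {
        var now = DateTime.UtcNow;
        // Token whose exp claim is already two minutes in the past.
        var token = new JwtSecurityToken(Issuer, Audience,
            notBefore: now.AddMinutes(-10), expires: now.AddMinutes(-2),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        var jwt = new JwtSecurityTokenHandler().WriteToken(token);

        var defaultSkew = TokenValidationParameters.DefaultClockSkew;
        Console.WriteLine($"skew {defaultSkew}: {Validate(jwt, defaultSkew)}");
        Console.WriteLine($"skew {TimeSpan.Zero}: {Validate(jwt, TimeSpan.Zero)}");
    }
}
```

With a 1 minute token lifetime, the default skew keeps the token usable for roughly six minutes after issuance, which matches the behaviour described in the question.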
