JWT 令牌认证，过期令牌仍在工作，.net core Web Api [英] JWT Token authentication, expired tokens still working, .net core Web Api

问题描述

我正在构建一个 .net core web api.

I'm building a .net core web api.

前言 - 我已经按照 https://stormpath 实现了令牌身份验证.com/blog/token-authentication-asp-net-core 和 https://dev.to/samueleresca/developing-token-authentication-using-aspnet-core.我还在 github 和 SO 上阅读了一些问题.

Preface - I've implemented token authentication as per https://stormpath.com/blog/token-authentication-asp-net-core and https://dev.to/samueleresca/developing-token-authentication-using-aspnet-core. I've also read a few issues on github and here on SO.

这也派上了用场 https://goblincoding.com/2016/07/24/asp-net-core-policy-based-authorisation-using-json-web-tokens/.

在实施完这一切之后，我觉得我错过了一些东西.

After implementing it all I'm feeling like I'm missing something.

我创建了一个简单的 Angular 应用程序，它位于 Web 客户端中.当我进行身份验证时，客户端会收到一个令牌.我现在将其存储在会话中(仍在开发中，因此将解决有关稍后存储位置的安全问题).

I've created a simple Angular application that sits in a web client. When I authenticate, client is sent a token. I'm storing that in session for now (still in dev so will address security concerns around where to store it later).

不太确定(JWT(JSON Web Token)自动延长过期) 很有用，因为据我所知，我还没有实现刷新令牌.

Not really sure this (JWT (JSON Web Token) automatic prolongation of expiration) is useful as I haven't implemented refresh tokens as far as I can see.

我注意到，当我调用注销，然后再次登录时，客户端会收到一个新令牌 - 正如预期的那样.但是，如果令牌过期时间已过(我将其设置为 1 分钟以进行测试)然后刷新页面，则令牌在我的应用程序中似乎保持不变.即好像令牌永不过期?！

I noticed that when I call logout, and then log back in again, the client is sent a new token - as expected. However, if the token expiry time is passed (I set it to 1 minute for testing) and then the page is refreshed, the token seems to remain the same in my app. i.e. it's as if the token never expires?!

我本来希望客户端返回 401 Unauthorized 错误，然后我可以强制用户重新进行身份验证.

这不是应该如何工作的吗? 后台是否有一些默认的自动刷新令牌魔法(我没有在教程中明确设置任何刷新令牌的概念)?还是我错过了令牌身份验证的概念?

Is this not how this should work? Is there some auto-refresh token magic going on in the background that is default (I haven't set up any notion of refresh tokens in the tutorials explicitly)? Or am I missing something about the concept of token auth?

另外 - 如果这是一个永久刷新的令牌，如果令牌被泄露，我是否应该担心安全性?

感谢您的帮助

推荐答案

我相信这和JwtBearerOptions中的ClockSkew有关.

I believe this has to do with ClockSkew in JwtBearerOptions.

更改为 TimeSpan.Zero，因为我相信默认设置为 5 分钟(虽然不是 100% 确定).

Change to TimeSpan.Zero as I believe the default is set to 5 minutes (not 100% sure though).

我在下面发布了一些示例代码，这些示例代码将放置在 Startup.cs => 配置中.

I have posted some sample code below that is to be placed in Startup.cs => Configure.

        app.UseJwtBearerAuthentication(new JwtBearerOptions()
        {
            AuthenticationScheme = "Jwt",
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidAudience = Configuration["Tokens:Audience"],
                ValidIssuer = Configuration["Tokens:Issuer"],
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Tokens:Key"])),
                ValidateLifetime = true,
                ClockSkew = TimeSpan.Zero
            }
        });

这篇关于JWT 令牌认证，过期令牌仍在工作，.net core Web Api的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！