如何在没有观众的情况下正确验证Cognito JWT,并在验证之后进行验证? [英] How to validate Cognito JWT with empty audience correctly and authenticate after?
本文介绍了如何在没有观众的情况下正确验证Cognito JWT,并在验证之后进行验证?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我使用带有JWT身份验证的aps.net core,我发现AWS Cogonito返回错误的令牌。相反,它在访问令牌中返回client_id。 我使用Nuget库
- AWSSDK.Core
- AWSSDK.CognitoIdentityProvider
- Amazon.Extensions.CognitoAuthentication
结果相同。例如: 访问令牌为:
{
"sub": "9ed87b45-da04-4fda-bc74-XXXXXXXXXXXX",
"event_id": "469880d0-8b17-417a-88d7-XXXXXXXXXXXX",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin",
"auth_time": 1583252488,
"iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_XXXXXXXX",
"exp": 1583256088,
"iat": 1583252488,
"jti": "c1ca9561-51ce-4b57-9f51-3355363fb4f6",
"client_id": "AppClientIDXXXXXXXXXXXXX",
"username": "testname"
}
毕竟我发现id内标识返回‘aud’
{
"sub": "9ed87b45-da04-4fda-bc74-XXXXXXXXXXXX",
"aud": "AppClientIDXXXXXXXXXXXXX",
"email_verified": true,
"event_id": "469880d0-8b17-417a-88d7-XXXXXXXXXXXX",
"token_use": "id",
"auth_time": 1583252488,
"iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_XXXXXXXX",
"cognito:username": "testname",
"exp": 1583256088,
"iat": 1583252488,
"email": "testname@mail.no"
}
我使用了两种添加JWT身份验证的方法。这对我不起作用。 示例1:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKeyResolver = (s, securityToken, identifier, parameters) =>
{
var json = new WebClient().DownloadString(parameters.ValidIssuer + "/.well-known/jwks.json");
return JsonConvert.DeserializeObject<JsonWebKeySet>(json).Keys;
},
ValidateIssuer = true,
ValidIssuer = $"https://cognito-idp.{region}.amazonaws.com/{poolId}",
ValidateAudience = true,
ValidAudience = appClientId,
};
});
示例2:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.Audience = appClientId;
options.Authority = $"https://cognito-idp.{region}.amazonaws.com/{poolId}";
});
我的验证码
使用AWSSDK.CognitoIdentityProvider
var initiateAuthRequest = new InitiateAuthRequest()
{
ClientId = myClientId,
AuthFlow = AuthFlowType.USER_PASSWORD_AUTH,
};
initiateAuthRequest.AuthParameters.Add("USERNAME", user.Username);
initiateAuthRequest.AuthParameters.Add("PASSWORD", user.Password);
var authResponse = await _cognitoIdentityProvider.InitiateAuthAsync(initiateAuthRequest);
使用Amazon.Extensions.CognitoAuthentication
var provider = new AmazonCognitoIdentityProviderClient(new EnvironmentVariablesAWSCredentials(), myRegion);
var userPool = new CognitoUserPool(myPool, myClient, provider);
var usr = new CognitoUser(user.Username, myClient, userPool, provider);
AuthFlowResponse authResponse = await usr.StartWithSrpAuthAsync(
new InitiateSrpAuthRequest(){Password = user.Password}).ConfigureAwait(false);
更新: 在示例1中,如果将ValidateAudience设置为False并删除ValidAudience,则会出现401错误
ValidateAudience = false,
//ValidAudience = appClientId
我的Startup.cs是
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public static IConfiguration Configuration { get; private set; }
public void ConfigureServices(IServiceCollection services)
{
var region = Configuration[Resources.AWSRegion];
var poolId = Configuration[Resources.AWSPoolId];
var appClientId = Configuration[Resources.AWSClientId];
services.AddSingleton<IAmazonCognitoIdentityProvider>(provider => new AmazonCognitoIdentityProviderClient(RegionEndpoint.USEast2)));
services.AddControllers();
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKeyResolver = (s, securityToken, identifier, parameters) =>
{
var json = new WebClient().DownloadString(parameters.ValidIssuer + "/.well-known/jwks.json");
return JsonConvert.DeserializeObject<JsonWebKeySet>(json).Keys;
},
ValidateIssuer = true,
ValidIssuer = $"https://cognito-idp.{region}.amazonaws.com/{poolId}",
ValidateAudience = true,
ValidAudience = appClientId
};
});
services.AddAuthorization();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
app.UseAuthentication();
}
}
推荐答案
这解决了我的问题,我使用的是ID令牌而不是访问令牌
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.TokenValidationParameters = GetCognitoTokenValidationParams();
});
}
private TokenValidationParameters GetCognitoTokenValidationParams()
{
var cognitoIssuer = $"https://cognito-idp.{Configuration["AWS:Region"]}.amazonaws.com/{Configuration["AWS:UserPoolId"]}";
var jwtKeySetUrl = $"{cognitoIssuer}/.well-known/jwks.json";
var cognitoAudience = Configuration["AWS:UserPoolClientId"];
return new TokenValidationParameters
{
IssuerSigningKeyResolver = (s, securityToken, identifier, parameters) =>
{
// get JsonWebKeySet from AWS
var json = new WebClient().DownloadString(jwtKeySetUrl);
return JsonConvert.DeserializeObject<JsonWebKeySet>(json).Keys;
},
ValidIssuer = cognitoIssuer,
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateLifetime = true,
ValidAudience = cognitoAudience
};
}
这篇关于如何在没有观众的情况下正确验证Cognito JWT,并在验证之后进行验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
