Asp.net核心，JWT和CORS标题 [英] Asp.net Core, JWT, and CORS Headers

问题描述

当我在同一服务上同时启用JWT承载认证和CORS时，我从服务器获取了相应的Access-Control-Allow-Origin标头。
当我从配置中删除UseJwtBearerAuthentication时，一切正常。

I'm having an issue getting an appropriate Access-Control-Allow-Origin header back from the server when I have both JWT Bearer Authentication and CORS enabled on the same service. When I remove UseJwtBearerAuthentication from the configuration, everything works.

public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy("AllowAllOrigins", builder =>
            {
                builder.AllowAnyOrigin();
                builder.AllowAnyHeader();
                builder.AllowAnyMethod();
                builder.AllowCredentials();
            });
        });

        services.AddMvc();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        app.UseJwtBearerAuthentication(options =>
        {
            options.AutomaticAuthenticate = true;
            options.RequireHttpsMetadata = false;
            options.Audience = "c2cf422a-a432-2038-b183-cda64e16239e";
            options.Authority = "domain.com";
        });

        app.UseCors("AllowAllOrigins");

        app.UseIISPlatformHandler();

        app.UseMvc();
    }

我尝试更改配置的顺序，但似乎没有什么工作。我也尝试添加[EnableCors（AllowAllOrigins）]到我正在呼叫的控制器。

I've tried to change the ordering for configuration, but nothing seems to work. I also tried adding [EnableCors("AllowAllOrigins")] to the controller I'm calling.

我已经改变了配置顺序，基于评论中的建议，确定导致此问题的属性：

I've changed the config order based on the recommendation in the comments and identified the property causing the issue:

app.UseIISPlatformHandler();

        app.UseCors("AllowAllOrigins");

        app.UseJwtBearerAuthentication(options =>
        {
            options.AutomaticAuthenticate = true;
            options.RequireHttpsMetadata = false;
            options.Audience = "c8cf662a-ac73-4050-b285-cda90e22992e";
            options.Authority = "iwdwk.com";
        });

        app.UseMvc();

在上面的代码中，下面的行似乎是导致问题的原因：

In the code above, the line below seems to be causing the issue:

options.AutomaticAuthenticate = true;

不幸的是，我需要启用，所以我可以通过JWT令牌通过授权...

Unfortunately, I need to have that enabled so I can pass the JWT token through for authorization... Unless there is another way to do this?

推荐答案

如果服务器抛出异常并清除头文件，请参阅CORS错误。我用来查看实际发生的事情的方式是首先使用Chrome开发工具从我的一个失败的请求中获取承载令牌。

If the server throws and exception they clear the headers and so you'll only see the CORS error. The way I used to see what was actually going on was to first get the Bearer Token out of one of my failed requests using the Chrome dev tools.

接下来我复制了该令牌并粘贴到Postman作为请求中的授权头的值。当我这样做，我终于收到那个漂亮的开发人员异常页面，告诉我我做错了什么。这是我使用 ClientId GUID Azure AD给出而不是应用程序URI 。

Next I copied that token and pasted into Postman as the value for an Authorization header in a request. When I did that I finally received that nice developer exception page that told me exactly what I was doing wrong. Which was that I was using the ClientId GUID Azure AD gives out instead of the App URI.

所以如果你使用Azure AD，那么你的JWT选项应该是： / p>

So if you are using Azure AD then your JWT options should look like:

    app.UseJwtBearerAuthentication(options =>
    {
        options.AutomaticAuthenticate = true;
        options.AutomaticChallenge = true;
        options.Authority = "https://login.microsoftonline.com/yourtenant.onmicrosoft.com"
        options.Audience = "https://yourtenant.onmicrosoft.com/AppURI"
    });

这篇关于Asp.net核心，JWT和CORS标题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！