Asp.net核心,JWT和CORS标题 [英] Asp.net Core, JWT, and CORS Headers
问题描述
当我在同一服务上同时启用JWT承载认证和CORS时,我从服务器获取了相应的Access-Control-Allow-Origin标头。
当我从配置中删除UseJwtBearerAuthentication时,一切正常。
I'm having an issue getting an appropriate Access-Control-Allow-Origin header back from the server when I have both JWT Bearer Authentication and CORS enabled on the same service. When I remove UseJwtBearerAuthentication from the configuration, everything works.
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("AllowAllOrigins", builder =>
{
builder.AllowAnyOrigin();
builder.AllowAnyHeader();
builder.AllowAnyMethod();
builder.AllowCredentials();
});
});
services.AddMvc();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseJwtBearerAuthentication(options =>
{
options.AutomaticAuthenticate = true;
options.RequireHttpsMetadata = false;
options.Audience = "c2cf422a-a432-2038-b183-cda64e16239e";
options.Authority = "domain.com";
});
app.UseCors("AllowAllOrigins");
app.UseIISPlatformHandler();
app.UseMvc();
}
我尝试更改配置的顺序,但似乎没有什么工作。我也尝试添加[EnableCors(AllowAllOrigins)]到我正在呼叫的控制器。
I've tried to change the ordering for configuration, but nothing seems to work. I also tried adding [EnableCors("AllowAllOrigins")] to the controller I'm calling.
我已经改变了配置顺序,基于评论中的建议,确定导致此问题的属性:
I've changed the config order based on the recommendation in the comments and identified the property causing the issue:
app.UseIISPlatformHandler();
app.UseCors("AllowAllOrigins");
app.UseJwtBearerAuthentication(options =>
{
options.AutomaticAuthenticate = true;
options.RequireHttpsMetadata = false;
options.Audience = "c8cf662a-ac73-4050-b285-cda90e22992e";
options.Authority = "iwdwk.com";
});
app.UseMvc();
在上面的代码中,下面的行似乎是导致问题的原因:
In the code above, the line below seems to be causing the issue:
options.AutomaticAuthenticate = true;
不幸的是,我需要启用,所以我可以通过JWT令牌通过授权...
Unfortunately, I need to have that enabled so I can pass the JWT token through for authorization... Unless there is another way to do this?
推荐答案
如果服务器抛出异常并清除头文件,请参阅CORS错误。我用来查看实际发生的事情的方式是首先使用Chrome开发工具从我的一个失败的请求中获取承载令牌
。
If the server throws and exception they clear the headers and so you'll only see the CORS error. The way I used to see what was actually going on was to first get the Bearer Token
out of one of my failed requests using the Chrome dev tools.
接下来我复制了该令牌并粘贴到Postman作为请求中的授权头的值。当我这样做,我终于收到那个漂亮的开发人员异常页面,告诉我我做错了什么。这是我使用 ClientId
GUID Azure AD给出而不是应用程序URI
。
Next I copied that token and pasted into Postman as the value for an Authorization header in a request. When I did that I finally received that nice developer exception page that told me exactly what I was doing wrong. Which was that I was using the ClientId
GUID Azure AD gives out instead of the App URI
.
所以如果你使用Azure AD,那么你的JWT选项应该是: / p>
So if you are using Azure AD then your JWT options should look like:
app.UseJwtBearerAuthentication(options =>
{
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.Authority = "https://login.microsoftonline.com/yourtenant.onmicrosoft.com"
options.Audience = "https://yourtenant.onmicrosoft.com/AppURI"
});
这篇关于Asp.net核心,JWT和CORS标题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!