Ignore JWT Bearer token signature (i.e. don't validate token)

I have an API that sits behind an API Gateway. The API Gateway validates the bearer token before passing the request along to the API.

My API uses the ASP.NET Core 2.0 native authentication and claims-based authorization framework. The grunt work of getting the claims from the JWT token is done by the middleware in Microsoft.AspNetCore.Authentication.JwtBearer.

This middleware can be configured to ignore the expiration date on the token, and it is also possible to specify a local public key so it is not necessary to contact the token authority to obtain one, but is it possible to just disable the signature validation on the token?

This would allow use of unsigned tokens for ad-hoc testing in development and prevent double validation (gateway and then API) in production.

Try this. Finally, I got it to work after so much trying.

using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

public TokenValidationParameters CreateTokenValidationParameters()
{
    var result = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidIssuer = ValidIssuer,

        ValidateAudience = false,
        ValidAudience = ValidAudience,

        ValidateIssuerSigningKey = false,
        //IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecretKey)),
        // comment out the key above and add this delegate to fool the validation logic:
        // it parses the token but never checks the signature
        SignatureValidator = delegate (string token, TokenValidationParameters parameters)
        {
            var jwt = new JwtSecurityToken(token);

            return jwt;
        },

        RequireExpirationTime = true,
        ValidateLifetime = true,

        ClockSkew = TimeSpan.Zero,
    };

    result.RequireSignedTokens = false;

    return result;
}

You may set up token validation using JwtBearerOptions.TokenValidationParameters. You can check all available parameters in the class definition:

Contains a set of parameters that are used by a Microsoft.IdentityModel.Tokens.SecurityTokenHandler when validating a Microsoft.IdentityModel.Tokens.SecurityToken.

Set all ValidateXXX and RequireXXX bool properties to false if you want to disable validation entirely:

.AddJwtBearer("<authenticationScheme>", options =>
{
   options.TokenValidationParameters.ValidateActor = false;
   options.TokenValidationParameters.ValidateAudience = false;
   options.TokenValidationParameters.ValidateIssuerSigningKey = false;
   // ...
});

As another option you can override the default token signature validation by setting your own implementation on JwtBearerOptions.SignatureValidator:

// Gets or sets a delegate that will be used to validate the signature of the token.
//
// Remarks:
//  If set, this delegate will be called to validate the signature of the token,
//  instead of normal processing.
public SignatureValidator SignatureValidator { get; set; }

where the SignatureValidator delegate is defined as:

public delegate SecurityToken SignatureValidator(string token, TokenValidationParameters validationParameters);

I was able to clean up the code a bit, showing that we can just change the flag, and with a bit more consistency when setting the flags.

services.AddAuthentication(o =>
{
    o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
    .AddJwtBearer(o =>
    {
        o.RequireHttpsMetadata = false;
        o.SaveToken = true;
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateIssuerSigningKey = false,
            ValidateLifetime = false,
            RequireExpirationTime = false,
            RequireSignedTokens = false
        };
    });
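The three answers above each show a configuration that unconditionally turns the signature check off. The question actually asks for two different things: unsigned tokens for local testing, and no second verification behind the gateway in production. The following is an added example (not code from the question or any of the answers) that serves both of the approaches shown above in one registration: it uses the `SignatureValidator` delegate from the first answer only while the hosting environment is Development, and otherwise verifies the signature against an RSA public key pinned in the API's own configuration, so the token authority is never contacted at runtime. The class name `GatewayJwt`, the issuer and audience strings, and the key constants are assumptions made for this example.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Added example: one JwtBearer registration whose signature handling depends on
// the hosting environment. Not from the original question or answers.
public static class GatewayJwt
{
    // The authority's RSA public key, copied once from its JWKS document as the
    // base64url "n" and "e" members and pinned here. Constructed placeholders.
    const string AssumedModulusBase64Url = "<paste the authority's JWK 'n' here>";
    const string AssumedExponentBase64Url = "AQAB";

    public static IServiceCollection AddGatewayBackedJwt(
        this IServiceCollection services, IHostingEnvironment env)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(o =>
        {
            // No Authority / MetadataAddress is set, so the handler never
            // fetches keys or metadata from the issuer.
            o.TokenValidationParameters = env.IsDevelopment()
                ? SignatureIgnored()
                : LocallyKeyed();
        });
        return services;
    }

    // Claim checks shared by both modes: issuer, audience and lifetime are still
    // validated, so a development token must look like a real one apart from
    // its signature.
    static TokenValidationParameters Baseline() => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "https://issuer.example",   // assumed
        ValidateAudience = true,
        ValidAudience = "api://orders",           // assumed
        ValidateLifetime = true,
        RequireExpirationTime = true,
        ClockSkew = TimeSpan.Zero,
    };

    // Development only: parse the token without checking its signature (the
    // delegate from the first answer). JwtSecurityToken's constructor still
    // throws on input that is not in JWS compact form, so arbitrary strings
    // are not accepted as tokens.
    static TokenValidationParameters SignatureIgnored()
    {
        var p = Baseline();
        p.RequireSignedTokens = false;
        p.ValidateIssuerSigningKey = false;
        p.SignatureValidator = (token, parameters) => new JwtSecurityToken(token);
        return p;
    }

    // Every other environment: verify the signature with the pinned public key.
    // This is the "local public key" option mentioned in the question; it costs
    // one RSA verify per request and no network round trip.
    static TokenValidationParameters LocallyKeyed()
    {
        var rsa = RSA.Create();
        rsa.ImportParameters(new RSAParameters
        {
            Modulus = Base64UrlEncoder.DecodeBytes(AssumedModulusBase64Url),
            Exponent = Base64UrlEncoder.DecodeBytes(AssumedExponentBase64Url),
        });
        var p = Baseline();
        p.RequireSignedTokens = true;
        p.ValidateIssuerSigningKey = true;
        p.IssuerSigningKey = new RsaSecurityKey(rsa);
        return p;
    }
}
```

Call `services.AddGatewayBackedJwt(env)` from `ConfigureServices`, with `IHostingEnvironment` taken from the `Startup` constructor. The reason the example keeps verification on outside Development rather than trusting the gateway: with `RequireSignedTokens = false` and a pass-through `SignatureValidator`, the API accepts whatever claims are in the token, so any client that can reach the API without going through the gateway (a misrouted internal call, a leaked internal address) can mint its own. Skipping the check in production is therefore only equivalent to the gateway's check when the network guarantees every request passed through the gateway; pinning the key locally removes the cost the question is worried about (contacting the authority) while keeping that guarantee independent of the network layout.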
