.net core 2.1中具有自定义授权的JwtBearer身份验证
[英]JwtBearer Authentication with Custom Authorization in .net core 2.1
问题描述
We have a Gateway (implemented using Ocelot), which performs both Authentication & Authorization of the calls before it reaches the APIs 
我们有一个网关(使用Ocelot实现),该网关在到达API之前执行调用的身份验证和授权
For Authentication, the gateway uses JwtBearer like below 对于身份验证,网关使用JwtBearer,如下所示
services.AddAuthentication(Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Events = JwtBeaerEvents();
options.TokenValidationParameters = TokenValidationParameters(tokenConfig);
});
And, this validates the token correctly. 并且,这可以正确验证令牌。
Apart from this, the Gateway is implemented with Custom Authorization, to which it reads the permission related settings using a custom configuration file. 除此之外,网关还通过“自定义授权”实现,并使用自定义配置文件向其读取与权限相关的设置。 And, this Custom Authorization is added as a middleware 并且,此自定义授权被添加为中间件
We try to add this Authorization middleware after Authentication middleware, like 我们尝试在身份验证中间件之后添加此授权中间件,例如
app.UseAuthentication().UseAuthorizationMiddleware();
This works for a valid token. 这适用于有效令牌。 However, for an invalid token, irrespective of Authentication got failed, the call is being routed to AuthorizationMiddleware as well. 但是,对于无效的令牌,无论身份验证失败如何,该调用也将路由到AuthorizationMiddleware。 And, based on these findings, looks like we need to go with DI, rather than middleware. 而且,基于这些发现,看来我们需要使用DI而不是中间件。 But, what we want is a custom implementation for Authorization which accepts the permissions/policy/scope via config file (in the gateway) along with JwtBearer scheme, rather than decorating them in the API attribute. 但是,我们想要的是一个授权的自定义实现,该实现通过配置文件(在网关中)与JwtBearer方案一起接受权限/策略/范围,而不是在API属性中进行修饰。 Could anyone throw some light on how to achieve the same? 任何人都可以阐明如何实现相同目标吗?
Your help is much appreciated 非常感谢您的帮助
1 个解决方案
解决方案1
0 2019-02-06 06:30:40
The issue is due to the behaviour of .net core. 该问题是由于.net core的行为所致。 When the Identity's IsAuthenticated flag is false, Http StatusCode is not set to 401 by the framework in case of Token validation failure during Authentication and also it proceeds to the next call. 当Identity的IsAuthenticated标志为false时,如果在身份验证期间令牌验证失败的情况下,框架不会将Http StatusCode设置为401,并且它会继续进行下一个调用。 If only we used the Policy based Authorization, it would have been automatically taken care by RequireAuthenticatedUser() while building the Authorization Policy. 如果仅使用基于策略的授权,则在构建授权策略时,RequireAuthenticatedUser()会自动对其进行处理。 However, since we are using a custom middleware, introduced one another middleware which replicates what DenyAnonymousAuthorizationRequirement does, like below 但是,由于我们使用的是自定义中间件,因此引入了另一个中间件,该中间件复制了DenyAnonymousAuthorizationRequirement的功能,如下所示
var user = httpContext.User;
var userIsAnonymous =
user?.Identity == null ||
!user.Identities.Any(i => i.IsAuthenticated);
if (userIsAnonymous)
{
httpContext.Response.StatusCode = 401;
return Task.CompletedTask;
}
return _next(httpContext);
We placed this middleware in between Authentication & Authorization middlewares and the issue has been resolved 我们将此中间件放置在Authentication&Authorization中间件之间,此问题已解决
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.