使用 Jwt 的基于令牌的身份验证无法授权

Question

I'm trying to set up token-based authentication for my web-api. As of now i am generating the token correctly, but i'm having issues authorizing with the token. Using postman, i'm getting 401 Unauthorized on all posts. I have currently configured Jwt as follow:

Startup.cs

    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        private IConfiguration Configuration { get; }
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = true,
                        ValidateAudience = true,
                        ValidateLifetime = true,
                        ValidateIssuerSigningKey = true,
                        IssuerSigningKey =
                            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
                    };
                });
            
            
            services.AddMvc();
            services.AddControllers();
            services.AddSingleton<ITitleDataService, TitleDataService>();
            services.AddSingleton<IPersonDataService, PersonDataService>();
            services.AddSingleton<IUserDataService, UserDataService>();
            services.AddAutoMapper(AppDomain.CurrentDomain.GetAssemblies());
            services.AddControllersWithViews()
                .AddNewtonsoftJson(options =>
                    options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore
                );
            services.AddMvc().AddControllersAsServices();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseRequestLogging();
            
            app.UseRouting();
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseFileServer();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }
}

This is my controller:

//LOGIN
[HttpPost("user/login/")]
public IActionResult Login(UserDto userDto)
{
    var user = _dataService.Login(userDto.Username, userDto.Password);
    IActionResult response = Unauthorized();
    if (user)
    {
        var tokenStr = GenerateJSONWebToken(userDto);
        response = Ok(new {tokenStr});
    }
    else
    {
        return BadRequest("User not authorized");
    }
    return response;
}

[Authorize]
[HttpPost("post")]
public string Post()
{
    var identity = HttpContext.User.Identity as ClaimsIdentity;
    IList<Claim> claim = identity.Claims.ToList();
    Console.WriteLine(claim.Count);
    var username = claim[0].Value;
    Console.WriteLine(username);
    return "Welcome to " + username;
}

[Authorize]
[HttpGet("GetValue")]
public ActionResult<IEnumerable<string>> Get()
{
    return new string[] {"Value1", "Value2", "Value3"};
}

private string GenerateJSONWebToken(UserDto userDto)
{
    var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]));
    var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
    var claims = new[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, userDto.Username),
        new Claim(JwtRegisteredClaimNames.Email, userDto.Password),
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
    };
    
    var token = new JwtSecurityToken(
        issuer: "Issuer",
        audience: "Issuer",
        claims,
        expires: DateTime.Now.AddMinutes(120),
        signingCredentials: credentials);
    
    
    var encodetoken = new JwtSecurityTokenHandler().WriteToken(token);
    return encodetoken;
}

I have tried to rearrange the middleware pipeline without any luck. I have very little experience with tokens, and am therefore pretty lost on how to solve this. All suggestions are highly appreciated!

Best regards, Jesper

Answer 1

You have a couple problems here: You configured your middleware to validate the issuer (URL of the entity that creates the token) and audience (the URL of the service that the token is intended for), but you do not do not specify the values in your configuration.

Your token is written with issuer and audience as "Issuer", but because your middleware is not configured to accept "Issuer" as the correct value for issuer / audience, your token fails.

In your middleware, either configure the accepted values for issuer and audience, or bypass issuer and audience validation by setting validateIssuer and validateAudience to false.