
Are the authentication tokens validated for every request by the ASP.NET Core Web API?

I have the following configuration in my ASP.NET Core Web API:

// Adds Microsoft Identity platform (AAD v2.0) support to protect this Api
services.AddMicrosoftIdentityWebApiAuthentication(configuration);

services.AddControllers(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("email")
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});

I have an Angular client application that sends the AuthToken with each request. I don't believe that the Web API should validate the AuthToken for every single request, as that would impact performance because it might be contacting the Microsoft validate endpoint.

Are the authentication tokens validated for every request by the ASP.NET Core Web API?

Yes, the tokens are validated on every request. But there is no "Microsoft validate endpoint"; it does the validation completely in-memory most of the time.

What actually happens at runtime:

  1. App startup
  2. App downloads metadata from "authority-uri/.well-known/openid-configuration" (for example: https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration)
  3. This JSON contains the "jwks_uri" (for example https://login.microsoftonline.com/organizations/discovery/v2.0/keys)
  4. App downloads the keys from that URL

Later a request is received:

  1. App validates the signature using one of those keys it downloaded earlier (it uses the one whose "kid" matches the token header)
  2. Other validation is done

If I recall correctly, the metadata is cached in memory for 24 hours by default. It automatically refreshes it when needed.

In short, most of the time there are no requests at all to Microsoft endpoints. Your app validates the token in-memory using only some CPU time. Your DB queries will most likely completely eclipse the overhead of token validation.
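The "download once, then validate in memory" flow described above, written out as an added example; this is not the question's configuration and not Microsoft.Identity.Web's internals (which perform these steps for you). It assumes the stock Microsoft.IdentityModel packages, a single-tenant authority and the API's App ID URI, both shown as placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class LocalTokenValidator
{
    // ASSUMPTION: single-tenant authority and the API's App ID URI; replace both placeholders.
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
    private const string ExpectedAudience = "api://<your-api-client-id>";

    // Fetches openid-configuration and the JWKS behind "jwks_uri" once, then serves
    // them from memory until the refresh interval elapses or a refresh is requested.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            Authority + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever())
        {
            AutomaticRefreshInterval = TimeSpan.FromHours(24), // periodic background refresh
            RefreshInterval = TimeSpan.FromMinutes(5),         // rate limit for RequestRefresh()
        };

    public static async Task<ClaimsPrincipal> ValidateAsync(string bearerToken, CancellationToken ct)
    {
        var handler = new JwtSecurityTokenHandler();
        for (var attempt = 0; attempt < 2; attempt++)
        {
            var config = await Metadata.GetConfigurationAsync(ct); // cached after the first call
            var parameters = new TokenValidationParameters
            {
                ValidIssuer = config.Issuer,
                ValidAudience = ExpectedAudience,
                IssuerSigningKeys = config.SigningKeys, // selected by the token header's "kid"
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true,
            };
            try
            {
                return handler.ValidateToken(bearerToken, parameters, out _); // pure CPU work, no network
            }
            catch (SecurityTokenSignatureKeyNotFoundException) when (attempt == 0)
            {
                Metadata.RequestRefresh(); // unknown "kid": keys may have rotated, refetch once
            }
        }
        throw new SecurityTokenException("Signing key not found after metadata refresh.");
    }
}
```

The retry-after-refresh branch is the one case where a request does reach the Microsoft endpoints: a token signed with a key that is not in the cached JWKS.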

Auth tokens should be validated on every request to a sensitive endpoint to ensure that the user accessing an endpoint is authorized to access it. The impact on performance should be negligible. If tokens are not validated, any user could make a request with a fraudulent token and your API would still service the request, allowing unauthenticated users to access the endpoint.
