stackoom
  简体   繁体   中英

Token based authentication with Jwt fails to authorize

 原文  2020-12-14 23:49:45       c#/ asp.net-web-api/ jwt

Question

I'm trying to set up token-based authentication for my web-api. As of now i am generating the token correctly, but i'm having issues authorizing with the token. Using postman, i'm getting 401 Unauthorized on all posts. I have currently configured Jwt as follow:

Startup.cs

    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        private IConfiguration Configuration { get; }
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = true,
                        ValidateAudience = true,
                        ValidateLifetime = true,
                        ValidateIssuerSigningKey = true,
                        IssuerSigningKey =
                            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
                    };
                });
            
            
            services.AddMvc();
            services.AddControllers();
            services.AddSingleton<ITitleDataService, TitleDataService>();
            services.AddSingleton<IPersonDataService, PersonDataService>();
            services.AddSingleton<IUserDataService, UserDataService>();
            services.AddAutoMapper(AppDomain.CurrentDomain.GetAssemblies());
            services.AddControllersWithViews()
                .AddNewtonsoftJson(options =>
                    options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore
                );
            services.AddMvc().AddControllersAsServices();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseRequestLogging();
            
            app.UseRouting();
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseFileServer();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }
}

This is my controller:

//LOGIN
[HttpPost("user/login/")]
public IActionResult Login(UserDto userDto)
{
    var user = _dataService.Login(userDto.Username, userDto.Password);
    IActionResult response = Unauthorized();
    if (user)
    {
        var tokenStr = GenerateJSONWebToken(userDto);
        response = Ok(new {tokenStr});
    }
    else
    {
        return BadRequest("User not authorized");
    }
    return response;
}

[Authorize]
[HttpPost("post")]
public string Post()
{
    var identity = HttpContext.User.Identity as ClaimsIdentity;
    IList<Claim> claim = identity.Claims.ToList();
    Console.WriteLine(claim.Count);
    var username = claim[0].Value;
    Console.WriteLine(username);
    return "Welcome to " + username;
}

[Authorize]
[HttpGet("GetValue")]
public ActionResult<IEnumerable<string>> Get()
{
    return new string[] {"Value1", "Value2", "Value3"};
}

private string GenerateJSONWebToken(UserDto userDto)
{
    var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]));
    var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
    var claims = new[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, userDto.Username),
        new Claim(JwtRegisteredClaimNames.Email, userDto.Password),
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
    };
    
    var token = new JwtSecurityToken(
        issuer: "Issuer",
        audience: "Issuer",
        claims,
        expires: DateTime.Now.AddMinutes(120),
        signingCredentials: credentials);
    
    
    var encodetoken = new JwtSecurityTokenHandler().WriteToken(token);
    return encodetoken;
}

I have tried to rearrange the middleware pipeline without any luck. I have very little experience with tokens, and am therefore pretty lost on how to solve this. All suggestions are highly appreciated!

Best regards, Jesper

1 answers

solution1
 1 ACCPTED  2020-12-15 00:03:46

You have a couple problems here: You configured your middleware to validate the issuer (URL of the entity that creates the token) and audience (the URL of the service that the token is intended for), but you do not do not specify the values in your configuration.

Your token is written with issuer and audience as "Issuer", but because your middleware is not configured to accept "Issuer" as the correct value for issuer / audience, your token fails.

In your middleware, either configure the accepted values for issuer and audience, or bypass issuer and audience validation by setting validateIssuer and validateAudience to false.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Authentication based on JWT token bearer fails under .NET Core 2.2 after move from 3.0 How to Authorize Using JWT token Real Jwt token Authentication WebAPI does not respect Jwt token for authorize attribute JWT Authentication, roles defined in Authorize attribute are ignored Authentication Swagger with JWT Bearer token Blazor Authentication - Refresh Token for JWT token Owin Bearer Token Authentication + Authorize controller How to authorize an API endpoint with both JWT and Azure Ad token? .NET Core 3.0 using Identity + JWT fails to authorize
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM