繁体   English   中英

.net Core 2.0 JWT令牌过期问题

[英].net core 2.0 JWT token expired issue

我遇到一个非常奇怪的问题,这确实使我发疯,对我没有任何意义。

让我解释一下:我有一个Angular 5客户端正在使用的.NET Core 2.0 Web API。 Web API托管在Azure AppService中。 通过使用AspnetCore.Authentication.JWTBearer的JWT Bearer令牌进行身份验证(当前版本为2.0.1),该应用程序在auth / login端点中创建JWT令牌。 这样客户端就可以在以下调用中进行身份验证了。

但是,即使我指定了令牌的时间跨度为1080分钟(一周),但在大约8小时后,我们还是可以说该令牌不再有效。 我可以不说了(实际上我开始指定令牌可以使用几个小时),但是一旦令牌过期……这就是奇怪的地方,应用程序在用户使用后发出了一个新令牌。再次登录,但是新令牌不进行身份验证,说明令牌已过期!如果刚刚创建了令牌,如何将其过期。 (我将检查加倍,并且将新接收到的令牌发送到服务器,而不是旧令牌)。

此外,如果我只是在Azure中重新启动应用程序服务,那么一切将再次恢复正常,并且将接受新发行的jwt令牌。 我认为这可能是有关Azure服务器与其他服务器之间的时钟的问题,因此我删除了ClockSkew属性,并将其保留为默认值5分钟,但是没有运气。

我不知道是什么原因导致了这种奇怪的行为,但是却导致我的应用在一天中的某个时候失效,除非我进入Azure并重新启动应用服务。

我的代码在下面,但是我开始认为它可能是与.net core和Azure相关的错误?

你有什么不对吗? 谢谢你的帮助!

这是我的startup.cs类

public class Startup
    {
        private string connectionString;
        private const string SecretKey = "iNivDmHLpUA223sqsfhqGbMRdRj1PVkH"; 
        // todo: get this from somewhere secure
        private readonly SymmetricSecurityKey _signingKey = new 
              SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecretKey));
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            connectionString = Configuration.GetSection("ConnectionString:Value").Value;
            Console.WriteLine("Connection String: " + connectionString);
            services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(connectionString));

            //Initialize the UserManager instance and configuration
            services.AddIdentity<AppUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

            services.TryAddTransient<IHttpContextAccessor, HttpContextAccessor>();


            // add identity
            var builder = services.AddIdentityCore<AppUser>(o =>
            {
                // configure identity options
                o.Password.RequireDigit = true;
                o.Password.RequireLowercase = true;
                o.Password.RequireUppercase = true;
                o.Password.RequireNonAlphanumeric = true;
                o.Password.RequiredLength = 6;
            });

            builder = new IdentityBuilder(builder.UserType, typeof(IdentityRole), builder.Services);
            builder.AddEntityFrameworkStores<ApplicationDbContext>().AddDefaultTokenProviders();

            //START JWT CONFIGURATION
            services.AddSingleton<IJwtFactory, JwtFactory>();

            // Get options from app settings
            var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions));

            // Configure JwtIssuerOptions
            services.Configure<JwtIssuerOptions>(options =>
            {
                options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
                options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)];
                options.SigningCredentials = new SigningCredentials(_signingKey, SecurityAlgorithms.HmacSha256);
            });

            var tokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)],
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = _signingKey,

                ValidateAudience = true,
                ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)],

                RequireExpirationTime = false,
                // ValidateLifetime = true,
                // ClockSkew = TimeSpan.Zero //default son 5 minutos
            };

            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            }).AddJwtBearer(configureOptions =>
            {
                configureOptions.ClaimsIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
                configureOptions.TokenValidationParameters = tokenValidationParameters;
                configureOptions.SaveToken = true;
            });

            // api user claim policy
            // Enables [Authorize] decorator on controllers.
            //more information here: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1
            services.AddAuthorization(options =>
            {
                options.AddPolicy("ApiUser", policy => policy.RequireClaim(Constants.Strings.JwtClaimIdentifiers.Rol, Constants.Strings.JwtClaims.ApiAccess));
            });
            //END JWT CONFIGURATION

            // Register the Swagger generator, defining one or more Swagger documents
            services.AddSwaggerGen(c =>
            {
                c.SwaggerDoc("v1", new Info
                {
                    Title = Configuration.GetSection("Swagger:Title").Value,
                    Version = "v1"
                });
            });


            //Initialize auto mapper
            services.AddAutoMapper();

            services.AddCors();

            //Initialize MVC
            services.AddMvc();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env,
        UserManager<AppUser> userManager, RoleManager<IdentityRole> roleManager)
        {
            var cultureInfo = new CultureInfo("es-AR");
            //cultureInfo.NumberFormat.CurrencySymbol = "€";

            CultureInfo.DefaultThreadCurrentCulture = cultureInfo;
            CultureInfo.DefaultThreadCurrentUICulture = cultureInfo;


            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseExceptionHandler(
          builder =>
          {
              builder.Run(
                        async context =>
                        {
                            context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
                            context.Response.Headers.Add("Access-Control-Allow-Origin", "*");

                            var error = context.Features.Get<IExceptionHandlerFeature>();
                            if (error != null)
                            {
                                context.Response.AddApplicationError(error.Error.Message);
                                await context.Response.WriteAsync(error.Error.Message).ConfigureAwait(false);
                            }
                        });
          });

            // Enable middleware to serve generated Swagger as a JSON endpoint.
            app.UseSwagger();

            // Enable middleware to serve swagger-ui (HTML, JS, CSS, etc.), specifying the Swagger JSON endpoint.
            app.UseSwaggerUI(c =>
            {
                c.SwaggerEndpoint(
                    Configuration.GetSection("Swagger:Endpoint").Value,
                    Configuration.GetSection("Swagger:Title").Value);
            });

            app.UseAuthentication();

            //Loads initial users and roles.
            if (Configuration["seed"] == "true")
            {
                Console.WriteLine("Seeding database with connection string: " + connectionString);
                Console.WriteLine();
                IdentityDataInitializer.SeedData(userManager, roleManager);
                Console.WriteLine("Finished seeding");
            }
            else
            {
                Console.WriteLine("seeding not configured");

            }

            app.UseDefaultFiles();
            app.UseStaticFiles();

            // Shows UseCors with CorsPolicyBuilder.
            app.UseCors(builder =>
               builder.WithOrigins(Configuration.GetSection("AllowedOrigins:Origin1").Value,
                                    Configuration.GetSection("AllowedOrigins:Origin2").Value)
                 .AllowAnyHeader()
                 .AllowAnyMethod() //Permite también PREFLIGHTS / OPTIONS REQUEST!
               );

            Console.WriteLine("Allowed origin: " + Configuration.GetSection("AllowedOrigins:Origin1").Value);
            Console.WriteLine("Allowed origin: " + Configuration.GetSection("AllowedOrigins:Origin2").Value);

            app.UseMvc();
        }

    }

这是我的JwtIssuerOptions.cs

public class JwtIssuerOptions
    {
        /// <summary>
        /// 4.1.1.  "iss" (Issuer) Claim - The "iss" (issuer) claim identifies the principal that issued the JWT.
        /// </summary>
        public string Issuer { get; set; }

        /// <summary>
        /// 4.1.2.  "sub" (Subject) Claim - The "sub" (subject) claim identifies the principal that is the subject of the JWT.
        /// </summary>
        public string Subject { get; set; }

        /// <summary>
        /// 4.1.3.  "aud" (Audience) Claim - The "aud" (audience) claim identifies the recipients that the JWT is intended for.
        /// </summary>
        public string Audience { get; set; }

        /// <summary>
        /// 4.1.4.  "exp" (Expiration Time) Claim - The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
        /// </summary>
        public DateTime Expiration => IssuedAt.Add(ValidFor);

        /// <summary>
        /// 4.1.5.  "nbf" (Not Before) Claim - The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.
        /// </summary>
        public DateTime NotBefore { get; set; } = DateTime.UtcNow;

        /// <summary>
        /// 4.1.6.  "iat" (Issued At) Claim - The "iat" (issued at) claim identifies the time at which the JWT was issued.
        /// </summary>
        public DateTime IssuedAt { get; set; } = DateTime.UtcNow;

        /// <summary>
        /// Set the timespan the token will be valid for (default is 120 min)
        /// </summary>
        public TimeSpan ValidFor { get; set; } = TimeSpan.FromMinutes(1080);//una semana



        /// <summary>
        /// "jti" (JWT ID) Claim (default ID is a GUID)
        /// </summary>
        public Func<Task<string>> JtiGenerator =>
          () => Task.FromResult(Guid.NewGuid().ToString());

        /// <summary>
        /// The signing key to use when generating tokens.
        /// </summary>
        public SigningCredentials SigningCredentials { get; set; }
    }

Token.cs类,它将带有令牌的json发送到客户端

public class Tokens
    {
        public static async Task<object> GenerateJwt(ClaimsIdentity identity, IJwtFactory jwtFactory, string userName, JwtIssuerOptions jwtOptions, JsonSerializerSettings serializerSettings)
        {
            var response = new
            {
                id = identity.Claims.Single(c => c.Type == "id").Value,
                auth_token = await jwtFactory.GenerateEncodedToken(userName, identity),
                expires_in = (int)jwtOptions.ValidFor.TotalSeconds
            };

            return response;
            //return JsonConvert.SerializeObject(response, serializerSettings);
        }
    }

AuthController.cs

[Produces("application/json")]
    [Route("api/[controller]")]
    public class AuthController : Controller
    {
        private readonly UserManager<AppUser> _userManager;
        private readonly IJwtFactory _jwtFactory;
        private readonly JwtIssuerOptions _jwtOptions;
        private readonly ILogger _logger;

        public AuthController(UserManager<AppUser> userManager,
            IJwtFactory jwtFactory,
            IOptions<JwtIssuerOptions> jwtOptions,
            ILogger<AuthController> logger)
        {
            _userManager = userManager;
            _jwtFactory = jwtFactory;
            _jwtOptions = jwtOptions.Value;
            _logger = logger;
        }

        // POST api/auth/login
        [HttpPost("login")]
        public async Task<IActionResult> Post([FromBody]CredentialsViewModel credentials)
        {
            try
            {
                if (!ModelState.IsValid)
                {
                    return BadRequest(ModelState);
                }

                var identity = await GetClaimsIdentity(credentials.UserName, credentials.Password);
                if (identity == null)
                {
                    // Credentials are invalid, or account doesn't exist
                    _logger.LogInformation(LoggingEvents.InvalidCredentials, "Invalid Credentials");
                    return BadRequest(Errors.AddErrorToModelState("login_failure", "Invalid username or password.", ModelState));
                }

                var jwt = await Tokens.GenerateJwt(identity, _jwtFactory, credentials.UserName, _jwtOptions, new JsonSerializerSettings { Formatting = Formatting.Indented });
                CurrentUser cu = Utils.GetCurrentUserInformation(identity.Claims.Single(c => c.Type == "id").Value, _userManager).Result;
                if (cu != null)
                {
                    cu.Jwt = jwt;
                    return new OkObjectResult(cu);
                }

                return StatusCode(500);
            }
            catch (System.Exception ex)
            {
                _logger.LogError(LoggingEvents.GenericError, ex.Message);
                return StatusCode(500, ex);
            }
        }

        private async Task<ClaimsIdentity> GetClaimsIdentity(string userName, string password)
        {
            try
            {
                if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                    return await Task.FromResult<ClaimsIdentity>(null);

                // get the user to verifty
                ILogicUsers lusers = Business.UsersLogic(_userManager);
                AppUser userToVerify = await lusers.FindByNameAsync(userName);

                if (userToVerify == null)
                    return await Task.FromResult<ClaimsIdentity>(null);

                // check the credentials
                if (await lusers.CheckPasswordAsync(userToVerify, password))
                {
                    return await Task.FromResult(_jwtFactory.GenerateClaimsIdentity(userName, userToVerify.Id));
                }

                // Credentials are invalid, or account doesn't exist
                _logger.LogInformation(LoggingEvents.InvalidCredentials, "Invalid Credentials");
                return await Task.FromResult<ClaimsIdentity>(null);
            }
            catch
            {
                throw;
            }
        }
    }

好吧,我想我知道了问题所在。

IssuedAt属性是静态的,并且是第一次使用生成的令牌值。 当令牌过期时,会生成一个新令牌,但会采用第一个令牌的issueAtAt日期,这就是为什么所有新生成的令牌都已过期的原因。 在Azure中重新启动AppService导致清除了静态值,并正确创建了第一个新令牌。

这是正确的行。

public DateTime IssuedAt => DateTime.UtcNow; 

谢谢你的帮助!

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM