如何在 .net 核心 web api 3.1 中创建 Customtom 授权属性？

Question

我有两个 api 项目

1. 消费者API

2. MasterApi

MasterApi负责创建和验证令牌。 我需要保护ConsumerApi资源。 这就是为什么我有一个带有登录方法的LoginController 。

起初用户点击这个方法并传递他们的用户名和密码。 ConsumerApi然后调用MasterApi获取令牌并将令牌返回给User 。 然后用户在授权header 中使用此 JWT 令牌作为承载 retrive_jwt_token调用ConsumerApi受保护的资源。 为了使用MasterApi验证令牌，我在ConsumerApi中有一个CustomAuthorizeAttribute ，我在上面提到了这个项目控制器或方法。

下面是我的CustomAuthorizeAttribute ：

public class ExternalAuthorization : AuthorizeAttribute, IAuthorizationFilter
    {
        private readonly HttpClient _httpClient;
        public ExternalAuthorization()
        {
            _httpClient = new HttpClient();
        }

        public void OnAuthorization(AuthorizationFilterContext context)
        {
            if (context.HttpContext.Request.Headers.TryGetValue("Authorization", out var authHeader))
            {
                var accessToken = authHeader.ToString().Split(' ')[1];
                var response = _httpClient.GetAsync(
                    $"https://localhost:44359/api/oauth/validate?token={accessToken}").Result;
                if (response.StatusCode == HttpStatusCode.Unauthorized)
                {
                    context.Result = new UnauthorizedResult();
                }
            }
        }
    }

我在我的ConsumerApi controller 方法之一中使用它，如下所示：

        [ExternalAuthorization]
        [HttpGet("getall")]
        public IEnumerable<WeatherForecast> GetAll()
        {
            var rng = new Random();
            return Enumerable.Range(1, 5).Select(index => new WeatherForecast
            {
                Date = DateTime.Now.AddDays(index),
                TemperatureC = rng.Next(-20, 55),
                Summary = Summaries[rng.Next(Summaries.Length)]
            })
            .ToArray();
        }

但是当我调用这个方法时，我遇到了异常

System.InvalidOperationException: Endpoint ConsumerApiClient.Controllers.WeatherForecastController.GetAll (ConsumerApi) contains authorization metadata, but a middleware was not found that supports authorization.
Configure your application startup by adding app.UseAuthorization() inside the call to Configure(..) in the application startup code. The call to app.UseAuthorization() must appear between app.UseRouting() and app.UseEndpoints(...).
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.ThrowMissingAuthMiddlewareException(Endpoint endpoint)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

HEADERS
=======
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,bn;q=0.7
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6InVzZXJfaWQiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOiJyZWd1bGFyIiwibmJmIjoxNTk0MTE1MDg4LCJleHAiOjE1OTQyMDE0ODgsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0OjQ0MzU5LyIsImF1ZCI6Imh0dHBzOi8vbG9jYWxob3N0OjQ0MzU5LyJ9.mOEaM_IuQ0w_CKGcMHXACXCdCOebzdc19ArSeOOgxek
Cache-Control: no-cache
Connection: close
Host: localhost:44326
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
dnt: 1
x-postman-interceptor-id: 9dc8740c-6d4d-eb6b-4376-3eefdb355cb8
postman-token: 3191c452-708a-efd0-237a-0c343eb16bd6
sec-fetch-site: none
sec-fetch-mode: cors
sec-fetch-dest: empty

如果需要，我是否需要在StartUp.cs中添加它，那我该怎么做？

Answer 1

根据例外情况， app.UseAuthorization应该在app.UseRouting()和app.UseEndpoints(...)之间，如下所示：

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    endpoints.MapControllerRoute(
        name: "default",
        pattern: "{controller}/{action=Index}/{id?}");
});