[英]JWT Authentication, roles defined in Authorize attribute are ignored
在尝试使用JWT作为默认身份验证方案来实现基于角色的身份验证时,我遇到了这样一种情况,即在Authorize属性中定义的角色被忽略,允许任何请求(带有有效令牌)通过,即使不在那些角色,(有趣的是,在同一Authorize属性中定义的具有自定义要求的其他策略运行良好)
阅读杰里的文章,他提到
这是一个很好的发现:ASP.NET Core 中的 JWT 中间件知道如何解释 JWT 有效负载中的“角色”声明,并将适当的声明添加到
ClaimsIdentity。 这使得使用 Roles 的[Authorize]属性非常容易。
和:
真正有趣的是,当您考虑将角色传递给
[Authorize]时,实际上会查看是否存在类型为http://schemas.microsoft.com/ws/2008/06/identity/claims/role的声明您授权的角色的价值。 这意味着我可以简单地将[Authorize(Roles = "Admin")]添加到任何 API 方法中,这将确保只有负载包含声明“角色”的 JWT 才会在角色数组中包含 Admin 的值授权该 API 方法。
这仍然成立吗? (这篇文章好几年了)
我做错什么了吗?
启动(配置服务)
public void ConfigureServices(IServiceCollection services)
{
string defaultConnection = Configuration.GetConnectionString("Default");
services.AddDbContext<IdentityContext>(options => options.UseSqlServer(defaultConnection).UseQueryTrackingBehavior(QueryTrackingBehavior.TrackAll));
services.AddIdentity<AppUser, IdentityRole>()
.AddEntityFrameworkStores<IdentityContext>()
.AddDefaultTokenProviders();
services.AddAuthorization(o => o.AddPolicy(Policy.IsInTenant, x => x.AddRequirements(new IsInTenantRequirement())));
services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(x =>
{
x.SaveToken = true;
x.TokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = new SymmetricSecurityKey(key),
ValidateIssuer = true,
ValidateAudience = true,
ValidAudience = "somehost...",
ValidIssuer = "somehost...",
};
});
}
启动(配置)
public void Configure(IApplicationBuilder app, IWebHostEnvironment envy)
{
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(x => x.MapControllers());
}
Controller:
[ApiController]
[Authorize(Roles = "some_random_string_which_is_not_registered_anywhere")] // <== any request with a valid token can access this controller
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
[HttpGet]
public string Get()
{
return "how are you?"
}
}
令牌服务
public class JwtService : ITokenService
{
private readonly JwtConfig _config;
public JwtService(IOptions<JwtConfig> config) => _config = config.Value;
public string GenerateRefreshToken(int size = 32)
{
var randomNumber = new byte[size];
using (var rng = RandomNumberGenerator.Create())
{
rng.GetBytes(randomNumber);
return Convert.ToBase64String(randomNumber);
}
}
public string GenerateAccessToken(IEnumerable<Claim> claims)
{
var tokenHandler = new JwtSecurityTokenHandler();
var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config.Secret));
var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);
var tokeOptions = new JwtSecurityToken(
issuer: _config.Issuer,
audience: _config.Audience,
claims: claims,
expires: DateTime.Now.AddMinutes(int.Parse(_config.ExpirationInMinutes)),
signingCredentials: signinCredentials
);
return tokenHandler.WriteToken(tokeOptions);
}
public ClaimsPrincipal GetPrincipalFromExpiredToken(string token)
{
var tokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config.Secret)),
ValidateLifetime = false
};
var tokenHandler = new JwtSecurityTokenHandler();
SecurityToken securityToken;
var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out securityToken);
var jwtSecurityToken = securityToken as JwtSecurityToken;
if (jwtSecurityToken == null || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
throw new SecurityTokenException("Invalid token");
return principal;
}
}
登录(使用令牌服务)
(目前我没有向令牌添加任何角色,但是用户可以完全访问由特定角色保护的资源。)
[AllowAnonymous]
[HttpPost()]
public async Task<IActionResult> Post(LoginDTO model)
{
if (!ModelState.IsValid) return BadRequest("errors.invalidParams");
var user = await _userManager.FindByEmailAsync(model.Email);
if (user == null)
{
return Unauthorized("errors.loginFailure");
}
var result = await _signInManager.PasswordSignInAsync(user?.UserName, model.Password, model.RememberMe, false);
if (result.Succeeded)
{
var claims = new List<Claim>
{
new Claim(AppClaim.TenantId, user.TenantId.ToString()),
new Claim(JwtRegisteredClaimNames.Email, user.Email),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
};
claims.AddRange(await _authOperations.GetUserRolesAsClaims(user));
claims.AddRange(await _authOperations.GetAllUserClaims(user));
var accessToken = _tokenService.GenerateAccessToken(claims);
var refreshToken = _tokenService.GenerateRefreshToken();
user.RefreshToken = refreshToken;
user.RefreshTokenExpiryTime = DateTime.Now.AddDays(7);
await _ctx.SaveChangesAsync();
return Ok(new TokenExchangeDTO
{
AccessToken = accessToken,
RefreshToken = refreshToken
});
}
appsettings.json
"JwtConfig": {
"Secret": "secret...",
"ExpirationInMinutes": 1440,
"Issuer": "somehost...",
"Audience": "somehost..."
}
如果需要更多详细信息或更好的信息来回答我的问题,请告诉我。
这是关于如何使用 JWT 基于角色的身份验证的完整工作演示:
启动.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidIssuer = Configuration["Jwt:JwtIssuer"],
ValidAudience = Configuration["Jwt:JwtIssuer"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:JwtKey"])),
ValidateIssuer = true,
ValidateAudience = true,
ValidateIssuerSigningKey = true,
};
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
endpoints.MapControllers();
});
}
在 appSettings.json 中存储Issuer 、 Audience和SigningKey :
"jwt": {
"JwtKey": "YourJwtKey",
"JwtIssuer": "YourJwtIssuer"
}
生成令牌:
[Route("api/[Controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
private IConfiguration _config;
public ValuesController(IConfiguration config)
{
_config = config;
}
[Route("GenerateToken")]
public async Task<IActionResult> GenerateToken()
{
var claims = new List<Claim>
{
new Claim(ClaimTypes.Role, "Admin")
};
var token = new JwtSecurityToken(_config["Jwt:JwtIssuer"],
_config["Jwt:JwtIssuer"],
claims: claims,
expires: DateTime.Now.AddDays(5),
signingCredentials: new SigningCredentials(new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:JwtKey"])),
SecurityAlgorithms.HmacSha256));
var data = new JwtSecurityTokenHandler().WriteToken(token);
return Ok(new { data });
}
}
测试方法:
[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
[Authorize(Roles = "admin")]
[HttpGet]
public async Task<IActionResult> Get()
{
return Ok();
}
[Authorize(Roles = "Admin")]
[HttpGet("GetAdmin")]
public async Task<IActionResult> GetAdmin()
{
return Ok();
}
}
结果:
参考:
事实证明,我错误地将我的自定义授权处理程序之一配置为接受基本IAuthorizationRequirement作为 Requirement 参数类型,而不是特定的派生 Requirement,因此context.Succeed(requirement)被调用用于基本上标记它的任何要求成功了。
原代码:
public class IsInTenantRequirement : IAuthorizationRequirement { }
public class IsInTenantAuthorizationHandler : AuthorizationHandler<IAuthorizationRequirement>
{
private readonly RouteData _routeData;
public IsInTenantAuthorizationHandler(IHttpContextAccessor httpContextAccessor)
{
_routeData = httpContextAccessor.HttpContext.GetRouteData();
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IAuthorizationRequirement requirement)
{
var tenantIdFromRequest = _routeData.Values["tenantId"]?.ToString();
var tenantId = context.User.FindFirstValue(AppClaim.TenantId);
if (tenantIdFromRequest == tenantId)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
更新后的代码:
public class IsInTenantRequirement : IAuthorizationRequirement { }
public class IsInTenantAuthorizationHandler : AuthorizationHandler<IsInTenantRequirement>
{
private readonly RouteData _routeData;
public IsInTenantAuthorizationHandler(IHttpContextAccessor httpContextAccessor)
{
_routeData = httpContextAccessor.HttpContext.GetRouteData();
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IsInTenantRequirement requirement)
{
var tenantIdFromRequest = _routeData.Values["tenantId"]?.ToString();
var tenantId = context.User.FindFirstValue(AppClaim.TenantId);
if (tenantIdFromRequest == tenantId)
{
context.Succeed(requirement);
}
context.Succeed(requirement);
return Task.CompletedTask;
}
}
使用来自外部提供程序的ASP.NET Identity和JWT身份验证时,可以使用“角色和声明”的Authorize属性筛选吗?
[英]Can I use the Authorize attribute filtering by Roles and Claims when using ASP.NET Identity and JWT authentication from external providers?
使用具有Authorize属性的IIS基本身份验证为WebApi2中的用户允许角色
[英]Allow Roles for Users in WebApi2 using IIS Basic Authentication with Authorize Attribute
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.