ASP.NET核心中的承载令牌认证
尝试在简单的.Net Core Web API项目中使用基于承载令牌的身份validation。 这是我的Startup.cs
app.UseMvc(); //--- const string secretKey = "mysupersecret_secretkey!123"; SymmetricSecurityKey signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secretKey)); SigningCredentials signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256); //--- const string audience = "Audience"; const string issuer = "Issuer"; //--- TokenValidationParameters tokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, ValidateIssuer = false, ValidIssuer = issuer, ValidateAudience = true, ValidAudience = audience, ValidateLifetime = true, ClockSkew = TimeSpan.Zero, AuthenticationType = JwtBearerDefaults.AuthenticationScheme }; //--- app.UseJwtBearerAuthentication(new JwtBearerOptions { AutomaticAuthenticate = true, AutomaticChallenge = true, TokenValidationParameters = tokenValidationParameters, AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme, });
我还将AuthorizeAttribute添加到控制器操作
[HttpGet] [Authorize(ActiveAuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] public IEnumerable Get() { return new[] { "value1", "value2" }; }
但是当尝试使用标题发送get请求时Authorization: Bearer [TOKEN]我得到例外
System.InvalidOperationException: No authentication handler is configured to authenticate for the scheme: Bearer at Microsoft.AspNetCore.Http.Authentication.Internal.DefaultAuthenticationManager.
那么这个“身份validation处理程序”是什么? 我需要设置这个处理程序?
在ASP.NET Core中,中间件的顺序很重要:它们的执行顺序与注册顺序相同。 这里, app.UseMvc()在JWT承载中间件之前被调用,所以这不起作用。
将app.UseMvc()放在管道的末尾,它应该工作:
app.UseJwtBearerAuthentication(new JwtBearerOptions { AutomaticAuthenticate = true, AutomaticChallenge = true, TokenValidationParameters = tokenValidationParameters, AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme, }); app.UseMvc();