問題描述

我正在使用 Visual Studio 2015 Enterprise Update 1 和 ASP.NET vNext rc1-update1 來發(fā)布和使用 JWT 令牌，如 這里.

I am using Visual Studio 2015 Enterprise Update 1 and ASP.NET vNext rc1-update1 to issue and consume JWT tokens as described here.

在我們的實現(xiàn)中，我們希望控制令牌生命周期驗證.

In our implementation we want to control token lifetime validation.

我們嘗試了幾種方法，所有這些方法都有不良副作用.例如，在一次嘗試中，我們在 Configure 方法中接管了 TokenValidationParameters.TokenValidationParameters.LifetimeValidator 事件:

We tried several approaches, all of which had undesirable side effects. For example in one attempt we took over the TokenValidationParameters.TokenValidationParameters.LifetimeValidator event in the Configure method:

app.UseJwtBearerAuthentication
(
    options => 
    {
        options.TokenValidationParameters = new TokenValidationParameters()
        {
            LifetimeValidator = (DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters) =>
            {
                // Pretend to do custom validation
                return false;
            }
        };
    }
);

該事件導致驗證失敗，但客戶端收到 500 錯誤，而我們希望返回 400 系列錯誤和一個小負載.

That event causes validation to fail as we'd like but the client receives a 500 error whereas we would like to return a 400-series error and a small payload instead.

在另一次嘗試中，我們嘗試了 TokenValidationParameters.Events 的各種實現(xiàn)，例如檢查 ValidatedToken 事件中的聲明，但發(fā)現(xiàn)我們無法阻止中間件調(diào)用控制器操作，除非引發(fā)異常，導致我們回到 500 錯誤問題.

In another attempt we tried various implementations of TokenValidationParameters.Events, such as inspecting claims in the ValidatedToken event but found we were unable to prevent the middleware from invoking the controller action short of throwing an exception which got us back to the 500 error problem.

所以我的問題是:

• 使用 OIDC 接管生命周期驗證的最佳做法是什么?

• What what is the best practices for taking over lifetime validation with OIDC?

我們是否可以強制 OIDC 不在令牌中包含某些生命周期聲明，例如nbf"，因為我們無論如何都不需要它們?

Can we force OIDC not to include certain lifetime claims in the token like "nbf" since we won't need them anyway?

推薦答案

此錯誤已在 ASP.NET Core RC2 中修復(fù).不再需要此答案中描述的解決方法.

這是一個已知錯誤.遺憾的是，您可以在 beta8 中使用的解決方法 不再有效 在 RC1 中.

It's a known bug. Sadly, the workaround you could use in beta8 no longer works in RC1.

您唯一的選擇是編寫一個捕獲異常的中間件，以防止服務(wù)器返回 500 響應(yīng).當然，它很丑陋，并且可能會隱藏重要的異常，但它是唯一適用于 RC1 的已知解決方法.

Your only option is to write a middleware catching the exception to prevent the server from returning a 500 response. Of course, it's ugly and will potentially hide important exceptions, but it's the only known workaround that works with RC1.

這是一個例子(確保在 JWT 承載中間件之前注冊它):

Here's an example (make sure to register it before the JWT bearer middleware):

app.Use(next => async context => {
    try {
        await next(context);
    }

    catch {
        // If the headers have already been sent, you can't replace the status code.
        // In this case, throw an exception to close the connection.
        if (context.Response.HasStarted) {
            throw;
        }

        context.Response.StatusCode = 401;
    }
});

這篇關(guān)于使用 AspNet.Security.OpenIdConnect.Server (ASP.NET vNext) 的自定義生命周期驗證的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！