問題描述
我正在將 ASP.NET Web API 4.6 OWIN 應用程序移植到 ASP.NET Core 2.1.該應用程序基于 JWT 令牌工作.但是通過 cookie 而不是標頭傳遞的令牌.我不確定為什么不使用標題,這只是我必須處理的情況.
I am porting an ASP.NET Web API 4.6 OWIN application to ASP.NET Core 2.1. The application is working based on JWT token. But the token in passed via cookie instead of header. I'm not sure why headers are not used, it is just the situation that I have to deal with.
考慮到身份驗證不是通過 cookie 完成的.cookie 僅用作傳輸媒體.在遺留應用程序中,CookieOAuthBearerProvider 用于從 cookie 中提取 JWT 令牌.配置代碼如下:
Consider that authentication is not done via cookie. The cookie is just used as a transfering media. In the legacy application CookieOAuthBearerProvider is employed to extract JWT token from cookie. Configuration code is as like this:
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { audienceId },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
},
Provider = new CookieOAuthBearerProvider("token")
});
}
CookieOAuthBearerProvider類源碼如下:
public class CookieOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
readonly string _name;
public CookieOAuthBearerProvider(string name)
{
_name = name;
}
public override Task RequestToken(OAuthRequestTokenContext context)
{
var value = context.Request.Cookies[_name];
if (!string.IsNullOrEmpty(value))
{
context.Token = value;
}
return Task.FromResult<object>(null);
}
這里討論了這個解決方案詳細.
This solution is discussed here with more detail.
現(xiàn)在我需要為 ASP.NET Core 實現(xiàn)類似的解決方案.問題是 UseJwtBearerAuthentication 不再存在于 ASP.NET Core 中,我不知道如何引入自定義 AuthenticationProvider.
Now I need to implement similar solution for ASP.NET Core. Problem is that UseJwtBearerAuthentication does not exists in ASP.NET Core anymore and I do not know how I can introduce a custom AuthenticationProvider.
非常感謝任何幫助.
更新:有 一種嘗試通過自己的代碼驗證 JWT 的解決方案.這不是我需要的.我只是在尋找一種方法,將從 cookie 收到的令牌傳遞給標頭閱讀器.
UPDATE: There is a solution that tries to validate JWT by its own code. It is not what I need. I'm just searching for a way to pass token recieved from cookie to header reader.
推薦答案
在 ASP.NET Core 2.0 中,身份驗證系統(tǒng)進行了一些大修.而不是使用例如UseJwtBearerAuthentication 作為中間件,ASP.NET Core 2.0+ 使用 DI 進行配置.例如,這看起來像這樣:
In ASP.NET Core 2.0, the authentication system was somewhat overhauled. Rather than using e.g. UseJwtBearerAuthentication as middleware, ASP.NET Core 2.0+ configures things using DI. For example, this looks something like this:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options => {
// ...
});
}
除此之外,下一個問題是:我們?nèi)绾沃甘?JwtBearer 身份驗證過程使用這個新系統(tǒng)查看 cookie?
With that out of the way, the next question would be: how do we instruct the JwtBearer authentication process to look at a cookie using this new system?
傳遞給 AddJwtBearer 的 options 對象包含自己的 Events 屬性,它允許您自定義流程的各個部分.使用 OnMessageReceived,您可以實現(xiàn)您想要的:
That options object being passed in to AddJwtBearer contains an Events property of its own, which allows you to customise various parts of the process. Using OnMessageReceived, you can achieve what you're looking for:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options => {
options.Events = new JwtBearerEvents
{
OnMessageReceived = context =>
{
context.Token = context.Request.Cookies["CookieName"];
return Task.CompletedTask;
}
};
});
}
通過設置 context.Token,您是在告訴 JwtBearer 進程您已經(jīng)負責自己提取令牌.
By setting context.Token, you're telling the JwtBearer process that you've taken care of extracting the token yourself.
這里是一個有用的遷移文檔,它更詳細地解釋了身份驗證更改.
Here's a useful migration document that explains the authentication changes in more detail.
這篇關于在 ASP.NET Core 中,從 Cookie 而不是 Headers 中讀取 JWT 令牌的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!