需要使用哪個TokenValidationParameters和UseJwtBearerAuthentication

Question

我正打算在我的.net WebAPI上做JwtBearerAuthentication，它只是不起作用。 Authorize屬性始終聲明isAuthorized = false。

我正在與Okta一起作爲SSO。我在客戶端進行身份驗證並獲取訪問令牌和身份標識令牌。在webapi獲取請求時，我在授權標頭中提供了訪問令牌（我也嘗試了id令牌），並且能夠在webapi actioncontext中使用令牌查看授權標頭。

在我startup.cs我有以下

var clientID = WebConfigurationManager.AppSettings["okta:ClientId"]; 

var oidcIssuer = WebConfigurationManager.AppSettings["okta:OIDC_Issuer"]; 

TokenValidationParameters tvps = new TokenValidationParameters 
{ 
    ValidAudience = clientID, 
    ValidateAudience = true, 
    ValidIssuer = oidcIssuer, 
    ValidateIssuer = true 
}; 

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions 
{ 
    TokenValidationParameters = tvps, 
    IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[] 
    { 
     new OpenIdConnectCachingSecurityTokenProvider(oidcIssuer + "/.well-known/openid-configuration") 
    } 
}); 

我失去了一些TokenValidationParameters我需要什麼？

Answer 1

我的問題不是與選項。 這是100％，需要下面的所有owin設置的東西移動

app.UseWebApi(config); 

。

Answer 2

當我輸入這個時，我看到那個twaldron能想出來！

我也意識到他問的是WebAPI，而不是MVC。然而，這裏是我需要得到下面用ASP.NET MVC的核心工作代碼，特別感興趣的可能是這條線，這是必要的，以獲得在JWT的額外索賠訪問：

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); 

下面是該代碼示例在命令行中是如何工作的，在$ID_TOKEN變量包含一個有效的智威湯遜：

$ curl -H "Authorization: Bearer ${ID_TOKEN}" http://localhost:3000/test/test 
sub: 01a23b4cd5eFgHI6j7k8 email:test@example.com 

Setup.cs：

using System; 
using Microsoft.AspNetCore.Builder; 
using Microsoft.AspNetCore.Hosting; 
using Microsoft.Extensions.Configuration; 
using Microsoft.Extensions.DependencyInjection; 
using Microsoft.Extensions.Logging; 
using Microsoft.IdentityModel.Tokens; 
using System.IdentityModel.Tokens.Jwt; 

namespace WebApplication 
{ 
    public class Startup 
    { 
     readonly string clientId = string.Empty; 
     readonly string issuer = string.Empty; 
     readonly string audience = string.Empty; 

     public Startup(IHostingEnvironment env) 
     { 
      clientId = "A0b1CDef2GHIj3k4lm5n"; 
      issuer = "https://example.okta.com"; 
      audience = "A0b1CDef2GHIj3k4lm5n"; 
     } 

     public IConfigurationRoot Configuration { get; } 

     public void ConfigureServices(IServiceCollection services) 
     { 
      services.AddMvc(); 
     } 

     public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) 
     { 
      loggerFactory.AddDebug(); 

      // https://github.com/aspnet/Security/issues/1043#issuecomment-261937401 
      JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); 

      TokenValidationParameters tvps = new TokenValidationParameters 
      { 

       ValidateAudience = true, 
       ValidAudience = audience, 

       ValidateIssuer = true, 
       ValidIssuer = issuer, 

       ValidateLifetime = true, 
       ClockSkew = TimeSpan.FromMinutes(5) 
      }; 

      app.UseJwtBearerAuthentication(new JwtBearerOptions 
      { 
       MetadataAddress = issuer + "/.well-known/openid-configuration", 
       TokenValidationParameters = tvps 
      }); 


      app.UseStaticFiles(); 

      // Add external authentication middleware below. To configure them please see https://go.microsoft.com/fwlink/?LinkID=532715 

      app.UseMvc(routes => 
      { 
       routes.MapRoute(
        name: "test-controller", 
        template: "test/{action}", 
        defaults: new { controller = "Test", action = "Index" } 
       ); 
       routes.MapRoute(
        name: "default", 
        template: "{controller=Test}/{action=Index}/{id?}"); 
      }); 
     } 
    } 
} 

在控制器/ test.cs中：

[Authorize] 
    public IActionResult Test() 
    { 
     var contextUser = User.Identity as ClaimsIdentity; 
     Dictionary<string, string> claim = contextUser.Claims.ToDictionary(x => x.Type, x => x.Value); 

     var output = "sub: " + claim["sub"] + " email:" + claim["email"]; 
     return Content(output); 
    }