使用.Net使用.Net HttpClient失敗API如果沒有直接獲取訪問令牌，授權將失敗

Question

服務器是一個.net核心API，它使用Identity進行身份驗證/授權，SimpleTokenProvider用於生成JWT令牌。特定端點需要角色授權。

[Authorize(Roles = "Admin")] 

當我從一個不同的控制器操作方法令牌，保存令牌會話，並嘗試使用該令牌來調用API，或者當我硬編碼從郵差得到令牌並將其傳遞到API，用戶在服務器上得到認證，但未能授權。

用戶獲得授權的唯一方法是如果我在同一控制器操作方法內請求令牌。它也適用於Postman。

的客戶端代碼如下：

string token = "ew0KICAiYWxnIjogIkhTMjU2IiwNCiAg..."; 

    HttpClient client = new HttpClient(handler); 
    client.DefaultRequestHeaders.Accept.Clear(); 
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));  
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token); 
    HttpResponseMessage httpResponse = client.GetAsync("http://localhost:5001/api/dashboard").Result; 
      if (httpResponse.IsSuccessStatusCode) 
      { 
      Console.Write(httpResponse.Content.ReadAsStringAsync().Result); 
      } 

從服務器日誌，對於同一個端點授權調用有以下幾點：

Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:5001/api/dashboard  
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware:Information: HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Identity.Application. 
    Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Successfully validated the token. 
    Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Bearer. 
    Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization was successful for user: xxxxx. 
    Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization was successful for user: xxxxx. 

雖然未經許可的電話有以下日誌：

Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:5001/api/dashboard 
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Successfully validated the token. 
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Bearer. 
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization was successful for user: xxxxx. 
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed for user: xxxxx. 
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. 
Microsoft.AspNetCore.Mvc.ChallengeResult:Information: Executing ChallengeResult with authentication schemes(). 
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: AuthenticationScheme: Bearer was forbidden. 
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware:Information: AuthenticationScheme: Identity.Application was challenged. 

我不知道還有什麼其他選項需要添加到HttpCl用於授權的工作。

Answer 1

在使用wireshark跟蹤HttpClient和Postman的請求差異後，我發現.Net Identity在用戶登錄後設置了一個名爲.AspNetCore.Identity.Application的Cookie，該用戶登錄後必須作爲請求的一部分發送工作授權。

獲取cookie並將其設置爲後續請求的一部分後，它可以正常工作。