The server is a .NET Core API that uses Identity for authentication/authorization and SimpleTokenProvider to generate JWT tokens. Certain endpoints require role authorization. Calling the API with the .NET HttpClient fails: if the access token is not obtained directly, authorization fails.
[Authorize(Roles = "Admin")]
When I obtain the token from a different controller action method, save the token in session, and try to use that token to call the API, or when I hard-code a token obtained from Postman and pass it to the API, the user is authenticated on the server but fails authorization.
The only way the user gets authorized is if I request the token inside the same controller action method. It also works in Postman.
The client code is as follows:
using System;
using System.Net.Http;
using System.Net.Http.Headers;

// Token truncated in the original post; the real code uses the full JWT
string token = "ew0KICAiYWxnIjogIkhTMjU2IiwNCiAg...";
HttpClientHandler handler = new HttpClientHandler(); // handler was not shown in the original snippet
HttpClient client = new HttpClient(handler);
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
// Send the JWT as a Bearer token in the Authorization header
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
HttpResponseMessage httpResponse = client.GetAsync("http://localhost:5001/api/dashboard").Result;
if (httpResponse.IsSuccessStatusCode)
{
    Console.Write(httpResponse.Content.ReadAsStringAsync().Result);
}
From the server logs, the authorized call to the same endpoint shows the following:
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:5001/api/dashboard
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware:Information: HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Identity.Application.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Successfully validated the token.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Bearer.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization was successful for user: xxxxx.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization was successful for user: xxxxx.
while the unauthorized call has the following logs:
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:5001/api/dashboard
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Successfully validated the token.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Bearer.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization was successful for user: xxxxx.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed for user: xxxxx.
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Microsoft.AspNetCore.Mvc.ChallengeResult:Information: Executing ChallengeResult with authentication schemes().
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: AuthenticationScheme: Bearer was forbidden.
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware:Information: AuthenticationScheme: Identity.Application was challenged.
I don't know what other options need to be added to HttpClient for authorization to work.
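The failing log above shows only the Bearer scheme contributing a principal, so one check a practitioner would want is to see which role claims the token itself carries. This is an added example, not code from the question: a small C# console program using the System.IdentityModel.Tokens.Jwt package (the one the JwtBearer middleware depends on); the sample tokens, the "alice" user and the signing key are constructed for the demo only.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class TokenInspector
{
    // Returns the role values present in the token. ReadJwtToken only parses the
    // compact JWT; it does NOT validate signature, expiry or issuer, so this is
    // for inspection only and must never be used as an authorization decision.
    public static string[] RolesInToken(string jwt)
    {
        JwtSecurityToken token = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        // The handler shortens ClaimTypes.Role to "role" when writing a token,
        // so both spellings are checked here.
        return token.Claims
            .Where(c => c.Type == "role" || c.Type == ClaimTypes.Role)
            .Select(c => c.Value)
            .ToArray();
    }

    // Constructed demo token; the key is a throwaway value, not a real secret.
    private static string MakeSampleToken(IEnumerable<Claim> claims)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-only-key-at-least-32-bytes-long!!"));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var jwt = new JwtSecurityToken(issuer: "demo", audience: "demo", claims: claims,
            expires: DateTime.UtcNow.AddMinutes(5), signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    public static void Main()
    {
        string withRole = MakeSampleToken(new[] { new Claim(ClaimTypes.Name, "alice"), new Claim(ClaimTypes.Role, "Admin") });
        string withoutRole = MakeSampleToken(new[] { new Claim(ClaimTypes.Name, "alice") });
        foreach (string t in new[] { withRole, withoutRole })
        {
            string[] roles = RolesInToken(t);
            Console.WriteLine(roles.Length == 0
                ? "token carries no role claim"
                : "roles in token: " + string.Join(", ", roles));
        }
    }
}
```

A token whose role claim uses a name other than the one the server expects will still validate but fail a role check; the expected name is set on the server through TokenValidationParameters.RoleClaimType.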