希望任何人都可以幫助我解決以下非常令人沮喪的問題。令牌端點AllowInsecureHttp = false仍然接受http請求
我有我通過jwt身份驗證保護的.NET WebApi。在設置OAuthAuthorizationServerOptions
對象時,我將我的令牌終點的屬性AllowInsecureHttp
設置爲false
。在IISExpress本地運行我的API並使用Postman測試它就像一個魅力。如果我將該屬性設置爲true
,並在我的終點上請求令牌,那麼它將起作用,如果將其設置爲false
,我會按預期得到404
。但是,當我將API發佈到我的生產環境(Windows 2012/IIS8)並將屬性設置爲false
時,我可以通過https 和 http獲得令牌。它似乎沒有聽取財產。
我運行API作爲帶有別名Api的應用程序,只有一個https綁定的域。我用下面的助手基類,我的API:
public class BaseWebApi<TDerivedOAuthProvider> where TDerivedOAuthProvider : BaseOAuthProvider, new()
{
public BaseWebApi(IAppBuilder app)
{
HttpConfiguration config = new HttpConfiguration();
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(DefaultAuthenticationTypes.ExternalBearer));
ConfigureOAuth(app);
WebApiConfig.Register(config);
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.UseWebApi(config);
}
private static void ConfigureOAuth(IAppBuilder app)
{
var allowInsecureHttp = Convert.ToBoolean(ConfigurationManager.AppSettings["jwt::allowInsecureHttp"].ToString());
var issuer = ConfigurationManager.AppSettings["jwt::issuer"].ToString();
var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["jwt::secret"].ToString());
var clients = ConfigurationManager.AppSettings["jwt::clients"].ToString().Split(new char[] { ',' });
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
AllowInsecureHttp = allowInsecureHttp,
AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(10),
Provider = new TDerivedOAuthProvider(),
RefreshTokenProvider = new BaseRefreshTokenProvider(),
AccessTokenFormat = new BaseJwtFormat(issuer),
};
// OAuth 2.0 Bearer Access Token Generation
app.UseOAuthAuthorizationServer(OAuthServerOptions);
// Api controllers with an [Authorize] attribute will be validated with JWT
app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = clients,
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
}
});
}
}
變量allowInsecureHttp
,issuer
,secret
和clients
從配置文件填充。將硬編碼爲allowInsecureHttp
的值設置爲false
或true
不會改變任何內容。
[assembly: OwinStartup(typeof(MyCustomAPI.Startup))]
namespace MyCustomAPI.API
{
public class Startup
{
public void Configuration(IAppBuilder app)
{
BaseWebApi<CustomOAuthProvider> webApi = new BaseWebApi<CustomOAuthProvider>(app);
}
}
}
希望任何人都可以點我:這個基類,然後通過我的實際API,它(旁邊的實際API函數)還提供了一個CustomOAuthProvider
類處理的實際執行證書檢查這個特定的API的實例正確的方向。拋開這個問題,API本身的工作是完美的,但我真的想強制SSL生產令牌。
乾杯, 奈奎斯特