.net core - Jwt 中间件身份验证签名密钥被忽略
.net core - Jwt middleware authentication signing key being ignored
我正在使用配置为使用 json 网络令牌的 openiddict:
// Add authentication
services.AddAuthentication();
// Add OpenId Connect/OAuth2
services.AddOpenIddict()
.AddEntityFrameworkCoreStores<ApplicationDbContext>()
.AddMvcBinders()
.EnableTokenEndpoint("/connect/token")
.AllowPasswordFlow()
.AllowRefreshTokenFlow()
.UseJsonWebTokens() // access_token should be jwt
// You can disable the HTTPS requirement during development or if behind a reverse proxy
.DisableHttpsRequirement()
// Register a new ephemeral key, that is discarded when the application
// shuts down. Tokens signed using this key are automatically invalidated.
// To be used during development
.AddEphemeralSigningKey();
我已经按照以下方式通过 JWT 中间件进行了配置:
// Add Jwt middleware for authentication
var secretKey = Configuration.Get<AppOptions>().Jwt.SecretKey;
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
RequireHttpsMetadata = env.IsProduction(),
Audience = Configuration.Get<AppOptions>().Jwt.Audience,
Authority = Configuration.Get<AppOptions>().Jwt.Authority,
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey)),
ValidateIssuer = true,
// makes no difference seemingly being ignored
//ValidIssuer = Configuration.Get<AppOptions>().Jwt.Authority,
ValidateAudience = true,
ValidAudience = Configuration.Get<AppOptions>().Jwt.Audience,
ValidateLifetime = true,
}
});
// Add OpedId Connect middleware
app.UseOpenIddict();
如您所见,发行者签名密钥设置为对称密钥:
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey)),
但是创建的 jwt access_tokens 将 alg 声明设置为 RS256,因此似乎此设置被忽略并且 openiddict 使用 RSA 私钥签署从
.AddEphemeralSigningKey();
为了强制 openiddict 使用对称密钥,必须在 openiddict 中配置它
services.AddOpenIddict()
.AddEntityFrameworkCoreStores<ApplicationDbContext>()
.AddMvcBinders()
.EnableTokenEndpoint("/connect/token")
.AllowPasswordFlow()
.AllowRefreshTokenFlow()
.UseJsonWebTokens()
// You can disable the HTTPS requirement during development or if behind a reverse proxy
.DisableHttpsRequirement()
// set your symmetric key
.AddSigningKey(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration.Get<AppOptions>().Jwt.SecretKey)));
在 .net 2.0 中,您还应该在 JWT 中间件中注册您的密钥,如下所示:
services.AddAuthentication(opt => {
opt.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.RequireHttpsMetadata = false;
options.SaveToken = true;
//options.Audience = "http://localhost:13818/";
//options.Authority = "http://localhost:13818/";
options.TokenValidationParameters = new
TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("iNivDmHLpUA223sqsfhqGbMRdRj1PVkH")),
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true
};
});
我正在使用配置为使用 json 网络令牌的 openiddict:
// Add authentication
services.AddAuthentication();
// Add OpenId Connect/OAuth2
services.AddOpenIddict()
.AddEntityFrameworkCoreStores<ApplicationDbContext>()
.AddMvcBinders()
.EnableTokenEndpoint("/connect/token")
.AllowPasswordFlow()
.AllowRefreshTokenFlow()
.UseJsonWebTokens() // access_token should be jwt
// You can disable the HTTPS requirement during development or if behind a reverse proxy
.DisableHttpsRequirement()
// Register a new ephemeral key, that is discarded when the application
// shuts down. Tokens signed using this key are automatically invalidated.
// To be used during development
.AddEphemeralSigningKey();
我已经按照以下方式通过 JWT 中间件进行了配置:
// Add Jwt middleware for authentication
var secretKey = Configuration.Get<AppOptions>().Jwt.SecretKey;
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
RequireHttpsMetadata = env.IsProduction(),
Audience = Configuration.Get<AppOptions>().Jwt.Audience,
Authority = Configuration.Get<AppOptions>().Jwt.Authority,
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey)),
ValidateIssuer = true,
// makes no difference seemingly being ignored
//ValidIssuer = Configuration.Get<AppOptions>().Jwt.Authority,
ValidateAudience = true,
ValidAudience = Configuration.Get<AppOptions>().Jwt.Audience,
ValidateLifetime = true,
}
});
// Add OpedId Connect middleware
app.UseOpenIddict();
如您所见,发行者签名密钥设置为对称密钥:
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey)),
但是创建的 jwt access_tokens 将 alg 声明设置为 RS256,因此似乎此设置被忽略并且 openiddict 使用 RSA 私钥签署从
.AddEphemeralSigningKey();
为了强制 openiddict 使用对称密钥,必须在 openiddict 中配置它
services.AddOpenIddict()
.AddEntityFrameworkCoreStores<ApplicationDbContext>()
.AddMvcBinders()
.EnableTokenEndpoint("/connect/token")
.AllowPasswordFlow()
.AllowRefreshTokenFlow()
.UseJsonWebTokens()
// You can disable the HTTPS requirement during development or if behind a reverse proxy
.DisableHttpsRequirement()
// set your symmetric key
.AddSigningKey(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration.Get<AppOptions>().Jwt.SecretKey)));
在 .net 2.0 中,您还应该在 JWT 中间件中注册您的密钥,如下所示:
services.AddAuthentication(opt => {
opt.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.RequireHttpsMetadata = false;
options.SaveToken = true;
//options.Audience = "http://localhost:13818/";
//options.Authority = "http://localhost:13818/";
options.TokenValidationParameters = new
TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("iNivDmHLpUA223sqsfhqGbMRdRj1PVkH")),
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true
};
});