混合 JWT 和 windows 身份验证。 jwt 失败后弹出凭据
Mixed JWT and windows authentication. Credentials popup after jwt failed
我想在 IIS 上使用 JWT 和 Windows 身份验证。
在 IIS 上,我启用了 Windows 和匿名授权。
我配置了自定义 jwt 身份验证:
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddScheme<BearerAuthenticationSchemeOptions, BearerAuthenticationHandler>(JwtBearerDefaults.AuthenticationScheme, null);
public class BearerAuthenticationHandler
: AuthenticationHandler<BearerAuthenticationSchemeOptions>
{
private IJwtUtils _jwtUtils;
public BearerAuthenticationHandler(
IOptionsMonitor<BearerAuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock,
IJwtUtils jwtUtils)
: base(options, logger, encoder, clock)
{
_jwtUtils = jwtUtils;
}
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
//if (HasAnonymousAttribute())
//{
// return Task.FromResult(AuthenticateResult.NoResult());
//}
var token = Request.Headers["Authorization"].FirstOrDefault()?.Split(" ").Last();
var user = _jwtUtils.ValidateJwtToken(token);
if (user != null)
{
var ticket = new AuthenticationTicket(user, this.Scheme.Name);
return AuthenticateResult.Success(ticket);
}
return AuthenticateResult.NoResult();
}
}
我在控制器中用属性标记方法:
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
并且我添加了 auth 和 autorization 中间件:
app.UseAuthentication();
app.UseAuthorization();
但是在我返回后 AuthenticateResult.NoResult() 再次调用了 HandleAuthenticateAsync 方法。然后弹出Windows授权。
我期待 401 代码回来。
为什么在JWT之后调用Windows授权?
JWT授权失败后如何得到401?
根据这个issue,可以看到PG回复了:
This may not be possible in IIS. IIS will add Windows Auth challenges
to any response with a 401 status code, triggering the login prompt.
This happens outside of ASP.NET and your application, you don't have
much control at that point.It should work with HttpSysServer because it's all controlled in process.
所以当 jwt 失败时你不应该 return 401。您应该 return 其他状态代码,它不会触发像 600 这样的登录提示。
我想在 IIS 上使用 JWT 和 Windows 身份验证。 在 IIS 上,我启用了 Windows 和匿名授权。 我配置了自定义 jwt 身份验证:
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddScheme<BearerAuthenticationSchemeOptions, BearerAuthenticationHandler>(JwtBearerDefaults.AuthenticationScheme, null);
public class BearerAuthenticationHandler
: AuthenticationHandler<BearerAuthenticationSchemeOptions>
{
private IJwtUtils _jwtUtils;
public BearerAuthenticationHandler(
IOptionsMonitor<BearerAuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock,
IJwtUtils jwtUtils)
: base(options, logger, encoder, clock)
{
_jwtUtils = jwtUtils;
}
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
//if (HasAnonymousAttribute())
//{
// return Task.FromResult(AuthenticateResult.NoResult());
//}
var token = Request.Headers["Authorization"].FirstOrDefault()?.Split(" ").Last();
var user = _jwtUtils.ValidateJwtToken(token);
if (user != null)
{
var ticket = new AuthenticationTicket(user, this.Scheme.Name);
return AuthenticateResult.Success(ticket);
}
return AuthenticateResult.NoResult();
}
}
我在控制器中用属性标记方法:
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
并且我添加了 auth 和 autorization 中间件:
app.UseAuthentication();
app.UseAuthorization();
但是在我返回后 AuthenticateResult.NoResult() 再次调用了 HandleAuthenticateAsync 方法。然后弹出Windows授权。
我期待 401 代码回来。
为什么在JWT之后调用Windows授权?
JWT授权失败后如何得到401?
根据这个issue,可以看到PG回复了:
This may not be possible in IIS. IIS will add Windows Auth challenges to any response with a 401 status code, triggering the login prompt. This happens outside of ASP.NET and your application, you don't have much control at that point.It should work with HttpSysServer because it's all controlled in process.
所以当 jwt 失败时你不应该 return 401。您应该 return 其他状态代码,它不会触发像 600 这样的登录提示。