始终使用旧令牌值进行身份验证
Authentication always using an old token value
我有一个不知道如何解决的问题。我的项目有一个微服务模型(基于 Volo ABP Microservice Demo),我有一个包含所有检索数据方法的 API,一个作为我所有项目的授权机构的 AuthServer,以及一个网关翻译请求。
这就是我在 Gateway 项目中配置身份验证的方式:
public override void ConfigureServices(ServiceConfigurationContext context)
{
IdentityModelEventSource.ShowPII = true;
var configuration = context.Services.GetConfiguration();
Configure<AbpMultiTenancyOptions>(options =>
{
options.IsEnabled = SidesysMicroservicesConsts.IsMultiTenancyEnabled;
});
context.Services.AddAuthentication("Bearer")
.AddIdentityServerAuthentication(options =>
{
options.Authority = configuration["AuthServer:Authority"];
options.ApiName = configuration["AuthServer:ApiName"];
options.RequireHttpsMetadata = false;
});
context.Services.AddSwaggerGen(options =>
{
options.SwaggerDoc("v1", new OpenApiInfo { Title = "VirtualSpace Gateway API", Version = "v1" });
options.DocInclusionPredicate((docName, description) => true);
options.CustomSchemaIds(type => type.FullName);
});
context.Services.AddOcelot(context.Services.GetConfiguration());
Configure<AbpDbContextOptions>(options =>
{
options.UseSqlServer();
});
context.Services.AddCors(options =>
{
options.AddPolicy(DefaultCorsPolicyName, builder =>
{
builder
.WithOrigins(
configuration["App:CorsOrigins"]
.Split(",", StringSplitOptions.RemoveEmptyEntries)
.Select(o => o.RemovePostFix("/"))
.ToArray()
)
.WithAbpExposedHeaders()
.SetIsOriginAllowedToAllowWildcardSubdomains()
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
});
});
//context.Services.AddStackExchangeRedisCache(options =>
//{
// options.Configuration = configuration["Redis:Configuration"];
//});
//var redis = ConnectionMultiplexer.Connect(configuration["Redis:Configuration"]);
//context.Services.AddDataProtection()
// .PersistKeysToStackExchangeRedis(redis, "MsDemo-DataProtection-Keys");
}
我的数据库中有角色和不同的用户,因此为了检索令牌,我使用来自 AuthServer 的 /connect/token URL 和相应的角色,为此,我使用 Postman 和相应的 headers。一旦我检索到我需要的令牌,我将使用 Postman 和来自 Gateway(我的网关 运行s 在端口 44377 上)的相应 URL 和相应的“授权”header及其带有“Bearer”身份验证方案的令牌值,此请求将转换为 URL 到其相应的 API(它 运行s 在端口 44320 上)URL 请求我需要做的,例如 http://localhost:44377/api/virtualspaceattention/GetSourceUsers,它会被翻译成 http://localhost:44320//api/virtualspaceattention/VirtualSpaceAttention/GetSourceUsers.
这里的问题是无论我使用什么令牌,每次我都得到相同的日志错误:
Request starting HTTP/1.1 GET http://localhost:44377/api/virtualspaceattention/GetSoruceUsers - -
2022-01-07 17:00:47.928 -03:00 [INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: 'C99C917C5E43906FE6A88DDF28E73628'.
Exceptions caught:
''.
token: '{"alg":"RS256","kid":"C99C917C5E43906FE6A88DDF28E73628","typ":"at+jwt"}.{"nbf":1640913147,"exp":1672449147,"iss":"http://localhost/authserver","aud":["VirtualSpace","VirtualSpaceGateway"],"client_id":"virtualSpace","iat":1640913147,"scope":["VirtualSpace","VirtualSpaceGateway"]}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
2022-01-07 17:00:48.025 -03:00 [INF] Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match key:
kid: 'C99C917C5E43906FE6A88DDF28E73628'.
Exceptions caught:
''.
token: '{"alg":"RS256","kid":"C99C917C5E43906FE6A88DDF28E73628","typ":"at+jwt"}.{"nbf":1640913147,"exp":1672449147,"iss":"http://localhost/authserver","aud":["VirtualSpace","VirtualSpaceGateway"],"client_id":"virtualSpace","iat":1640913147,"scope":["VirtualSpace","VirtualSpaceGateway"]}'.
我比较了通过 /connect/token URL 检索到的令牌,与请求当前使用的令牌不同。我已经使用 JWT website 检查了它的属性,它似乎正在使用缓存在某处的令牌,但我不知道在哪里处理它。
我将在此处粘贴 JWT website 中的值进行比较:
{
"alg": "RS256",
"kid": "1C700F5BA873DCA75C9CEC6B36118026",
"typ": "at+jwt"
}
{
"nbf": 1641586212,
"exp": 1673122212,
"iss": "http://localhost:44399",
"aud": [
"VirtualSpace",
"VirtualSpaceGateway"
],
"client_id": "virtualSpace",
"sub": "87861a01-4486-17b8-c6d6-3a01476f3851",
"auth_time": 1641586212,
"idp": "local",
"tenantid": "0a1ea190-866c-3522-010e-3a014784d83d",
"operator_description": "Operador 1",
"role": "operator",
"email": "operator.one@sidesys.com",
"email_verified": "False",
"name": "operatorOne",
"iat": 1641586212,
"scope": [
"VirtualSpace",
"VirtualSpaceGateway"
],
"amr": [
"pwd"
]
}
我发现比较令牌的两件事:
- “iss”:“http://localhost:44399”和“iss”:“http:///localhost/authserver”,这些值是不同的。我曾经 运行 通过 IIS 使用我的 AuthServer,但我不再使用了。
- “孩子”:“1C700F5BA873DCA75C9CEC6B36118026”和“孩子”:“C99C917C5E43906FE6A88DDF28E73628”。这些绝对不一样。同样,这个旧令牌似乎存储在某个地方。
如有任何建议,我们将不胜感激。 TIA.
问题出在浏览器上。 Google Chrome 似乎将 token 存储在 Application 选项卡中,即使您选择了 Disable cache 选项。即使您强制页面清空缓存并强制重新加载,token 也会保留在那里。
在 Application 选项卡中,您需要清理 Storage 部分下的所有内容才能解决此问题。老实说,这是一场噩梦,在我意识到这一点之前,我几乎一整天都在试图想出一个解决方案。
我有一个不知道如何解决的问题。我的项目有一个微服务模型(基于 Volo ABP Microservice Demo),我有一个包含所有检索数据方法的 API,一个作为我所有项目的授权机构的 AuthServer,以及一个网关翻译请求。
这就是我在 Gateway 项目中配置身份验证的方式:
public override void ConfigureServices(ServiceConfigurationContext context)
{
IdentityModelEventSource.ShowPII = true;
var configuration = context.Services.GetConfiguration();
Configure<AbpMultiTenancyOptions>(options =>
{
options.IsEnabled = SidesysMicroservicesConsts.IsMultiTenancyEnabled;
});
context.Services.AddAuthentication("Bearer")
.AddIdentityServerAuthentication(options =>
{
options.Authority = configuration["AuthServer:Authority"];
options.ApiName = configuration["AuthServer:ApiName"];
options.RequireHttpsMetadata = false;
});
context.Services.AddSwaggerGen(options =>
{
options.SwaggerDoc("v1", new OpenApiInfo { Title = "VirtualSpace Gateway API", Version = "v1" });
options.DocInclusionPredicate((docName, description) => true);
options.CustomSchemaIds(type => type.FullName);
});
context.Services.AddOcelot(context.Services.GetConfiguration());
Configure<AbpDbContextOptions>(options =>
{
options.UseSqlServer();
});
context.Services.AddCors(options =>
{
options.AddPolicy(DefaultCorsPolicyName, builder =>
{
builder
.WithOrigins(
configuration["App:CorsOrigins"]
.Split(",", StringSplitOptions.RemoveEmptyEntries)
.Select(o => o.RemovePostFix("/"))
.ToArray()
)
.WithAbpExposedHeaders()
.SetIsOriginAllowedToAllowWildcardSubdomains()
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
});
});
//context.Services.AddStackExchangeRedisCache(options =>
//{
// options.Configuration = configuration["Redis:Configuration"];
//});
//var redis = ConnectionMultiplexer.Connect(configuration["Redis:Configuration"]);
//context.Services.AddDataProtection()
// .PersistKeysToStackExchangeRedis(redis, "MsDemo-DataProtection-Keys");
}
我的数据库中有角色和不同的用户,因此为了检索令牌,我使用来自 AuthServer 的 /connect/token URL 和相应的角色,为此,我使用 Postman 和相应的 headers。一旦我检索到我需要的令牌,我将使用 Postman 和来自 Gateway(我的网关 运行s 在端口 44377 上)的相应 URL 和相应的“授权”header及其带有“Bearer”身份验证方案的令牌值,此请求将转换为 URL 到其相应的 API(它 运行s 在端口 44320 上)URL 请求我需要做的,例如 http://localhost:44377/api/virtualspaceattention/GetSourceUsers,它会被翻译成 http://localhost:44320//api/virtualspaceattention/VirtualSpaceAttention/GetSourceUsers.
这里的问题是无论我使用什么令牌,每次我都得到相同的日志错误:
Request starting HTTP/1.1 GET http://localhost:44377/api/virtualspaceattention/GetSoruceUsers - -
2022-01-07 17:00:47.928 -03:00 [INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: 'C99C917C5E43906FE6A88DDF28E73628'.
Exceptions caught:
''.
token: '{"alg":"RS256","kid":"C99C917C5E43906FE6A88DDF28E73628","typ":"at+jwt"}.{"nbf":1640913147,"exp":1672449147,"iss":"http://localhost/authserver","aud":["VirtualSpace","VirtualSpaceGateway"],"client_id":"virtualSpace","iat":1640913147,"scope":["VirtualSpace","VirtualSpaceGateway"]}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
2022-01-07 17:00:48.025 -03:00 [INF] Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match key:
kid: 'C99C917C5E43906FE6A88DDF28E73628'.
Exceptions caught:
''.
token: '{"alg":"RS256","kid":"C99C917C5E43906FE6A88DDF28E73628","typ":"at+jwt"}.{"nbf":1640913147,"exp":1672449147,"iss":"http://localhost/authserver","aud":["VirtualSpace","VirtualSpaceGateway"],"client_id":"virtualSpace","iat":1640913147,"scope":["VirtualSpace","VirtualSpaceGateway"]}'.
我比较了通过 /connect/token URL 检索到的令牌,与请求当前使用的令牌不同。我已经使用 JWT website 检查了它的属性,它似乎正在使用缓存在某处的令牌,但我不知道在哪里处理它。
我将在此处粘贴 JWT website 中的值进行比较:
{
"alg": "RS256",
"kid": "1C700F5BA873DCA75C9CEC6B36118026",
"typ": "at+jwt"
}
{
"nbf": 1641586212,
"exp": 1673122212,
"iss": "http://localhost:44399",
"aud": [
"VirtualSpace",
"VirtualSpaceGateway"
],
"client_id": "virtualSpace",
"sub": "87861a01-4486-17b8-c6d6-3a01476f3851",
"auth_time": 1641586212,
"idp": "local",
"tenantid": "0a1ea190-866c-3522-010e-3a014784d83d",
"operator_description": "Operador 1",
"role": "operator",
"email": "operator.one@sidesys.com",
"email_verified": "False",
"name": "operatorOne",
"iat": 1641586212,
"scope": [
"VirtualSpace",
"VirtualSpaceGateway"
],
"amr": [
"pwd"
]
}
我发现比较令牌的两件事:
- “iss”:“http://localhost:44399”和“iss”:“http:///localhost/authserver”,这些值是不同的。我曾经 运行 通过 IIS 使用我的 AuthServer,但我不再使用了。
- “孩子”:“1C700F5BA873DCA75C9CEC6B36118026”和“孩子”:“C99C917C5E43906FE6A88DDF28E73628”。这些绝对不一样。同样,这个旧令牌似乎存储在某个地方。
如有任何建议,我们将不胜感激。 TIA.
问题出在浏览器上。 Google Chrome 似乎将 token 存储在 Application 选项卡中,即使您选择了 Disable cache 选项。即使您强制页面清空缓存并强制重新加载,token 也会保留在那里。
在 Application 选项卡中,您需要清理 Storage 部分下的所有内容才能解决此问题。老实说,这是一场噩梦,在我意识到这一点之前,我几乎一整天都在试图想出一个解决方案。