诚然,这是构建Asp.Net Core Web api项目的第一步。一个要求是支持OAuth2。 Api和Identity服务器是两个独立的项目,都从Asp.Net核心的Empty模板开始。
身份服务器已启动并正在运行,并且正在通过资源所有者流提供 token 。获取 token 很好,范围和相关的access_token详细信息似乎是正确的。
当我向资源端点发出get请求时,首先得到以下信息...
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET http://localhost:12886/v1/mystuff
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[2]
Successfully validated the token.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[3]
HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Bearer.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[8]
AuthenticationScheme: Bearer was successfully authenticated.
info: IdentityModel.AspNetCore.ScopeValidation.ScopeValidationMiddleware[0]
Scopes found on current principal: scope: stuffdetails, scope: stuffmover
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[8]
AuthenticationScheme: Bearer was successfully authenticated.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[1]
Authorization was successful for user: 939d72dd-654c-447f-a65d-d0426b1eca59.
因此,我可以告诉中间件正在验证我的 token ,读取作用域以及对 token 进行身份验证。
但是,在最初取得成功之后,我立即获得授权失败。
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed for user: 939d72dd-654c-447f-a65d-d0426b1eca59.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
Executing ChallengeResult with authentication schemes ().
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[13]
AuthenticationScheme: Bearer was forbidden.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action TestApi.StuffController.GetStuff (TestApi) in 32.4439ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 1207.1769ms 403
我认为这是启动中的相关位。
ConfigureServices ...
services.AddMvcCore()
.AddAuthorization(opts =>
{
opts.AddPolicy("stuffdetails",
policy => policy.RequireClaim("stuffdetails"));
}
)
.AddJsonFormatters();
services.AddOptions();
配置
-请注意,我知道configOptions是正确的,因为初始 token 挑战成功。
var authServerOptions = new IdentityServerAuthenticationOptions
{
Authority = configOptions.Value.AuthServerSettings.AuthServerURI,
RequireHttpsMetadata = configOptions.Value.AuthServerSettings.RequiresHttpsMetaData,
ApiName = configOptions.Value.AuthServerSettings.ApiName,
AllowedScopes = configOptions.Value.AuthServerSettings.AllowedScopes,
SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt,
AuthenticationScheme = "Bearer",
SaveToken = true,
ValidateScope = true
};
app.UseIdentityServerAuthentication(authServerOptions);
app.UseMvc();
东西 Controller
[Route("v1/[controller]")]
[Authorize(ActiveAuthenticationSchemes = "Bearer")]
public class StuffController : Controller
{
[HttpGet]
[Authorize(Policy = "stuffdetails")]
public JsonResult GetStuff()
{
return new JsonResult(new
{
Message = "You've got stuff.."
});
}
}
如果我从GetStuff方法中删除Authorize属性,那么一切都很好,因为如日志所示,承载 token 已得到授权。
问题:
任何帮助是极大的赞赏..
最佳答案
您所看到的内容是正确的,但是您可以通过删除Authorize属性的“policy”部分轻松地进行验证:如果现在有效,则问题与您的策略有关,如果仍然失败,则是更广泛的问题不仅仅是您的政策。我假设您正在使用自己的IProfileService实现将'stuffdetails'声明添加到access_token中?
是的,这似乎是aspnet进行自定义授权的核心方式。
我在UseIdentityServerAuthentication流中使用ResourceOwnerPassword。我想知道UseJwtBearerAuthentication方法是首选还是提供其他功能。
关于asp.net-web-api - 使用Asp.Net Core Web API进行授权,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/42257481/