【发布时间】:2021-11-07 18:46:53
【问题描述】:
我有一个简单的 ASP.NET Core API (.net 5) 应用程序,其安全配置如下:
services.AddControllers(options =>
options.Filters.Add(new MyExceptionFilter()));
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration.GetSection("AAD"));
services.AddAuthorization(options =>
{
options.AddPolicy("MyPolicy", policy =>
policy.RequireAssertion(context =>
context.User.HasClaim(c => c.Type == "myclaim" && c.Value == "myvalue")));
});
然后将策略应用于控制器:
[ApiController]
[Route("[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Policy = "MyPolicy")]
public class DefaultController : ControllerBase {}
当令牌没有必需的声明时,框架会抛出 System.UnauthorizedAccessException:
System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
at Microsoft.Identity.Web.MicrosoftIdentityWebApiAuthenticationBuilderExtensions.<>c__DisplayClass3_1.<<AddMicrosoftIdentityWebApiImplementation>b__1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
没关系。不好的是它随后转换为 HTTP 500,尽管我期望 HTTP 403。问题是标准异常过滤器(继承自 Microsoft.AspNetCore.Mvc.Filters.ExceptionFilterAttribute)没有捕捉到它,可能是因为它在管道中发生得太早了。
为什么要这样设计?如何将身份验证阶段的异常映射到我需要的任何内容?
【问题讨论】:
-
你能显示你的
AddJwtBearer步骤吗?异常是在AuthenticationMiddleware上抛出的,它甚至没有到达AuthorizationMiddleware,授权策略还没有发生......有点奇怪 -
@GordonKhanhNg。更新代码,谢谢。
标签: c# asp.net-core asp.net-web-api error-handling .net-5