【发布时间】:2023-04-04 03:25:01
【问题描述】:
我正在尝试在我的 ASP.NET Core 5 Web API 中实现基于 JWT 的身份验证。但是,当我使用标有 [Authorize] 属性的 API 时,我总是得到响应代码 401。
这是我目前所拥有的。首先,如果用户提供了有效的用户名和密码,我的AccountController 会发出 JWT:
[Authorize]
[ApiController]
[Route("api/" + Constants.ApiVersion + "/Accounts")]
public class AccountController : ControllerBase
{
private readonly UserManager<AppUser> _userManager;
private readonly IPasswordHasher<AppUser> _passwordHasher;
public AccountController(UserManager<AppUser> userManager, IPasswordHasher<AppUser> passwordHasher)
{
_userManager = userManager;
_passwordHasher = passwordHasher;
}
[AllowAnonymous]
[HttpPost]
[Route("Token")]
public async Task<IActionResult> Login([FromForm]LoginBindingModel model)
{
if(model == null)
{
return BadRequest();
}
if(!ModelState.IsValid)
{
return BadRequest(ModelState);
}
AppUser user = await _userManager.FindByNameAsync(model.UserName);
if(user == null || !await _userManager.CheckPasswordAsync(user, model.Password))
{
return Unauthorized();
}
SymmetricSecurityKey encryptionKey = new(Encoding.UTF8.GetBytes("TODO_Find_better_key_and_store_as_secret"));
JwtSecurityTokenHandler jwtTokenHandler = new();
SecurityTokenDescriptor tokenDescriptor = new()
{
Subject = new ClaimsIdentity(new[] { new Claim("UserName", user.UserName) }),
Expires = DateTime.UtcNow.AddDays(7),
SigningCredentials = new SigningCredentials(encryptionKey, SecurityAlgorithms.HmacSha256Signature)
};
SecurityToken jwtToken = jwtTokenHandler.CreateToken(tokenDescriptor);
string token = jwtTokenHandler.WriteToken(jwtToken);
return Ok(token);
}
[HttpPost]
[Route("ChangePassword")]
public async Task<ActionResult> ChangePassword([FromBody]ChangePasswordBindingModel model)
{
if(model == null)
{
return BadRequest();
}
if(!ModelState.IsValid)
{
return BadRequest(ModelState);
}
AppUser user = await _userManager.GetUserAsync(User);
if(user == null)
{
return new StatusCodeResult(StatusCodes.Status403Forbidden);
}
IdentityResult result = await _userManager.ChangePasswordAsync(user, model.OldPassword, model.NewPassword);
return GetHttpResponse(result);
}
...
}
这段代码似乎可以正常工作。它返回一个被jwt.io成功解析的令牌,并包含我输入的用户名。
接下来,Startup 类如下所示:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration
{
get;
}
public void ConfigureServices(IServiceCollection services)
{
services.Configure<ApplicationSettings>(Configuration.GetSection(nameof(ApplicationSettings)));
services.AddIdentityCore<AppUser>(options =>
{
Configuration.GetSection(nameof(IdentityOptions)).Bind(options);
});
services.AddScoped<IPasswordHasher<AppUser>, Identity.PasswordHasher<AppUser>>();
services.AddTransient<IUserStore<AppUser>, UserStore>();
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.SaveToken = true;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = "whatever",
ValidateAudience = true,
ValidAudience = "whatever",
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("TODO_Find_better_key_and_store_as_secret"))
};
});
services.AddMvc();
services.AddControllers();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if(env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseAuthentication();
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
我正在向 Token 路由发送 HTTP POST 请求,该路由返回 JWT。之后,我将在请求正文中包含必要的 JSON 数据和标头中的 Authorization: Bearer <the JWT> 发送 HTTP POST 请求到 ChangePassword 路由。
但是,它总是返回响应代码 401,没有任何其他信息或异常。
我不知道Startup.ConfigureServices 中的魔法实际上应该在幕后做什么。无论如何,这显然是行不通的。有谁知道发生了什么以及如何使其发挥作用?
【问题讨论】:
标签: c# asp.net-core jwt asp.net-core-webapi