JWT Bearer Authentication 不从标头中读取 Token答案

【问题标题】：JWT Bearer Authentication Does not read Token from headersJWT Bearer Authentication 不从标头中读取 Token
【发布时间】：2023-03-20 12:12:02
【问题描述】：

我正在尝试使用 .Net-Core 中的 JWT Bearer 进行身份验证，这是我的启动：

var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions));

// Configure JwtIssuerOptions
services.Configure<JwtIssuerOptions>(options =>
{
    options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
    options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)];
    options.SigningCredentials = new SigningCredentials(_signingKey, SecurityAlgorithms.HmacSha256);
});

var tokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)],

    ValidateAudience = true,
    ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)],

    ValidateIssuerSigningKey = true,
    IssuerSigningKey = _signingKey,

    RequireExpirationTime = false,
    ValidateLifetime = true,
    ClockSkew = TimeSpan.Zero
};

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(cfg =>
    {
        cfg.RequireHttpsMetadata = false;
        cfg.SaveToken = true;

        cfg.Events = new JwtBearerEvents
        {
            OnMessageReceived = async (ctx) =>
            {
                Console.WriteLine(ctx.Token);
            },

            OnTokenValidated = async (ctx) =>
            {
                Console.WriteLine("BreakPoint");
            },
        };

        cfg.TokenValidationParameters = tokenValidationParameters;
    })
    .AddCoinbase(options => {
        options.AccessAllAccounts = true;
        options.SendLimitAmount = 1;
        options.SendLimitCurrency = "USD";
        options.SendLimitPeriod = SendLimitPeriod.day;
        options.ClientId = Configuration["Coinbase:ClientId"];
        options.ClientSecret = Configuration["Coinbase:ClientSecret"];
        COINBASE_SCOPES.ForEach(scope => options.Scope.Add(scope));
        options.SaveTokens = true;
        options.ClaimActions.MapJsonKey("urn:coinbase:avatar", "avatar_url");
    });

我正在使用我的 access_token 从 Postman 发出一个简单的 Get Request：

获取https://localhost:44377/api/values HEADERS: 授权: Bearer

但是，当我检查收到消息的令牌时我总是得到 null

OnMessageReceived = async (ctx) =>
{
    Console.WriteLine(ctx.Token);
}

【问题讨论】：

标签： c# asp.net-core .net-core jwt bearer-token

【解决方案1】：

调用OnMessageReceived 委托时无需先设置Token 属性。对于这个事件，Token 是您可以设置自己的东西，如果您要覆盖令牌的检索方式。你可以在source code看到这个：

protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
    string token = null;
    try
    {
        // Give application opportunity to find from a different location, adjust, or reject token
        var messageReceivedContext = new MessageReceivedContext(Context, Scheme, Options);

        // event can set the token
        await Events.MessageReceived(messageReceivedContext);
        if (messageReceivedContext.Result != null)
        {
            return messageReceivedContext.Result;
        }

        // If application retrieved token from somewhere else, use that.
        token = messageReceivedContext.Token;

        if (string.IsNullOrEmpty(token))
        {
            string authorization = Request.Headers["Authorization"];

            ...

对Events.MessageReceived 的调用会调用您的OnMessageReceived 委托，但MessageReceivedContext 尚未使用Token 进行初始化，所以它只是null。在调用Events.MessageReceived 之后，会从Authorization 标头中检索令牌（如果您没有按照我提到的那样自己设置）。

【讨论】：