【Question title】: token validation using OAUTH2 Cognito configuration parameters in .net core web api
【Posted】: 2019-03-02 01:08:33
【Question】:

I am running a Web API in .net core 2.1 and I need to validate the incoming JWT token carried in the incoming request. The token is generated by an OAUTH 2 IDP and is inserted by my client in its requests to my Web API. The OpenID configuration I can get from cognito is the following:

{
    "authorization_endpoint": "https://xxx.xxx.xxx.amazoncognito.com/oauth2/authorize",
    "id_token_signing_alg_values_supported": ["RS256"],
    "issuer": "https://cognito-idp.eu-west-1.amazonaws.com/xxx",
    "jwks_uri": "https://cognito-idp.eu-west-1.amazonaws.com/xxxxxx/.well-known/jwks.json",
    "response_types_supported": ["code", "token", "token id_token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "subject_types_supported": ["public"],
    "token_endpoint": "https://xxxxxxx.auth.eu-west-1.amazoncognito.com/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "userinfo_endpoint": "https://xxxxxxxx.auth.eu-west-1.amazoncognito.com/oauth2/userInfo"
}

I would like to use the .net core Web API "standard" way of handling this, implemented in startup.cs as follows:

 services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
     {
         options.TokenValidationParameters = new TokenValidationParameters
         {
             // Clock skew compensates for server time drift.
             // We recommend 5 minutes or less:
             ClockSkew = TimeSpan.FromMinutes(5),
             // Specify the key used to sign the token
             // (signingKey is the value this question asks how to obtain):
             IssuerSigningKey = signingKey,
             RequireSignedTokens = true,
             // Ensure the token hasn't expired:
             RequireExpirationTime = true,
             ValidateLifetime = true,
             // Ensure the token audience matches our audience value (default true):
             ValidateAudience = true,
             ValidAudience = "api://default",
             // Ensure the token was issued by a trusted authorization server (default true):
             ValidateIssuer = true,
             ValidIssuer = "???????"
         };
     });

How do I use/match the cognito parameters in my Web API token validation parameters? In particular, how do I load IssuerSigningKey, ValidIssuer and ValidAudience?

【Question discussion】:

    Tags: oauth-2.0 .net-core amazon-cognito asp.net-core-webapi


    【Solution 1】:

    Basically, I solved the token signature validation check by inserting the following into the "ConfigureServices" method in "Startup.cs"

    ...

    using System.Threading;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;

    // Download the Cognito discovery document and, through its jwks_uri, the signing keys.
    IConfigurationManager<OpenIdConnectConfiguration> configurationManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            "*PutHereCognitoOpenIdWellKnownConfigurationURL*",
            new OpenIdConnectConfigurationRetriever());
    // ConfigureServices is synchronous, so block on the download here.
    Task<OpenIdConnectConfiguration> t = configurationManager.GetConfigurationAsync(CancellationToken.None);
    t.Wait();
    OpenIdConnectConfiguration openIdConfig = t.Result;
    

    ....

    The previous statement gives me the IssuerSigningKeys, so I also inserted the following:

    ...

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                RequireExpirationTime = true,
                RequireSignedTokens = true,
                ValidateAudience = false,
                ValidateIssuer = false,
                ValidateLifetime = false,
                // Keys downloaded from the Cognito JWKS above.
                IssuerSigningKeys = openIdConfig.SigningKeys
            };
        });
    

    ...

    Then I called "app.UseAuthentication();" in the Configure method. Finally, I put the [Authorize] decoration before each Web API method involved.

    【Discussion】:
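The following is an added example, not code from the question or from the answer above, showing how the three values the question asks about (signing key, issuer, audience) map onto the Cognito discovery document while keeping issuer, audience and lifetime validation switched on. Setting `options.Authority` to the `issuer` value makes the JwtBearer handler fetch `/.well-known/openid-configuration` and the `jwks_uri` itself and refresh keys on rotation, so no `IssuerSigningKey` is hard-coded. The user pool id and app client id are placeholders, and the custom audience check assumes the `JwtSecurityToken` handler that .NET Core 2.1 uses; it exists because Cognito access tokens carry the app client id in a `client_id` claim rather than in `aud`, so a plain `ValidAudience` match would reject them.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class CognitoJwtSetup
{
    // Placeholders (assumptions): the "issuer" value from the Cognito OpenID
    // configuration and the app client id of the user pool.
    private const string Issuer = "https://cognito-idp.eu-west-1.amazonaws.com/<USER_POOL_ID>";
    private const string AppClientId = "<APP_CLIENT_ID>";

    public static IServiceCollection AddCognitoJwtBearer(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Authority + RequireHttpsMetadata: the handler downloads
                // {Issuer}/.well-known/openid-configuration and the JWKS over TLS
                // and caches/refreshes the signing keys automatically.
                options.Authority = Issuer;
                options.RequireHttpsMetadata = true;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Signature: keys come from jwks_uri via Authority, and the
                    // discovery document advertises RS256 only.
                    ValidateIssuerSigningKey = true,
                    RequireSignedTokens = true,
                    ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },

                    // Issuer: must equal the "issuer" field exactly.
                    ValidateIssuer = true,
                    ValidIssuer = Issuer,

                    // Audience: id tokens put the app client id in "aud",
                    // access tokens put it in "client_id"; accept either.
                    ValidateAudience = true,
                    ValidAudience = AppClientId,
                    AudienceValidator = ValidateAudienceOrClientId,

                    // Lifetime: reject expired tokens, tolerate small clock drift.
                    RequireExpirationTime = true,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(5)
                };
            });

        return services;
    }

    // Replaces the default audience check when ValidateAudience is true.
    private static bool ValidateAudienceOrClientId(
        IEnumerable<string> audiences, SecurityToken token, TokenValidationParameters parameters)
    {
        // id token path: "aud" contains the app client id.
        if (audiences != null && audiences.Contains(parameters.ValidAudience))
            return true;

        // access token path: no "aud", so look at "client_id" instead.
        return token is JwtSecurityToken jwt
            && jwt.Claims.Any(c => c.Type == "client_id" && c.Value == parameters.ValidAudience);
    }
}
```

Call `services.AddCognitoJwtBearer();` from `ConfigureServices`, keep `app.UseAuthentication();` in `Configure` before MVC as the answer describes, and the `[Authorize]` attributes then enforce signature, issuer, audience and expiry together; leaving `ValidateIssuer`, `ValidateAudience` or `ValidateLifetime` at `false` means a token from another user pool, for another client, or long expired would still be accepted as long as its signature checks out.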
