身份服务器已启动并正在运行,并且正在通过资源所有者流提供令牌.获取令牌很好,范围和相关的access_token详细信息似乎是正确的.
当我向我的资源端点发出get请求时,我首先得到以下信息……
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1] Request starting HTTP/1.1 GET http://localhost:12886/v1/mystuff info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[2] Successfully validated the token. info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[3] HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Bearer. info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[8] AuthenticationScheme: Bearer was successfully authenticated. info: IdentityModel.AspNetCore.ScopeValidation.ScopeValidationMiddleware[0] Scopes found on current principal: scope: stuffdetails,scope: stuffmover info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[8] AuthenticationScheme: Bearer was successfully authenticated. info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[1] Authorization was successful for user: 939d72dd-654c-447f-a65d-d0426b1eca59.
所以,我可以告诉中间件正在验证我的令牌,读取范围以及验证令牌.
但是,在最初的成功之后,我立即获得了授权失败.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed for user: 939d72dd-654c-447f-a65d-d0426b1eca59. info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1] Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. info: Microsoft.AspNetCore.Mvc.ChallengeResult[1] Executing ChallengeResult with authentication schemes (). info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[13] AuthenticationScheme: Bearer was forbidden. info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2] Executed action TestApi.StuffController.GetStuff (TestApi) in 32.4439ms info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2] Request finished in 1207.1769ms 403
以下是我认为启动时的相关内容.
ConfigureServices …
services.AddMvcCore() .AddAuthorization(opts => { opts.AddPolicy("stuffdetails",policy => policy.RequireClaim("stuffdetails")); } ) .AddJsonFormatters(); services.AddOptions();
配置
– 请注意,我知道我的configOptions是正确的,因为初始令牌挑战是成功的.
var authServerOptions = new IdentityServerAuthenticationOptions { Authority = configOptions.Value.AuthServerSettings.AuthServerURI,RequireHttpsMetadata = configOptions.Value.AuthServerSettings.RequiresHttpsMetaData,ApiName = configOptions.Value.AuthServerSettings.ApiName,AllowedScopes = configOptions.Value.AuthServerSettings.AllowedScopes,SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt,AuthenticationScheme = "Bearer",SaveToken = true,ValidateScope = true }; app.UseIdentityServerAuthentication(authServerOptions); app.UseMvc();
东西控制器
[Route("v1/[controller]")] [Authorize(ActiveAuthenticationSchemes = "Bearer")] public class StuffController : Controller { [HttpGet] [Authorize(Policy = "stuffdetails")] public JsonResult GetStuff() { return new JsonResult(new { Message = "You've got stuff.." }); } }
如果我从GetStuff方法中删除Authorize属性,一切都很好,因为如日志所示,持有者令牌被授权.
问题:
>授权失败是因为我的政策不正确,如果是这样,应如何设置?
>如果我想验证令牌包含正确的声明并获得授权,那么使用策略是否正确?
>我是否在尝试使用UseIdentityServerAuthentication而不是UseJwtBearerAuthentication时出错?
任何帮助是极大的赞赏..
解决方法
Is authorization failing because my policy is incorrect,and if so how
should it be setup?
您所看到的内容看起来是正确的,但您只需删除“授权”属性的“政策”部分即可轻松验证:如果它现在有效,则问题与您的政策有关,如果仍然失败那么这是一个更广泛的问题而不仅仅是你的政策.我假设您使用自己的IProfileService实现将“stuffdetails”声明添加到access_token中?
If I want to validate a token contains the proper claims,and was
authorized,is it correct to use policies as I have?
是的,似乎是aspnet进行自定义授权的核心方式.
Am I making a mistake trying to use UseIdentityServerAuthentication
instead of UseJwtBearerAuthentication?
我正在使用UseIdentityServerAuthentication和ResourceOwnerPassword流程.我有兴趣听听UseJwtBearerAuthentication方法是首选还是提供其他功能.
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。