logo标签列表

ASP.NET Core 5.0 JWT身份验证会抛出401代码。

c#asp.net-corejwtasp.net-core-mvc
3
我有一个ASP.NET Core 5.0 API,它使用JWT身份验证。目前,我只想让它在按钮中读取令牌。
@Html.ActionLink("Test","Oper","Home")

我需要使用[Authorize]头,并根据我的标准进行验证。我不知道错在哪里,但它总是返回HTTP 401代码。

测试添加此代码

app.UseCors(x => x.AllowAnyHeader()
                  .AllowAnyMethod()
                  .WithOrigins("https://localhost:4200"));

错误:

System.InvalidOperationException: CORS协议不允许同时指定通配符(任何)源和凭据。如果需要支持凭据,请通过列出单个源来配置CORS策略。

与终端pty主机进程的连接没有响应,终端可能会停止工作

这不是Angular项目。

这是Startup.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.FileProviders;
using System.IO;
using Microsoft.IdentityModel.Tokens;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;

namespace JWTtokenMVC
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllersWithViews();
            services.AddCors(options =>
            {
                options.AddPolicy("CorsPolicy", builder => builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader().AllowCredentials().Build());
            });

            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.IncludeErrorDetails = true;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType ="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                    RoleClaimType ="http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                    ValidateIssuer = true,
                    ValidateAudience = false,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = Configuration["Jwt:Issuer"],
                    ValidAudience = Configuration["Jwt:Issuer"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"])

                    )
                };
            });
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseStaticFiles();
            app.UseStaticFiles(new StaticFileOptions
            {
                FileProvider = new PhysicalFileProvider(Path.Combine(Directory.GetCurrentDirectory(), "Test_modules")),
                RequestPath = "/" + "Test_modules"
            });
            app.UseCookiePolicy();

            app.UseRouting();

            app.UseAuthentication();

            app.UseAuthorization();
            app.UseCors(x => x.AllowAnyHeader()
                              .AllowAnyMethod()
                              .WithOrigins("https://localhost:4200"));

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
}

这是HomeController.cs - 登录获取Jwt令牌已成功:

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using JWTtokenMVC.Models;
using Microsoft.IdentityModel.Tokens;
using System.Text;
using Microsoft.Extensions.Configuration;
using JWTtokenMVC.Models.Test;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;

namespace JWTtokenMVC.Controllers
{
    public class HomeController : Controller
    {
        private IConfiguration _config;

        public HomeController(IConfiguration config)
        {
            _config = config;
        }

        public IActionResult Index()
        {
            return View();
        }

        public IActionResult Privacy()
        {
            return View();
        }

        [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
        public IActionResult Error()
        {
            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
        }

        private string GenerateJSONWebToken(UserPaul userinfo)
        {
            var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]));
            var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
            var claims = new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub,userinfo.Username),
                new Claim(JwtRegisteredClaimNames.Email,userinfo.Email),
                new Claim(JwtRegisteredClaimNames.Jti,Guid.NewGuid().ToString()),
            };
            var token = new JwtSecurityToken(
                issuer: _config["Jwt:Issuer"],
                audience: _config["Jwt:Issuer"],
                claims,
                expires: DateTime.Now.AddMinutes(10),
                signingCredentials: credentials
                );
            var encodetoken = new JwtSecurityTokenHandler().WriteToken(token);

            var cookieOptions = new CookieOptions();
            //cookieOptions.Expires = DateTimeOffset.UtcNow.AddHours(12);//you can set this to a suitable timeframe for your situation
            cookieOptions.HttpOnly = true;
            cookieOptions.Expires = DateTime.Now.AddMinutes(1);
            //cookieOptions.Domain = Request.Host.Value;
            cookieOptions.Path = "/";
            Response.Cookies.Append("jwt", encodetoken, cookieOptions);

            return encodetoken;
        }

        [HttpPost]
        public IActionResult Login()
        {
            string AccountNumber="TestUser";
            JWTtokenMVC.Models.TestContext userQuery = new JWTtokenMVC.Models.TestContext();
            var query = userQuery.Testxxxx.Where(N => N.UserId ==AccountNumber).FirstOrDefault();
            IActionResult response = Unauthorized();

            if (query != null)
            {
                var tokenStr = GenerateJSONWebToken(query);
                response = Ok(new { token = tokenStr });
            }

            return response;
        }

        [Authorize]
        [HttpGet("Home/Oper")]
        public IActionResult Oper()
        {
            var authenticationCookieName = "jwt";
            var cookie = HttpContext.Request.Cookies[authenticationCookieName];
            List<Test_SHOW> sHOWs = new List<Test_SHOW>();
            JWTtokenMVC.Models.Test.TestContext userQuery= new JWTtokenMVC.Models.Test.TestContext();
            var query = userQuery.Test.Select(T => new Test_SHOW
            {
                number= T.number,
                name= T.name,
                mail= T.mail

            }).OrderBy(o => o.Iid);

            sHOWs.AddRange(query);

            return View("Views/Home/Oper.cshtml", sHOWs);
        }
    }
}

这是 Test.cshtml 文件:
@{
    ViewBag.Title = "Home Page";
}

@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
@functions{
    public string GetAntiXsrfRequestToken()
    {
        return Xsrf.GetAndStoreTokens(Context).RequestToken;
    }
}

<input type="hidden" id="RequestVerificationToken"
       name="RequestVerificationToken" value="@GetAntiXsrfRequestToken()">


<form method="post" asp-antiforgery="false">
<!--form -->


    <div>
        <span style="color:red">@ViewBag.Msg</span>
    </div>

    <div class="col-md-4 select-outline">
</div>
    <button type="button" class="btn btn-light">@Html.ActionLink("Test","Oper","Home")</button>
  <button type="button" class="btn btn-light">@Html.ActionLink("TestLogin","Login","Home")</button>

</form>

最后,这是Oper.cshtml

@using JWTtokenMVC.Models.Test
@model List<Test_SHOW>

@{
    ViewBag.Title = "test";
}

<h2>Test List</h2>

<table class="table table-hover">
    <tr>
        <th>
          number
        </th>
        <th>
           name
        </th>
        <th>
            mail
        </th>
    </tr>
    @foreach (var item in Model)
    {    
        <tr>
             <td>
                @Html.DisplayFor(modelItem => item.number)
            </td>
            <td>
                <span class='text-danger'>@Html.DisplayFor(modelItem => item.name)</span>
            </td>
            <td>
                  <span class='text-danger'>@Html.DisplayFor(modelItem => item.mail)</span>
            </td>
        </tr>
    }
</table>

这是我的 appsettings.json 文件:

{
  "Logging": {
    "LogLevel": {
      "Default": "TestInformation",
      "Microsoft": "TestWarning",
      "Microsoft.Hosting.Lifetime": "TestInformation"
    }
  },
  "AllowedHosts": "*",
  "Jwt": {
    "Key": "TestProdigy",
    "Issuer": "Test.mail.com"
  }
}
1
抱歉,代码已经更新。 - Paul
1
在 appsettings.json 中更改您的 Jwt 密钥,我认为它应该是 16 个字符的长度。 - Majid Qafouri
尝试使用app.UseCors("CorsPolicy"); - Yinqiu
我参考了idx10603 SO问题中的更新代码,但是在读取@Html.ActionLink("Test","Oper","Home")按钮中的令牌以及其[Authorize]头并根据我的标准进行验证时,它总是返回HTTP 401代码。我不知道错过了什么。 - Paul
其实,我不知道你为什么在这个问题中将两个不同的问题联系起来。401错误很可能与响应Cookies不正确有关(即需要定义一个带端口的域)...Cors问题根本与401错误无关,并且可以通过处理内置服务AddCors范围来有条件地处理。 - Brett Caswell
显示剩余8条评论
2个回答
3

@Patriom Sarkar的回答解决了你的CORS问题/错误

关于你的401未经授权响应

这些问题可能与CORS无关。

你在这里遇到的问题是,你已经配置了JwtBearer JSON Web Tokens以便在请求Authorize端点时出现。默认情况下,它将使用Authorization请求头中存在的Bearer令牌。

这意味着,为了导航/调用Oper(),你需要确保"Authorization: Bearer {token}"存在并带有有效的令牌(作为请求头)。

目前,在你的Login处理中,你正在生成令牌并执行Set-Cookie,以便用户代理/客户端创建一个'jwt' cookie,并将其作为值;然而,用户代理不会自动将该jwt cookie添加到后续请求的标头中作为Authorization:Bearer Token。因此,Authorize属性端点上的JwtBearer配置将无效。

另外值得注意的是,设置Xhr或Fetch操作中的标头在SPA框架中是受支持且正常的(包括Cookie存储的jwt_tokens)。然而,在这里,你不是在做Xhr或Fetch请求,而是在进行html表单提交工作流/机制——导航页面/视图。在这方面,客户端设置Authorization Header(AFAIK)是不可能的。

为了支持此处的页面/视图导航,你需要在服务器端实现一个解决方案,使用传递的jwt cookie设置令牌。

该解决方案由@Kirk Larkin在In ASP.NET Core read JWT token from Cookie instead of Headers中介绍。

    .AddJwtBearer(options => {
            options.Events = new JwtBearerEvents
            {
                OnMessageReceived = context =>
                {
                    context.Token = context.Request.Cookies["jwt"];
                    return Task.CompletedTask;
                }
            };
        });

此外

在这个范围内,context.Token 始终为 null 或空。此声明和分配不会进行任何预处理或后处理。如果您打算支持授权头和 Cookie,则应在此分配的委托中实现该条件。

您可以查看GitHub 上的 JwtBearerHandler (aspnetcore 5.0) 的默认处理方式

再次感谢 @Kirk Larkin 在相关问题的回复评论中提供了此额外信息。

@Brett Caswell的回答非常贴切地解决了我的问题,非常感谢。 - Paul
1
作为@Yinkiu提到的,你需要使用app.UseCors("CorsPolicy"),因为它不是你已经提到的angular项目。安装NuGet包Microsoft.AspNetCore.Cors 我已经回答了你一个相关的问题。这是另一个过程。实际上,你不能同时使用AllowAnyOrigin()AllowCredentials()。但是,如果你想要AllowCredentials()AllowAnyOrigin()一起使用,请使用SetIsOriginAllowed(Func<string,bool> predicate) 关于IsOriginAllowed 
services.AddCors(options =>
            {
                options.AddPolicy("CorsPolicy",
                    builder => builder
                    .AllowAnyOrigin()
                    .AllowAnyMethod()
                    .AllowAnyHeader()
                    );

                options.AddPolicy("signalr",
                    builder => builder
                    .AllowAnyMethod()
                    .AllowAnyHeader()

                    .AllowCredentials()
                    .SetIsOriginAllowed(hostName => true));
            });
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接