今天在.NET项目中,使用基于策略角色的鉴权时,遇到一个401的问题,场景如下:
Program.cs代码如下:
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
var builder = WebApplication.CreateBuilder(args);
var authConfig = new AuthConfig();
builder.Configuration.Bind(“AuthConfig”, authConfig);
builder.Services.AddSingleton(authConfig);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, opt =>
{
opt.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(authConfig.SecurityKey)),
ValidateIssuer = true,
ValidIssuer = authConfig.Issuer,
ValidateAudience = true,
ValidAudience = authConfig.Audience,
ClockSkew = TimeSpan.Zero,
RequireExpirationTime = true,
ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha512 }
};
});
builder.Services.AddAuthorization(opt =>
{
opt.AddPolicy(“rolevalidate”, policy => policy.RequireRole(“user”));
});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapPost(“/login”, ([FromServices] AuthConfig config, [FromBody] UserModel userModel) =>
{
if (userModel.UserName != “gsw” || userModel.Password != “111111”)
{
return new { result = false, message = “用户名或密码错误!”, token = “” };
}
else
{
var token = new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
issuer: config.Issuer,
audience: config.Audience,
claims: new[] {
new Claim(ClaimTypes.Role, “user”)
},
notBefore: DateTime.UtcNow,
expires: DateTime.UtcNow.AddSeconds(config.Expires),
signingCredentials: new SigningCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(config.SecurityKey)), SecurityAlgorithms.HmacSha512)
));
return new { result = true, message = “”, token = token };
}
}).AllowAnonymous();
app.MapGet(“/index”, () =>
{
return “登录成功!”;
}).RequireAuthorization(“rolevalidate”);
app.Run();
public class AuthConfig
{
public string Issuer { get; set; }
public string Audience { get; set; }
public int Expires { get; set; }
public string SecurityKey { get; set; }
}
public class UserModel
{
public string UserName { get; set; }
public string Password { get; set; }
}
appsettings.json内容如下:
{
“Logging”: {
“LogLevel”: {
“Default”: “Information”,
“Microsoft.AspNetCore”: “Information”
}
},
“AllowedHosts”: “*”,
“AuthConfig”: {
“Issuer”: “https://www.demo.com”,
“Audience”: “https://www.demo.com”,
“Expires”: 86400,
“SecurityKey”: “1234567890abcdefg1234567890abcdefg1234567890abcdefg1234567890abcdefg”
}
}
引入的Nuget包如下(Microsoft.IdentityModel.Tokens包是因为觉得可传递包比较旧,升上来的):
测试开始,先登录,成功返回Token:
然后访问/index,遇到了401的报错。
一开始以为在注AddAuthentication和AddAuthorization的姿势不对,重写尝试了一段时间,总是不成功。逐渐感觉到不是这里的原因,于是想通过日志,把失败的原因找出来,方便深入分析,于是开启Microsoft.AspNetCore.Authentication.JwtBearer的日 志,在appsettings.json的LogLevel下,添加如下配置:
“Microsoft.AspNetCore.Authentication.JwtBearer”: “Information”
再次请求/index,错误日志如下:
最后定位到可能是Microsoft.IdentityModel.Tokens的问题,于是删除安装的版本,相当于给它降级,因类可传递的版本是8.0.1。
再次测试,正常通过!
声明:文中观点不代表本站立场。本文传送门:https://eyangzhen.com/424822.html
