In an ASP.NET Core API project, I need to validate a JWT Bearer token that is located in a header other than the Authorization header. For example, suppose a GET request is sent to fetch products at /api/products with a bearer token in a header named AccessToken.
curl --location --request GET 'https://localhost/api/products' \
--header 'AccessToken: <bearer_token>'
I am referencing the Microsoft.AspNetCore.Authentication.JwtBearer package (https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer/) in the API project and set up authentication like this:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options => Configuration.Bind("JwtSettings", options));
However, I can't find anything about the header name in the JwtBearerOptions class (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.jwtbeareroptions?view=aspnetcore-1.1).
How do I configure JWT authentication to read the JWT from a header named "AccessToken"? Is that possible with the Microsoft.AspNetCore.Authentication.JwtBearer package?
The solution seems to be to use the JwtBearerEvents class (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.jwtbearer.jwtbearerevents?view=aspnetcore-5.0). It has a delegate property named OnMessageReceived (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.jwtbearer.jwtbearerevents.onmessagereceived?view=aspnetcore-5.0#Microsoft_AspNetCore_Authentication_JwtBearer_JwtBearerEvents_OnMessageReceived) which is "invoked when a protocol message is first received". The delegate is passed an object of type MessageReceivedContext (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.jwtbearer.messagereceivedcontext?view=aspnetcore-5.0), which has a property named Token that, according to the documentation (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.jwtbearer.messagereceivedcontext?view=aspnetcore-5.0), "will give the application an opportunity to retrieve a token from an alternative location".
Create a class that inherits from JwtBearerEvents and, in the OnMessageReceived event, set the token on the context object to the value of the "AccessToken" header.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Primitives;

/// <summary>
/// Singleton class handler of events related to JWT authentication
/// </summary>
public class AuthEventsHandler : JwtBearerEvents
{
    private const string BearerPrefix = "Bearer ";

    // Private constructor: wire the OnMessageReceived delegate to our handler
    private AuthEventsHandler() => OnMessageReceived = MessageReceivedHandler;

    /// <summary>
    /// Gets single available instance of <see cref="AuthEventsHandler"/>
    /// </summary>
    public static AuthEventsHandler Instance { get; } = new AuthEventsHandler();

    private Task MessageReceivedHandler(MessageReceivedContext context)
    {
        // Look for the token in the custom "AccessToken" header instead of "Authorization"
        if (context.Request.Headers.TryGetValue("AccessToken", out StringValues headerValue))
        {
            string token = headerValue;
            // Strip an optional "Bearer " prefix so only the raw JWT is passed on to validation
            if (!string.IsNullOrEmpty(token) && token.StartsWith(BearerPrefix))
            {
                token = token.Substring(BearerPrefix.Length);
            }
            // Setting Token tells JwtBearerHandler to validate this value
            context.Token = token;
        }
        return Task.CompletedTask;
    }
}
Finally, add the events class to the JWT authentication in the Startup class.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
    {
        Configuration.Bind("JwtSettings", options);
        options.Events = AuthEventsHandler.Instance;
    });
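As an added example that is not part of the original answer: a complete Program.cs (.NET 6+ minimal hosting) that wires the same OnMessageReceived approach together with token validation, so the custom header is only ever the source of the token and never a bypass of validation. The issuer, audience, signing key and product data are constructed demo values; the header name and the "Bearer " prefix handling come from the answer above. It also makes two choices the answer leaves open: when the AccessToken header is absent it calls context.NoResult() so the request does not silently fall back to the standard Authorization header, and when the header is sent more than once it fails the request rather than guessing which copy to trust.

```csharp
// Added example (not the original answer's code): minimal-API Program.cs that
// authenticates requests using a JWT carried in a custom "AccessToken" header.
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package and .NET 6+.
// Issuer, audience and signing key are constructed demo values, not real settings.
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Primitives;
using Microsoft.IdentityModel.Tokens;

const string AccessTokenHeader = "AccessToken";
const string BearerPrefix = "Bearer ";

var builder = WebApplication.CreateBuilder(args);

// Constructed demo settings; a real project binds these from "JwtSettings"
// configuration and keeps the key out of source control.
var demoIssuer = "https://issuer.example";
var demoAudience = "products-api";
var demoKey = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production-0123456789"));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Validation is what protects the endpoint; the event below only decides
        // where the token is read from.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = demoIssuer,
            ValidateAudience = true,
            ValidAudience = demoAudience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = demoKey,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };

        options.Events = new JwtBearerEvents
        {
            OnMessageReceived = context =>
            {
                if (!context.Request.Headers.TryGetValue(AccessTokenHeader, out StringValues values))
                {
                    // No custom header: report "no result" so the handler does not fall
                    // back to the Authorization header. Drop this branch to accept both.
                    context.NoResult();
                    return Task.CompletedTask;
                }

                if (values.Count != 1)
                {
                    // Duplicate AccessToken headers are ambiguous; refuse instead of picking one.
                    context.Fail("Multiple AccessToken headers");
                    return Task.CompletedTask;
                }

                string token = values.ToString().Trim();
                if (token.StartsWith(BearerPrefix, StringComparison.OrdinalIgnoreCase))
                {
                    token = token.Substring(BearerPrefix.Length).Trim();
                }

                if (string.IsNullOrEmpty(token))
                {
                    // An empty Token would also trigger the Authorization fallback.
                    context.Fail("Empty AccessToken header");
                    return Task.CompletedTask;
                }

                context.Token = token;
                return Task.CompletedTask;
            },
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The endpoint from the question; responds 401 unless a valid AccessToken header is present.
app.MapGet("/api/products", (ClaimsPrincipal user) =>
        Results.Ok(new { products = new[] { "demo-product" }, subject = user.Identity?.Name }))
    .RequireAuthorization();

app.Run();
```

With this in place the curl command from the question (header AccessToken: <bearer_token>) is the only way to authenticate, and a request carrying the token in Authorization instead gets a 401, which is easy to verify with two curl calls against the running app.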