我正在使用基于 cookie 的身份验证制作 webapp。我有登录屏幕,后端发送 cookie,然后浏览器随每个请求发送 cookie。
但是当我尝试到达安全端点(有或没有 cookie)而不是未经授权或 OK 时,服务器返回内部服务器错误并出现此异常:
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions).
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
我的 cookie 身份验证配置如下所示:
builder.Services.ConfigureApplicationCookie(options =>
{
options.Cookie.Name = "Testcookie";
options.Cookie.HttpOnly = true;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.Cookie.SameSite = SameSiteMode.Lax;
options.Cookie.Domain = "localhost";
options.SlidingExpiration = true;
options.ExpireTimeSpan = TimeSpan.FromMinutes(55);
options.Cookie.IsEssential = true;
});
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});
当我将 cookie 配置更改为:
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
});
端点在发送 cookie 时开始工作,但在没有 cookie 的情况下尝试到达端点时出现相同的 500 错误和相同的消息。
当配置看起来像这样:
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});
我一直有500个
当我从 Postman 或 Angular 拨打电话时,结果相同。
我完全不明白发生了什么,为什么我没有从服务器获得未经授权?这个配置应该是什么样子,我做错了什么?