When issuer and audience are enabled in a JWT token, should that block the use of tokens from any other URL? Or are they just part of the token?


I set the issuer and the audience to random values, but as long as the issuer and audience are the same in both the token definition and the token generation, I can still call the API from Postman.

Shouldn't authentication check the request URL and compare it with the audience I set?

Here is the token definition:

// Program.cs: registers JWT bearer authentication and tells the middleware which
// signing key, issuer and audience an incoming token must carry.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

builder.Services.AddAuthentication(x => {
    x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options => {
    options.TokenValidationParameters = new TokenValidationParameters {
        // HMAC key shared with the token generator
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!)),
        // The "iss" and "aud" claims inside the token must equal these strings
        ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidAudience = builder.Configuration["Jwt:Audience"],
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
    };
    options.Events = new JwtBearerEvents {
        OnAuthenticationFailed = context => {
            // Let the client tell an expired token apart from an otherwise invalid one
            if (context.Exception is SecurityTokenExpiredException) {
                context.Response.Headers.Append("IS-TOKEN-EXPIRED", "true");
            }
            return Task.CompletedTask;
        }
    };
});

This is the part that generates the token:

// Token service method. `iconfiguration` is the injected IConfiguration.
// Requires: using System.IdentityModel.Tokens.Jwt; using System.Security.Claims;
//           using System.Text; using Microsoft.IdentityModel.Tokens;
public Token? GenerateToken(string email) {
    try {
        var tokenHandler = new JwtSecurityTokenHandler();
        var tokenKey = Encoding.UTF8.GetBytes(iconfiguration["JWT:Key"]!);
        var tokenDescriptor = new SecurityTokenDescriptor {
            Subject = new ClaimsIdentity(new Claim[] {
                new Claim(ClaimTypes.Email, email),
            }),
            // UTC so the "exp" claim does not depend on the server's time zone
            Expires = DateTime.UtcNow.AddDays(1),
            // Written into the token as the "iss" and "aud" claims
            Issuer = iconfiguration["JWT:Issuer"],
            Audience = iconfiguration["JWT:Audience"],
            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(tokenKey), SecurityAlgorithms.HmacSha256Signature)
        };
        var token = tokenHandler.CreateToken(tokenDescriptor);

        return new Token { Access_Token = tokenHandler.WriteToken(token) };
    } catch (Exception) {
        return null;
    }
}

I have tried several different frameworks, .NET and Node.

.net authentication jwt token bearer-token
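The behaviour described in the question is by design: `iss` and `aud` are claims inside the token, and ValidateIssuer/ValidateAudience compare those claims with the configured ValidIssuer/ValidAudience strings. The URL the request arrived on is never consulted; a token is rejected only if its claims, signature or lifetime fail those checks. The following added Python example (not code from the question, and not the .NET or Node libraries themselves) re-implements HS256 signing plus the issuer, audience, lifetime and signature checks so that this can be exercised directly. The key, issuer and audience values are constructed for the demo.

```python
"""Minimal HS256 JWT mint/verify pair that mirrors what ValidateIssuer,
ValidateAudience, ValidateLifetime and ValidateIssuerSigningKey check.
Added example; the secret, issuer and audience below are constructed values."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for Jwt:Key, Jwt:Issuer and Jwt:Audience in configuration.
SECRET = b"constructed-demo-key-at-least-32-bytes-long!!"
ISSUER = "my-api"
AUDIENCE = "my-spa-frontend"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(email, key=SECRET, issuer=ISSUER, audience=AUDIENCE, ttl=86400, now=None):
    """Build a compact JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"email": email, "iss": issuer, "aud": audience, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, request_url, key=SECRET, valid_issuer=ISSUER,
                   valid_audience=AUDIENCE, now=None):
    """Return (ok, reason). request_url is accepted only to make the point
    explicit: it is never used, exactly as in the bearer middleware."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        signature = _b64url_decode(s)
    except ValueError:
        return False, "malformed"
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # ValidateIssuerSigningKey: recompute the MAC with the configured key.
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # ValidateIssuer / ValidateAudience: exact string comparison against config.
    if claims.get("iss") != valid_issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if valid_audience not in audiences:
        return False, "audience mismatch"
    # ValidateLifetime: "exp" is compared with the clock, not with the request.
    if now >= int(claims.get("exp", 0)):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t = mint_token("alice@example.com")
    for url in ("https://localhost:5001/api/orders", "https://other-host.example/x"):
        print(url, validate_token(t, url))
    print("other audience", validate_token(mint_token("a@b", audience="billing"), "x"))
```

Both calls with the same token succeed whatever URL is passed, while a token minted for a different audience, a different issuer, a different key, or an expired lifetime is rejected. The same model applies in Node: jsonwebtoken's `jwt.verify(token, key, { issuer, audience })` compares the claims with the option strings and knows nothing about the incoming request. If a token must be scoped to one service, that service needs its own audience value (and ideally its own key) rather than a URL check.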