I defined the issuer and audience as random values, but as long as the issuer and audience are the same in both the token definition and the token generation, I can still call the API from Postman.
Shouldn't authentication check the request URL and compare it with the audience I configured?
Here is the token definition:

```csharp
builder.Services.AddAuthentication(x => {
    x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options => {
    options.TokenValidationParameters = new TokenValidationParameters {
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"])),
        ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidAudience = builder.Configuration["Jwt:Audience"],
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
    };
    options.Events = new JwtBearerEvents {
        OnAuthenticationFailed = context => {
            // Signal an expired token to the client via a response header
            if (context.Exception.GetType() == typeof(SecurityTokenExpiredException)) {
                context.Response.Headers.Add("IS-TOKEN-EXPIRED", "true");
            }
            return Task.CompletedTask;
        }
    };
});
```
This is the part that generates the token:

```csharp
public Token? GenerateToken(string email) {
    try {
        var tokenHandler = new JwtSecurityTokenHandler();
        var tokenKey = Encoding.UTF8.GetBytes(iconfiguration["JWT:Key"]!);
        var tokenDescriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new Claim[]
            {
                new Claim(ClaimTypes.Email, email),
            }),
            Expires = DateTime.Now.AddDays(1),
            Issuer = iconfiguration["JWT:Issuer"],
            Audience = iconfiguration["JWT:Audience"],
            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(tokenKey), SecurityAlgorithms.HmacSha256Signature)
        };
        var token = tokenHandler.CreateToken(tokenDescriptor);
        return new Token { Access_Token = tokenHandler.WriteToken(token) };
    } catch (Exception) {
        return null;
    }
}
```
I tried a few different frameworks, .NET and Node.
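The behaviour described in the question is what JWT bearer validation is specified to do: `ValidateAudience` compares the token's `aud` claim with `ValidAudience`, and `ValidateIssuer` compares the `iss` claim with `ValidIssuer`; neither of them ever looks at the request URL. The values only need to be stable secrets of the deployment, not derived from the URL. The following console program is an added example, not code from the question, and it uses the same `JwtSecurityTokenHandler` and `TokenValidationParameters` types as the question's code (NuGet package `System.IdentityModel.Tokens.Jwt`). The key string and the issuer/audience values are constructed for the demo; the `aud` mismatch case shows what the middleware rejects.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class AudienceCheckDemo
{
    // Constructed demo key (assumption, not from the question). HS256 keys must be
    // at least 32 bytes; in production load it from configuration and keep it secret.
    const string Key = "demo-key-for-illustration-only-0123456789";

    // Mints a token the same way the question's GenerateToken does, with a
    // caller-chosen issuer and audience so the two cases below can differ.
    static string CreateToken(string issuer, string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Email, "user@example.com") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            Issuer = issuer,
            Audience = audience,
            SigningCredentials = new SigningCredentials(
                new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Key)),
                SecurityAlgorithms.HmacSha256Signature)
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Applies the same TokenValidationParameters the JwtBearer middleware uses.
    // Note that nothing here receives a request URL: only the token's own
    // "iss" and "aud" claims are compared with the expected values.
    static bool Validate(string jwt, string expectedIssuer, string expectedAudience)
    {
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Key)),
            ValidIssuer = expectedIssuer,
            ValidAudience = expectedAudience,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenException ex)
        {
            // SecurityTokenInvalidAudienceException / SecurityTokenInvalidIssuerException
            // are what the middleware surfaces in OnAuthenticationFailed for a mismatch.
            Console.WriteLine($"rejected: {ex.GetType().Name}");
            return false;
        }
    }

    static void Main()
    {
        // Case 1: arbitrary-looking issuer/audience, identical on both sides.
        // The token is accepted; the values themselves carry no meaning.
        var token = CreateToken("some-random-issuer", "some-random-audience");
        Console.WriteLine($"same audience on both sides: {Validate(token, "some-random-issuer", "some-random-audience")}");

        // Case 2: a token minted for a different API. The signature is valid,
        // but the "aud" claim does not match, so validation rejects it.
        var other = CreateToken("some-random-issuer", "another-api");
        Console.WriteLine($"token for another audience: {Validate(other, "some-random-issuer", "some-random-audience")}");
    }
}
```

Run it with `dotnet run` in a console project that references `System.IdentityModel.Tokens.Jwt`. The point of the audience check is to stop a token issued for one service from being replayed against another service that shares the signing key; if you want the server's host name to be the audience, you have to set `ValidAudience` to that host name yourself, it is not inferred from the incoming request.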