我有两个不同的jwt身份验证令牌,它们来自我的api接受的两个不同的提供程序,设置为:
services.AddAuthentication()
.AddJwtBearer("auth provider1", options =>
{
options.Audience = authSettings.Audience1;
options.Authority = authSettings.Authority1;
options.ClaimsIssuer = authSettings.Issuer1;
})
.AddJwtBearer("auth provider2", options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ClockSkew = TimeSpan.FromMinutes(5),
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(authSettings.SymmetricKey)),
RequireSignedTokens = true,
RequireExpirationTime = true,
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = authSettings.Audience2,
ValidateIssuer = true,
ValidIssuer = authSettings.Issuer2
};
});
这些身份验证提供程序可以访问不同的API,因此当访问令牌尝试访问API时,我将抛出403。我通过以下策略设置来完成此操作
services.AddAuthorization(options =>
{
// Blocks auth provider 2 tokens by returning 403 because it does not have claim only present in tokens from auth provider 1
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireClaim(Constants.CLAIM_ONLY_IN_AUTH_1)
.AddAuthenticationSchemes("auth provider1", "auth provider2")
.Build();
// Accepts both auth provider tokens
options.AddPolicy("accept both auth1 and auth2 policy", new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("auth provider1", "auth provider2")
.Build());
});
当我使用这些策略中的任何一个时,我都遇到以下异常,因为我相信管道会尝试验证在两种身份验证方案中传递的身份验证令牌。
IDX10501:签名验证失败。无法匹配“孩子”:
该异常不会冒泡并终止请求,它只会给我的日志记录增加很多噪音,有人在一个策略上使用多种身份验证方案时会遇到此异常吗?
有时用户已经通过身份验证,但是来自一个提供程序的错误阻止了正确的响应
if (arg.HttpContext.User.Identity.IsAuthenticated)
{
return Task.CompletedTask;
}
如果在对两个jwt提供程序进行身份验证时遇到问题,都可以在此处尝试其他解决方案:.net core 2.2 multiple bearer token authentication schemes