我正在使用 AspNet Core 构建 Web api 和 JWT 令牌来对用户进行身份验证。
我可以在
TokenValidationParameters
中在哪里指定令牌中的 alg
应与 HS256 匹配(并且永远不匹配 none
)?
services
.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(cfg =>
{
cfg.RequireHttpsMetadata = false;
cfg.SaveToken = true;
string jwtIssuer = configuration["JwtIssuer"];
SymmetricSecurityKey securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JwtKey"]));
cfg.TokenValidationParameters = new TokenValidationParameters
{
ValidIssuer = jwtIssuer,
ValidAudience = jwtIssuer,
ValidateIssuerSigningKey = true,
IssuerSigningKey = securityKey,
ClockSkew = TimeSpan.Zero
};
});
默认情况下,库是否拒绝将
alg
设置为 none
的传入令牌?
我错误地设置了:
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuerSigningKey = true,
ValidIssuer = jwtSettings.Issuer,
ValidAudiences = jwtSettings.Audiences,
IssuerSigningKey = SymmetricSecurityKey,
ValidAlgorithms = new string[] { SecurityAlgorithms.HmacSha256Signature },
NameClaimType = ClaimTypes.Name
};
删除 ValidAlgorithms 配置选项后,问题就解决了。