I am running a Web API on .NET Core 2.1 and I need to validate the JWT token carried in the incoming request. The token is generated by an OAuth 2 IdP and inserted by my client into its requests to the Web API. The OpenID configuration I can get from Cognito is as follows:
{
"authorization_endpoint": "https://xxx.xxx.xxx.amazoncognito.com/oauth2/authorize",
"id_token_signing_alg_values_supported": ["RS256"],
"issuer": "https://cognito-idp.eu-west-1.amazonaws.com/xxx",
"jwks_uri": "https://cognito-idp.eu-west-1.amazonaws.com/xxxxxx/.well-known/jwks.json",
"response_types_supported": ["code", "token", "token id_token"],
"scopes_supported": ["openid", "email", "phone", "profile"],
"subject_types_supported": ["public"],
"token_endpoint": "https://xxxxxxx.auth.eu-west-1.amazoncognito.com/oauth2/token",
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
"userinfo_endpoint": "https://xxxxxxxx.auth.eu-west-1.amazoncognito.com/oauth2/userInfo"
}
I would like to use the "standard" .NET Core Web API way of handling this, implemented in startup.cs:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
// Clock skew compensates for server time drift.
// We recommend 5 minutes or less:
ClockSkew = TimeSpan.FromMinutes(5),
// Specify the key used to sign the token:
IssuerSigningKey = signingKey,
RequireSignedTokens = true,
// Ensure the token hasn't expired:
RequireExpirationTime = true,
ValidateLifetime = true,
// Ensure the token audience matches our audience value (default true):
ValidateAudience = true,
ValidAudience = "api://default",
// Ensure the token was issued by a trusted authorization server (default true):
ValidateIssuer = true,
ValidIssuer = "???????"
};
});
How do I use/match the Cognito parameters in the Web API token validation parameters? In particular, how do I load IssuerSigningKey, ValidIssuer and ValidAudience?
Basically, I solved the token signature validation check by inserting the following into the "ConfigureServices" method of "Startup.cs":
...
IConfigurationManager<OpenIdConnectConfiguration> configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>("*PutHereCognitoOpenIdWellKnownConfigurationURL*", new OpenIdConnectConfigurationRetriever());
Task<OpenIdConnectConfiguration> t = configurationManager.GetConfigurationAsync(CancellationToken.None);
t.Wait();
OpenIdConnectConfiguration openIdConfig = t.Result;
...
The previous statements give me the IssuerSigningKeys, so I also inserted the following:
...
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
RequireExpirationTime = true,
RequireSignedTokens = true,
ValidateAudience = false,
ValidateIssuer = false,
ValidateLifetime = false,
IssuerSigningKeys = openIdConfig.SigningKeys
};
});
...
Then I called "app.UseAuthentication();" in the Configure method. Finally, I decorated each Web API method involved with [Authorize].
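A variant of the answer's setup, added here as an example and not the poster's code: it keeps the same ConfigurationManager, but takes ValidIssuer from the discovery document's "issuer", resolves signing keys per token from the cached JWKS, and leaves lifetime and audience validation switched on. MetadataUrl and AppClientId are assumed placeholders to be filled from your Cognito user pool.

```csharp
using System;
using System.Threading;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class CognitoJwtSetup
{
    // Placeholders (assumed): the pool's discovery URL and the app client id
    // that Cognito places in the ID token's "aud" claim.
    private const string MetadataUrl =
        "https://cognito-idp.eu-west-1.amazonaws.com/<user-pool-id>/.well-known/openid-configuration";
    private const string AppClientId = "<cognito-app-client-id>";

    public static void ConfigureJwtBearer(IServiceCollection services)
    {
        // Same retriever as in the answer, kept alive for the whole app so it
        // caches the discovery document and refreshes the JWKS when keys rotate.
        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            MetadataUrl, new OpenIdConnectConfigurationRetriever());

        // Fetch once at startup to learn the issuer, as the answer does.
        var openIdConfig = configurationManager
            .GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    RequireSignedTokens = true,
                    RequireExpirationTime = true,
                    ValidateLifetime = true,            // reject expired tokens
                    ClockSkew = TimeSpan.FromMinutes(5),
                    ValidateIssuer = true,
                    ValidIssuer = openIdConfig.Issuer,  // "issuer" from the discovery document
                    ValidateAudience = true,
                    ValidAudience = AppClientId,
                    // Resolve the key by "kid" from the cached JWKS on every token,
                    // so a key rotated after startup still validates.
                    IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                        configurationManager.GetConfigurationAsync(CancellationToken.None)
                                            .GetAwaiter().GetResult().SigningKeys
                };
            });
    }
}
```

Cognito ID tokens carry the app client id in "aud", while Cognito access tokens carry it in "client_id" and have no "aud" claim, so the audience check above applies to ID tokens; for access tokens, check "client_id" and "token_use" instead.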