【问题标题】：Authorization Bearer token not being sent in request using Swagger in Asp.Net Core在 Asp.Net Core 中使用 Swagger 在请求中未发送授权承载令牌
【发布时间】：2020-09-17 02:05:58
【问题描述】：

我正在使用 Swagger 在 Asp.Net Core 应用程序中测试我的 API。我通过输入像这样Authorization: Bearer {token} 这样的令牌来发送请求。但授权标头未在请求中发送。

Asp.Net Core 3.1 版和 Swashbuckle.AspNetCore 5.4.1

Startup.cs 代码：

public class Startup
{
    private const string _apiVersion = "v1";
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ClockSkew = TimeSpan.FromMinutes(0),
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = Configuration["Jwt:Issuer"],
                    ValidAudience = Configuration["Jwt:Issuer"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
                };
            });


        services.AddSwaggerGen(options =>
        {
            options.SwaggerDoc("v1", new OpenApiInfo
            {
                Version = "v1",
                Title = "MyProject API",
                Description = "MyProject"
            });
            options.DocInclusionPredicate((docName, description) => true);

            // Define the BearerAuth scheme that's in use
            options.AddSecurityDefinition("bearerAuth", new OpenApiSecurityScheme()
            {
                Description = "JWT Authorization header using the Bearer scheme. Example: \"Authorization: Bearer {token}\"",
                Name = "Authorization",
                In = ParameterLocation.Header,
                Type = SecuritySchemeType.ApiKey
            });
        });

    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
    {
        app.UseAuthentication();
        loggerFactory.AddLog4Net();

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();

        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });

        // Enable middleware to serve generated Swagger as a JSON endpoint
        app.UseSwagger(c => { c.RouteTemplate = "swagger/{documentName}/swagger.json"; });

        // Enable middleware to serve swagger-ui assets (HTML, JS, CSS etc.)
        app.UseSwaggerUI(options =>
        {
            // specifying the Swagger JSON endpoint.
            options.SwaggerEndpoint($"/swagger/{_apiVersion}/swagger.json", $"MyProject API {_apiVersion}");
            //options.IndexStream = () => Assembly.GetExecutingAssembly()
            //    .GetManifestResourceStream("MyProject.Web.Host.wwwroot.swagger.ui.index.html");
            options.DisplayRequestDuration(); // Controls the display of the request duration (in milliseconds) for "Try it out" requests.  
        }); // URL: /swagger
    }
}

【问题讨论】：

捕获http请求时，是否有Authorization项？
@hina10531 不，它不存在

标签： c# asp.net-core swagger swagger-ui swashbuckle

【解决方案1】：

罪魁祸首

配置看起来不错。您定义的身份验证名称似乎是罪魁祸首。

services.AddSwaggerGen(options =>
    {
        options.SwaggerDoc("v1", new OpenApiInfo
        {
            Version = "v1",
            Title = "MyProject API",
            Description = "MyProject"
        });
        options.DocInclusionPredicate((docName, description) => true);


        // options.AddSecurityDefinition("bearerAuth", new OpenApiSecurityScheme()
                             // "bearerAuth" -> "oauth2"
        options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme()
        {
            Description = "JWT Authorization header using the Bearer scheme. Example: \"Authorization: Bearer {token}\"",
            Name = "Authorization",
            In = ParameterLocation.Header,
            Type = SecuritySchemeType.ApiKey
        });

        // Add this filter as well.
        options.OperationFilter<SecurityRequirementsOperationFilter>();
    });

除非您手动将securitySchemaName 传递给构造函数，否则您必须将定义名称用作"oauth2"。事实上，SecurityRequirementsOperationFilter 默认使用标准名称。只需查看securitySchemaName 的默认值即可。

public SecurityRequirementsOperationFilter(bool includeUnauthorizedAndForbiddenResponses = true, string securitySchemaName = "oauth2")
{
    Func<IEnumerable<AuthorizeAttribute>, IEnumerable<string>> policySelector = (IEnumerable<AuthorizeAttribute> authAttributes) => authAttributes.Where((Func<AuthorizeAttribute, bool>)((AuthorizeAttribute a) => !string.IsNullOrEmpty(a.Policy))).Select((Func<AuthorizeAttribute, string>)((AuthorizeAttribute a) => a.Policy));
    filter = new SecurityRequirementsOperationFilter<AuthorizeAttribute>(policySelector, includeUnauthorizedAndForbiddenResponses, securitySchemaName);
}

它在我的环境中运行良好。请尝试使用此配置，请不要忘记添加过滤选项。

【讨论】：

【解决方案2】：

您需要在 Swagger UI 中手动添加授权标头。 API 配置需要包含端点的 BearerAuth 架构，如规范 https://swagger.io/docs/specification/authentication/ 中所述。

OpenAPI 使用术语安全方案进行身份验证和授权方案。 OpenAPI 3.0 让您描述受保护的 API 使用以下安全方案： HTTP 身份验证方案（它们使用授权标头）、标头中的 API 密钥、查询字符串或 cookie Cookie 身份验证、OAuth 2、OpenID 连接发现

这是通过AddSecurityDefinition 完成的，但您缺少AddSecurityRequirement，它表示这是端点的要求，并且它在UI 中呈现，正如answer 中所述。 here 也是一个自动添加标题的选项。

【讨论】：

我已添加此代码，但仍未发送自动化标头 options.AddSecurityRequirement(new OpenApiSecurityRequirement() { { new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }, Scheme = "oauth2", Name = "Bearer", In = ParameterLocation.Header, }, new List() } });
也许试试自动版？这个问题应该对stackoverflow.com/questions/38784537/…有帮助。