UseJwtBearerAuthentication 在令牌到期时返回 HTTP 500

Question

我正在使用这样的 UseJwtBearerAuthentication

app.UseJwtBearerAuthentication(options =>
{
   options.Authority = Configuration["Urls:IdentityServer"];
   options.RequireHttpsMetadata = false;

   options.Audience = Configuration["Urls:IdentityServer"] + "/resources";
   options.AutomaticAuthenticate = true;
   options.Events = new JwtBearerEvents
   {
        OnAuthenticationFailed = context =>
        {
          context.HandleResponse();   
          return Task.FromResult(0);
        }
   }; 
});

在 Visual Studio 的诊断窗口中，我看到以下 2 个异常：

System.IdentityModel.Tokens.dll 中的 System.IdentityModel.Tokens.SecurityTokenExpiredException'（“IDX10223：生命周期验证失败。令牌已过期。

下线

抛出异常：Microsoft.AspNet.Authentication.dll 中的“System.ArgumentNullException”（“值不能为空。”）

如何返回 HTTP 401 Unauthorized？

Answer 1

这是一个known bug。可悲的是，the workaround you could use in beta8 不再有效 in RC1。

您唯一的选择是编写一个捕获异常的中间件，以防止服务器返回 500 响应。当然，它很丑陋并且可能会隐藏重要的异常，但它是唯一适用于 RC1 的已知解决方法。

这是一个例子：

app.Use(next => async context =>
{
    try
    {
        await next(context);
    }

    catch
    {
        // If the headers have already been sent, you can't replace the status code.
        // In this case, re-throw the exception to close the connection.
        if (context.Response.HasStarted)
        {
            throw;
        }

        // Rethrow the exception if it was not caused by IdentityModel.
        if (!context.Items.ContainsKey("jwt-workaround"))
        {
            throw;
        }

        context.Response.StatusCode = 401;
    }
});

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    RequireHttpsMetadata = false,

    Audience = "http://localhost:54540/",
    Authority = "http://localhost:54540/",

    Events = new JwtBearerEvents
    {
        OnAuthenticationFailed = context =>
        {
            context.HttpContext.Items["jwt-workaround"] = null;

            return Task.FromResult(0);
        }
    };
});