【问题标题】:Authentication always using an old token value始终使用旧令牌值进行身份验证
【发布时间】:2022-01-07 20:47:24
【问题描述】:

我有一个不知道如何解决的问题。我的项目有一个微服务模型(基于Volo ABP Microservice Demo),我有一个包含所有检索数据方法的 API,一个充当我所有项目的授权机构的 AuthServer,以及一个转换请求的网关。

这就是我在 Gateway 项目中配置身份验证的方式:

public override void ConfigureServices(ServiceConfigurationContext context)
{
    IdentityModelEventSource.ShowPII = true;
    var configuration = context.Services.GetConfiguration();

    Configure<AbpMultiTenancyOptions>(options =>
    {
        options.IsEnabled = SidesysMicroservicesConsts.IsMultiTenancyEnabled;
    });

    context.Services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = configuration["AuthServer:Authority"];
            options.ApiName = configuration["AuthServer:ApiName"];
            options.RequireHttpsMetadata = false;
        });

    context.Services.AddSwaggerGen(options =>
    {
        options.SwaggerDoc("v1", new OpenApiInfo { Title = "VirtualSpace Gateway API", Version = "v1" });
        options.DocInclusionPredicate((docName, description) => true);
        options.CustomSchemaIds(type => type.FullName);
    });

    context.Services.AddOcelot(context.Services.GetConfiguration());

    Configure<AbpDbContextOptions>(options =>
    {
        options.UseSqlServer();
    });

    context.Services.AddCors(options =>
    {
        options.AddPolicy(DefaultCorsPolicyName, builder =>
        {
            builder
                .WithOrigins(
                    configuration["App:CorsOrigins"]
                        .Split(",", StringSplitOptions.RemoveEmptyEntries)
                        .Select(o => o.RemovePostFix("/"))
                        .ToArray()
                )
                .WithAbpExposedHeaders()
                .SetIsOriginAllowedToAllowWildcardSubdomains()
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials();
        });
    });

    //context.Services.AddStackExchangeRedisCache(options =>
    //{
    //    options.Configuration = configuration["Redis:Configuration"];
    //});

    //var redis = ConnectionMultiplexer.Connect(configuration["Redis:Configuration"]);
    //context.Services.AddDataProtection()
    //    .PersistKeysToStackExchangeRedis(redis, "MsDemo-DataProtection-Keys");
}

我的数据库中有角色和不同的用户,因此为了检索令牌,我使用来自 AuthServer 的/connect/token URL 和相应的角色,为此,我使用 Postman 和相应的标头。一旦我检索到我需要的令牌,我将使用 Postman 和来自 Gateway 的相应 URL(我的网关在端口 44377 上运行)以及相应的“Authorization”标头及其令牌值和“Bearer”身份验证方案,这个请求将URL转换为他们相应的API(它在端口44320上运行)我需要做的URL请求,例如http://localhost:44377/api/virtualspaceattention/GetSourceUsers,它将被转换为http://localhost:44320//api/virtualspaceattention/VirtualSpaceAttention/GetSourceUsers

这里的问题是,无论我使用什么令牌,每次我得到相同的日志错误:

Request starting HTTP/1.1 GET http://localhost:44377/api/virtualspaceattention/GetSoruceUsers - -
2022-01-07 17:00:47.928 -03:00 [INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key: 
kid: 'C99C917C5E43906FE6A88DDF28E73628'.
Exceptions caught:
 ''. 
token: '{"alg":"RS256","kid":"C99C917C5E43906FE6A88DDF28E73628","typ":"at+jwt"}.{"nbf":1640913147,"exp":1672449147,"iss":"http://localhost/authserver","aud":["VirtualSpace","VirtualSpaceGateway"],"client_id":"virtualSpace","iat":1640913147,"scope":["VirtualSpace","VirtualSpaceGateway"]}'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
2022-01-07 17:00:48.025 -03:00 [INF] Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match key: 
kid: 'C99C917C5E43906FE6A88DDF28E73628'.
Exceptions caught:
 ''. 
token: '{"alg":"RS256","kid":"C99C917C5E43906FE6A88DDF28E73628","typ":"at+jwt"}.{"nbf":1640913147,"exp":1672449147,"iss":"http://localhost/authserver","aud":["VirtualSpace","VirtualSpaceGateway"],"client_id":"virtualSpace","iat":1640913147,"scope":["VirtualSpace","VirtualSpaceGateway"]}'.

我比较了通过/connect/token URL 检索到的令牌,与请求当前使用的令牌不同。我使用JWT website 检查了它的属性,它似乎使用了一个缓存在某处的令牌,但我不知道它在哪里处理它。

我将在此处粘贴 JWT website 中的值以进行比较:

{
  "alg": "RS256",
  "kid": "1C700F5BA873DCA75C9CEC6B36118026",
  "typ": "at+jwt"
}
{
  "nbf": 1641586212,
  "exp": 1673122212,
  "iss": "http://localhost:44399",
  "aud": [
    "VirtualSpace",
    "VirtualSpaceGateway"
  ],
  "client_id": "virtualSpace",
  "sub": "87861a01-4486-17b8-c6d6-3a01476f3851",
  "auth_time": 1641586212,
  "idp": "local",
  "tenantid": "0a1ea190-866c-3522-010e-3a014784d83d",
  "operator_description": "Operador 1",
  "role": "operator",
  "email": "operator.one@sidesys.com",
  "email_verified": "False",
  "name": "operatorOne",
  "iat": 1641586212,
  "scope": [
    "VirtualSpace",
    "VirtualSpaceGateway"
  ],
  "amr": [
    "pwd"
  ]
}

我发现比较令牌的两件事:

  • “iss”:“http://localhost:44399”和“iss”:“http://localhost/authserver”,这些值是不同的。我曾经通过 IIS 运行我的 AuthServer,但现在我不再这样做了。
  • “孩子”:“1C700F5BA873DCA75C9CEC6B36118026”和“孩子”:“C99C917C5E43906FE6A88DDF28E73628”。这些肯定不一样。同样,这个旧令牌似乎存储在某个地方。

任何建议将不胜感激。 TIA。

【问题讨论】:

    标签: authentication postman identityserver4 abp


    【解决方案1】:

    问题出在浏览器上。即使您选择了Disable cache 选项,谷歌浏览器似乎也将token 存储在Application 选项卡中。即使你强制页面清空缓存并强制重新加载,token 也会保留在那里。

    Application 选项卡中,您需要清理Storage 部分下的所有内容才能解决此问题。老实说是一场噩梦,在我意识到这一点之前,我几乎浪费了一整天的时间来想出一个解决方案。

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2014-09-26
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2014-02-11
      • 2012-12-23
      相关资源
      最近更新 更多