Auth0 OWIN API在通过AWS EC2上的Docker Container发布时不validationJWT令牌
我在EC2上托pipe的OWIN Web.API 2不会授权JWT令牌。 我已经在本地testing了这个function,但是一旦我把它发布到托pipe在EC2上的Docker容器上,它就会回应一个401.我正在使用默认的RS256algorithm和这些设置:
var domain = Environment.GetEnvironmentVariable("AUTH0_DOMAIN"); var audience = Environment.GetEnvironmentVariable("AUTH0_CLIENT_IDS"); var keyResolver = new OpenIdConnectSigningKeyResolver(domain); appBuilder.UseJwtBearerAuthentication( new JwtBearerAuthenticationOptions { AuthenticationMode = AuthenticationMode.Active, AllowedAudiences = new[] { audience }, TokenValidationParameters = new TokenValidationParameters() { ValidAudience = audience, ValidIssuer = domain, IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier) } }); 我的端点只是说明你的身份validation与否。
[Authorize] [Route("secure")] public HttpResponseMessage GetSecured() { var userId = ClaimsPrincipal.Current.Identity.GetUserId(); return Request.CreateResponse($"Hello, {userId}! You are currently authenticated."); }
这是我的启动configuration:
public void Configuration(IAppBuilder appBuilder) { appBuilder.UseCors(CorsOptions.AllowAll); //must be first Auth0Config.Register(appBuilder); var httpConfiguration = new HttpConfiguration(); httpConfiguration.MapHttpAttributeRoutes(); UnityConfig.Register(httpConfiguration); appBuilder.UseWebApi(httpConfiguration); }
我不再使用OWINpipe道,但从以前的项目,这是我如何configuration。 看起来你正在使用OpenID,我没有。 不知道这是否有帮助。
var issuer = AppSettings.Auth0Domain; var audience = AppSettings.Auth0ClientID; var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["Auth0ClientSecret"]); app.UseJwtBearerAuthentication( new JwtBearerAuthenticationOptions { AuthenticationMode = AuthenticationMode.Active, AllowedAudiences = new[] {audience}, IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) }, Provider = new Auth0AuthenticationProvider() });
编辑添加了Auth0AuthenticationProvider
public class Auth0AuthenticationProvider : IOAuthBearerAuthenticationProvider { private string token; public Task ApplyChallenge(OAuthChallengeContext context) { return Task.FromResult<object>(null); } public Task RequestToken(OAuthRequestTokenContext context) { token = context.Token; return Task.FromResult<object>(null); } public Task ValidateIdentity(OAuthValidateIdentityContext context) { if (string.IsNullOrEmpty(token)) return Task.FromResult<object>(null); var notPadded = token.Split('.')[1]; var padded = notPadded.PadRight(notPadded.Length + (4 - notPadded.Length % 4) % 4, '='); var urlUnescaped = padded.Replace('-', '+').Replace('_', '/'); var claimsPart = Convert.FromBase64String(urlUnescaped); var obj = JObject.Parse(Encoding.UTF8.GetString(claimsPart, 0, claimsPart.Length)); // simple, not handling specific types, arrays, etc. foreach (var prop in obj.Properties().AsJEnumerable()) { switch (prop.Name) { case "app_metadata": SetAppMetadataClaims(context, prop.Value.ToString()); break; } } return Task.FromResult<object>(null); } private static void SetAppMetadataClaims(OAuthValidateIdentityContext context, string jsonString) { var appMetadata = JsonConvert.DeserializeObject<Auth0AppMetaDataModel>(jsonString); if(!context.Ticket.Identity.HasClaim("AccountId", appMetadata.accountId.ToString())) context.Ticket.Identity.AddClaim(new Claim("AccountId", appMetadata.accountId.ToString())); if (!context.Ticket.Identity.HasClaim("ClientId", appMetadata.clientId.ToString())) context.Ticket.Identity.AddClaim(new Claim("ClientId", appMetadata.clientId.ToString())); if (!context.Ticket.Identity.HasClaim("IsActive", appMetadata.isActive.ToString())) context.Ticket.Identity.AddClaim(new Claim("IsActive", appMetadata.isActive.ToString())); if (appMetadata.roles == null) return; foreach (var role in appMetadata.roles) { if (context.Ticket.Identity.HasClaim(ClaimTypes.Role, role)) continue; context.Ticket.Identity.AddClaim(new Claim(ClaimTypes.Role, role)); } } }
问题不在于使用HS256或RS256的Auth0,而是使用我所使用的基本映像。 莫诺默默无闻地阻止了我的令牌的validation。 我已经切换到dotnet核心,以便使用docker镜像:microsoft / dotnet:latest
我的启动文件现在看起来像这样:
public void ConfigureServices(IServiceCollection services) { services.AddCors(options => { options.AddPolicy("CorsPolicy", builder => builder.AllowAnyOrigin() .AllowAnyMethod() .AllowAnyHeader() .AllowCredentials()); }); ... } public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { app.UseCors("CorsPolicy"); var options = new JwtBearerOptions { Audience = Configuration["Auth0:ApiIdentifier"], Authority = $"https://{Configuration["Auth0:Domain"]}/" }; app.UseJwtBearerAuthentication(options); ... }
- 多Docker Elastic Beanstalk:上传.ebextensions
- Docker Compose:将不同的服务从docker-compose.yml部署到不同的主机集
- Kubernetes是否均匀分布在ec2集群中?
- Docker Scrapinghub /飞溅与139退出
- 使用docker在WSO2 APIpipe理器集群中设置AWS hazelcast集群
- 在ec2-server上运行应用程序和在ec2-server的docker上运行应用程序有什么区别?
- Elastic Beanstalk上的Docker连接到上游时connect()失败(111:连接被拒绝)
- 如何将文件从主机装载到ECS上的Docker容器
- 在新的EC2 Jenkins Slave上首次执行Docker不起作用