我正在尝试配置
使用LinkedIn Auth2登录,并根据我从LinkedIn检索到的信息设置JWT令牌。但是,我遇到了两个问题:
-
-
一旦我设置了JWT令牌,并调用任何其他端点,我就会得到401“Unauthorized”。
在
在里面
配置服务
services.AddAuthentication(option =>
{
option.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
option.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
option.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(option =>
{
Configuration.Bind($"{nameof(AppSettings.Security)}:{nameof(AppSettings.Security.Jwt)}", option);
option.SaveToken = true;
option.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(appSettings.Security.Jwt.ClientId)),
ValidateIssuer = true,
RequireExpirationTime = false,
ValidateLifetime = true
};
option.Events = new JwtBearerEvents();
//only way I figured out how to get the access code that linked in is returning. Open to suggestion for a simpler way
option.Events.OnMessageReceived += context =>
{
if (context.Request.QueryString.HasValue)
{
var code = context.Request.QueryString.Value.ToString();
var before = code.IndexOf("?code=") + "?code=".Length;
int after = code.LastIndexOf("&state");
string accessCode = code[before..after];
//Getting the token using the accessCode
var client = new RestClient(appSettings.Security.Jwt.TokenUrl);
var request = new RestRequest(Method.POST);
request.AddParameter("application/x-www-form-urlencoded", $"grant_type=authorization_code&code={accessCode}&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fswagger%2Findex.html&client_id=myid&client_secret=mysecret", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
var tokenKey = string.Empty;
var obj = new Token();
if (response.StatusCode == System.Net.HttpStatusCode.OK)
{
tokenKey = response.Content;
_token = JsonConvert.DeserializeObject<Token>(tokenKey);
//Getting user data from LinkedIn
client = new RestClient(appSettings.Security.Jwt.UserDataUrl);
request = new RestRequest(Method.GET);
request.AddHeader("Content-type", "application/json");
request.AddHeader("Authorization", $"Bearer {_token.Access_Token}");
IRestResponse response2 = client.Execute(request);
if (response2.StatusCode == System.Net.HttpStatusCode.OK)
{
//Getting email address from LinkedIn
client = new RestClient(appSettings.Security.Jwt.UserEmailApiUrl);
request = new RestRequest(Method.GET);
request.AddHeader("Content-type", "application/json");
request.AddHeader("Authorization", $"Bearer {_token.Access_Token}");
IRestResponse response3 = client.Execute(request);
var data = response2.Content;
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(appSettings.Security.Jwt.ClientSecret);
var tokenDescriptor = new SecurityTokenDescriptor
{
//For testing only, will use the actual data
Subject = new ClaimsIdentity(new[] { new Claim("Email", "test@test.com" ) }),
Expires = DateTime.UtcNow.AddMinutes(7),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
var t = tokenHandler.CreateToken(tokenDescriptor);
tokenHandler.WriteToken(t);
}
}
}
return Task.CompletedTask;
};
});
services.AddTransient<IConfigureOptions<SwaggerGenOptions>, ConfigureSwaggerGenOptions>();
services.AddSwaggerGen();
配置swaggergenoptions.cs
public void Configure(SwaggerGenOptions options)
{
options.OperationFilter<AuthorizeOperationFilter>();
options.SwaggerDoc("v1", new OpenApiInfo
{
Title = "My Api",
Version = "v1"
});
options.AddSecurityDefinition("OAuth2", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
{
AuthorizationCode = new OpenApiOAuthFlow
{
AuthorizationUrl = new Uri(_settings.Security.Jwt.AuthUrl),
Scopes = new Dictionary<string, string>
{
{ "r_liteprofile", "" },
{ "r_emailaddress", "" }
},
}
}
});
options.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference
{
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
},
Scheme = "OAuth2",
Name = "Bearer",
In = ParameterLocation.Header
},
new List<string>()
}
});
}
public void Apply(OpenApiOperation operation, OperationFilterContext context)
{
var authAttributes = context.MethodInfo.DeclaringType.GetCustomAttributes(true)
.Union(context.MethodInfo.GetCustomAttributes(true))
.OfType<AuthorizeAttribute>();
if (authAttributes.Any())
{
operation.Responses.Add(StatusCodes.Status401Unauthorized.ToString(), new OpenApiResponse { Description = nameof(HttpStatusCode.Unauthorized) });
operation.Responses.Add(StatusCodes.Status403Forbidden.ToString(), new OpenApiResponse { Description = nameof(HttpStatusCode.Forbidden) });
}
if (authAttributes.Any())
{
operation.Security = new List<OpenApiSecurityRequirement>();
var oauth2SecurityScheme = new OpenApiSecurityScheme()
{
Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "OAuth2" },
};
operation.Security.Add(new OpenApiSecurityRequirement()
{
[oauth2SecurityScheme] = new[] { "OAuth2" }
});
}
}
最后,
中的方法
启动.cs
app.UseAuthentication();
app.UseAuthorization();
app
.UseSwagger()
.UseSwaggerUI(option =>
{
option.SwaggerEndpoint($"/swagger/v1/swagger.json", "v1");
option.OAuthClientId(appSettings.Security.Jwt.ClientId);
option.OAuth2RedirectUrl(appSettings.Security.Jwt.ReturnUrl);
option.OAuthAppName("LinkedIn");
option.OAuthUsePkce();
});
