希望任何人都可以帮助我解决以下非常令人沮丧的问题。令牌端点AllowInsecureHttp = false仍然接受http请求
我有我通过jwt身份验证保护的.NET WebApi。在设置OAuthAuthorizationServerOptions
对象时,我将我的令牌终点的属性AllowInsecureHttp
设置为false
。在IISExpress本地运行我的API并使用Postman测试它就像一个魅力。如果我将该属性设置为true
,并在我的终点上请求令牌,那么它将起作用,如果将其设置为false
,我会按预期得到404
。但是,当我将API发布到我的生产环境(Windows 2012/IIS8)并将属性设置为false
时,我可以通过https 和 http获得令牌。它似乎没有听取财产。
我运行API作为带有别名Api的应用程序,只有一个https绑定的域。我用下面的助手基类,我的API:
public class BaseWebApi<TDerivedOAuthProvider> where TDerivedOAuthProvider : BaseOAuthProvider, new()
{
public BaseWebApi(IAppBuilder app)
{
HttpConfiguration config = new HttpConfiguration();
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(DefaultAuthenticationTypes.ExternalBearer));
ConfigureOAuth(app);
WebApiConfig.Register(config);
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.UseWebApi(config);
}
private static void ConfigureOAuth(IAppBuilder app)
{
var allowInsecureHttp = Convert.ToBoolean(ConfigurationManager.AppSettings["jwt::allowInsecureHttp"].ToString());
var issuer = ConfigurationManager.AppSettings["jwt::issuer"].ToString();
var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["jwt::secret"].ToString());
var clients = ConfigurationManager.AppSettings["jwt::clients"].ToString().Split(new char[] { ',' });
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
AllowInsecureHttp = allowInsecureHttp,
AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(10),
Provider = new TDerivedOAuthProvider(),
RefreshTokenProvider = new BaseRefreshTokenProvider(),
AccessTokenFormat = new BaseJwtFormat(issuer),
};
// OAuth 2.0 Bearer Access Token Generation
app.UseOAuthAuthorizationServer(OAuthServerOptions);
// Api controllers with an [Authorize] attribute will be validated with JWT
app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = clients,
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
}
});
}
}
变量allowInsecureHttp
,issuer
,secret
和clients
从配置文件填充。将硬编码为allowInsecureHttp
的值设置为false
或true
不会改变任何内容。
[assembly: OwinStartup(typeof(MyCustomAPI.Startup))]
namespace MyCustomAPI.API
{
public class Startup
{
public void Configuration(IAppBuilder app)
{
BaseWebApi<CustomOAuthProvider> webApi = new BaseWebApi<CustomOAuthProvider>(app);
}
}
}
希望任何人都可以点我:这个基类,然后通过我的实际API,它(旁边的实际API函数)还提供了一个CustomOAuthProvider
类处理的实际执行证书检查这个特定的API的实例正确的方向。抛开这个问题,API本身的工作是完美的,但我真的想强制SSL生产令牌。
干杯, 奈奎斯特