我正在生成JWT以与我的WebApi项目一起使用。我将令牌设置为在一分钟内过期,以便我可以测试它是否在到期日期之后提交时拒绝令牌。.NetCore JwtBearerAuthentication不拒绝过期的令牌
CreateToken控制器
public async Task<IActionResult> CreateToken([FromBody] CredentialModel model)
{
var user = await _unitOfWork.UserManager.FindByNameAsync(model.UserName);
if (user == null) return BadRequest();
if (Hasher.VerifyHashedPassword(user, user.PasswordHash, model.Password) !=
PasswordVerificationResult.Success) return BadRequest();
var userClaims = awaitUserManager.GetClaimsAsync(user);
var claims = new[]
{
new Claim(JwtRegisteredClaimNames.Sub, user.UserName),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim(JwtRegisteredClaimNames.Iat, DateTime.UtcNow.ToString()),
new Claim(JwtRegisteredClaimNames.GivenName, user.FirstName),
new Claim(JwtRegisteredClaimNames.FamilyName, user.LastName),
new Claim(JwtRegisteredClaimNames.Email, user.Email)
}
.Union(userClaims);
var cert = new Certificate(Configuration["Tokens:Certificate"]);
var token = new JwtSecurityToken(
issuer: Configuration["Tokens:Issuer"],
audience: Configuration["Tokens:Audience"],
claims: claims,
expires: DateTime.UtcNow.AddMinutes(1),
signingCredentials: cert.Signature
);
return Ok(new
{
token = new JwtSecurityTokenHandler().WriteToken(token),
expiration = token.ValidTo
});
}
令牌认证 - 启动类
app.UseJwtBearerAuthentication(new JwtBearerOptions()
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
TokenValidationParameters = new TokenValidationParameters()
{
ValidIssuer = Configuration["Tokens:Issuer"],
ValidAudience = Configuration["Tokens:Audience"],
ValidateIssuerSigningKey = true,
IssuerSigningKey = new Certificate(Configuration["Tokens:Certificate"]).SecurityKey,
ValidateLifetime = true
},
});
虽然我设置validateLifetime =真托克斯(Tokes)没有否决两分钟后。它将继续接受令牌。是否有最低到期时间,我不知道或者我的设置错误?
我不认为你有这个代码的可运行版本,是吗?无论如何,我查找了'UseJwtBearerAuthentication'的文档,看起来它已被废弃:/ https://github.com/aspnet/Security/blob/99aa3bd35dd5fbe46a93eef8a2c8ab1f9fe8d05b/src/Microsoft.AspNetCore.Authentication.JwtBearer/JwtBearerAppBuilderExtensions。 cs –
@MariaInesParnisari是的,我的代码正在运行,令牌的签发和验证工作。除了我写入的用于导入不对称X509Certificate2的小型证书类以外,几乎所有的功能都在这里。它似乎并不总是验证到期。我看着你的链接,似乎不赞成。但我没有看到替代它的东西。 – Dblock247
我的意思是如果这个代码在GitHub中托管,所以我可以下载它并自己尝试。当您说验证有效时,您是否尝试过手动更改令牌的任何其他属性(例如受众)以查看验证失败? –