使用keycloack授权dotnet core web api时,得到401错误,没有任何信息。

问题描述 投票:0回答:1

我正在为我的dotnet核心应用程序(3.1版本)设置认证和授权。我设置了一个keycloak服务器作为我的身份提供者。我从keycloak获得了一个JWT令牌,我在调用api方法时使用了它。我总是收到401错误。我检查了几乎所有的Keycloak配置,但我无法找到问题所在。

我的JWT令牌是 

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJza0dldkJuZnhieWlCSF9sOC1ZSEpxVnk2bm8yV3c0eG14a0xjeVlvMXRzIn0.eyJqdGkiOiJlNjI3NTA3MC05MTA0LTRhMGQtOGYxNC1mNzdkY2FjMjYzMDUiLCJleHAiOjE1ODg1MjMxMTcsIm5iZiI6MCwiaWF0IjoxNTg4NTE5NTE3LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZ2FkZ2VvbiIsImF1ZCI6WyJmdHMtcG9ydGFsIiwiYWNjb3VudCJdLCJzdWIiOiJiMzIxYTA0Ny0zNzBkLTRlOTMtOWQ0MS1jZmRjYWMyN2I1ZjYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJmdHMtcG9ydGFsIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiYmEzNmRiYjctMGYyOC00MDY4LWIwYmQtMDUxMmQxN2Q1MzEyIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiZnRzLXBvcnRhbCI6eyJyb2xlcyI6WyJmdHNfYWRtaW4iXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJBZG1pbmlzdHJhdG9ycyIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJmdHNfcG9ydGFsIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiJQcml5ZXNoIEsiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJwa2FyYXRoYSIsImdpdmVuX25hbWUiOiJQcml5ZXNoIiwiZmFtaWx5X25hbWUiOiJLIiwiZW1haWwiOiJwcml5ZXNoa2FyYXRoYUBnbWFpbC5jb20iLCJmdHMtcnVsZXMiOlsiZnRzX2FkbWluIl19.gFjqPSmyXvk78OhbPJ853upCHIHZdsAsjT1Psc7pzBqv30unH0EyCk3chTK0_87J-5bH2QAEyShKc0QVENMEL2PEhIKvgI7hdqT7oBKiTu3Ux2U5c2KbL9Dbism7nhr9FidrrkxtOsJUyR9hbZCGLnrmoHJEkNMvp3usS4HO1AxwaCSKUVXyNy3FmQJnY_R33IdSaiKsaLCJg57SIak1SexPnlUyFT6_yvbyKLjgpuL3Uk5TasQ3A8GVM2RRGVZa-s9L75rsFflkmRtAvCQca3QCRq8vHl929q6yy2TSrNlVLCeQxdK3Yapk-k_KSFS0dkoCgSQ3F5oGOECxPw-pBg

我的Startup.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Fts.App.Definitions;
using Fts.App.Services;
using Fts.Data.Defnitions;
using Fts.Data.Repository;
using Lbs.FtsClient;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

namespace Fts.Api
{
    public class Startup
    {
        public Startup()
        {
            Configuration = new ConfigurationBuilder().AddJsonFile("appsettings.json").Build();
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;

            }).AddJwtBearer("Bearer",o =>
            {
                o.Authority = Configuration["Jwt:Authority"];
                o.Audience = Configuration["Jwt:Audience"];
                o.RequireHttpsMetadata = false;

                o.Events = new JwtBearerEvents()
                {
                    OnAuthenticationFailed = c =>
                    {
                        c.NoResult();

                        c.Response.StatusCode = 500;
                        c.Response.ContentType = "text/plain";

                        return c.Response.WriteAsync(c.Exception.ToString());
                    }
                };
            });
            services.AddAuthorization(options =>
            {
                options.AddPolicy("apiadmin", policy => policy.RequireClaim("fts-rules", "[fts_admin]"));
            });

            services.AddTransient<IUserRepository, UserRepositiry>();
            services.AddTransient<IDbAccess, DbAccess>();
            services.AddTransient<ISiteRepository, SiteRepository>();
            services.AddTransient<IAssetRepository, AssetRepository>();
            services.AddTransient<IAssetService, AssetService>();
            services.AddTransient<IFtsWebService, FtsWebService>();
            services.AddControllers();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            app.UseCors(builder =>
                    builder.WithOrigins("http://localhost:4200").AllowAnyMethod().AllowAnyHeader());

            app.UseHttpsRedirection();

            app.UseRouting();

            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }
}

我在我的控制器中添加了以下内容。

[Authorize(Roles = "apiadmin")]
[ApiController]
[Route("[controller]")]

请帮助我解决这个问题。

谢谢你的帮助

asp.net-core authentication authorization keycloak openid-connect
1个回答
0
投票

你应该在你的web api应用中添加认证中间件,否则JWT不记名认证将无法工作。

app.UseRouting();
app.UseAuthentication();  <-- add this line 
app.UseAuthorization();
0
投票

首先尝试没有角色要求的授权。替换

[Authorize(Roles = "apiadmin")]


[Authorize]

这可能不会奏效,因为你没有 

app.UseAuthentication();

在Startup.Configure方法中。试着添加一下,看看是否有效。

第二,在Authorize属性中返回你的角色需求。你的令牌中没有apiadmin角色。进入Keycloak,选择你的客户端,然后进入Mappers标签。创建新的映射器,将其命名为角色,并选择映射器类型 "用户境界角色"。检查你的用户是否有apiadmin角色。获取新的令牌,并检查你是否有 "角色 "声明,以及apiadmin角色是否在其中。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.