Asp.net core 如何正确验证Cognito JWT和空访问群体,并在之后进行身份验证?
我使用 ASP.NET Core 和 JWT 身份验证,发现 AWS Cognito 返回的访问令牌不符合预期:其中没有 aud(访问群体)声明,而是返回了 client_id。我使用了下面这些 NuGet 库:
- AWSSDK.Core
- AWSSDK.CognitoIdentityProvider
- Amazon.Extensions.CognitoAuthentication
结果都一样。例如,访问令牌是:
{
"sub": "9ed87b45-da04-4fda-bc74-XXXXXXXXXXXX",
"event_id": "469880d0-8b17-417a-88d7-XXXXXXXXXXXX",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin",
"auth_time": 1583252488,
"iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_XXXXXXXX",
"exp": 1583256088,
"iat": 1583252488,
"jti": "c1ca9561-51ce-4b57-9f51-3355363fb4f6",
"client_id": "AppClientIDXXXXXXXXXXXXX",
"username": "testname"
}
而 ID 令牌中则包含 'aud':
{
"sub": "9ed87b45-da04-4fda-bc74-XXXXXXXXXXXX",
"aud": "AppClientIDXXXXXXXXXXXXX",
"email_verified": true,
"event_id": "469880d0-8b17-417a-88d7-XXXXXXXXXXXX",
"token_use": "id",
"auth_time": 1583252488,
"iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_XXXXXXXX",
"cognito:username": "testname",
"exp": 1583256088,
"iat": 1583252488,
"email": "testname@mail.no"
}
我尝试了两种添加 JWT 身份验证的方法,都不起作用。
例1:
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKeyResolver = (s, securityToken, identifier, parameters) =>
        {
            var json = new WebClient().DownloadString(parameters.ValidIssuer + "/.well-known/jwks.json");
            return JsonConvert.DeserializeObject<JsonWebKeySet>(json).Keys;
        },
        ValidateIssuer = true,
        ValidIssuer = $"https://cognito-idp.{region}.amazonaws.com/{poolId}",
        ValidateAudience = true,
        ValidAudience = appClientId,
    };
});
例2:
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Audience = appClientId;
    options.Authority = $"https://cognito-idp.{region}.amazonaws.com/{poolId}";
});
我的身份验证代码:
使用 AWSSDK.CognitoIdentityProvider:
var initiateAuthRequest = new InitiateAuthRequest()
{
    ClientId = myClientId,
    AuthFlow = AuthFlowType.USER_PASSWORD_AUTH,
};
initiateAuthRequest.AuthParameters.Add("USERNAME", user.USERNAME);
initiateAuthRequest.AuthParameters.Add("PASSWORD", user.PASSWORD);
var authResponse = await _cognitoIdentityProvider.InitiateAuthAsync(initiateAuthRequest);
使用 Amazon.Extensions.CognitoAuthentication:
var provider = new AmazonCognitoIdentityProviderClient(new EnvironmentVariablesAWSCredentials(), myRegion);
var userPool = new CognitoUserPool(myPool, myClient, provider);
var usr = new CognitoUser(user.Username, myClient, userPool, provider);
AuthFlowResponse authResponse = await usr.StartWithSrpAuthAsync(
    new InitiateSrpAuthRequest() { Password = user.Password }).ConfigureAwait(false);
如何获取有效的 JWT 令牌?以及如何正确地验证它?
更新:
在示例 1 中,如果我将 ValidateAudience 设为 false 并删除 ValidAudience,则会得到 401 错误:
ValidateAudience = false,
// ValidAudience = appClientId
我的 Startup.cs 如下:
public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public static IConfiguration Configuration { get; private set; }

    public void ConfigureServices(IServiceCollection services)
    {
        var region = Configuration[Resources.AWSRegion];
        var poolId = Configuration[Resources.AWSPoolId];
        var appClientId = Configuration[Resources.AWSClientId];
        services.AddSingleton(provider => new AmazonCognitoIdentityProviderClient(RegionEndpoint.USEast2));
        services.AddControllers();
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKeyResolver = (s, securityToken, identifier, parameters) =>
                {
                    var json = new WebClient().DownloadString(parameters.ValidIssuer + "/.well-known/jwks.json");
                    return JsonConvert.DeserializeObject<JsonWebKeySet>(json).Keys;
                },
                ValidateIssuer = true,
                ValidIssuer = $"https://cognito-idp.{region}.amazonaws.com/{poolId}",
                ValidateAudience = true,
                ValidAudience = appClientId
            };
        });
        services.AddAuthorization();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        app.UseRouting();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
        app.UseAuthentication();
    }
}
以下配置对我有效;我使用的是 ID 令牌而不是访问令牌(ID 令牌带有 aud 声明,而访问令牌只有 client_id):
/// <summary>
/// Registers JWT bearer authentication as the default authenticate and challenge scheme,
/// validating tokens with the Cognito parameters from <see cref="GetCognitoTokenValidationParams"/>.
/// </summary>
/// <param name="services">The application's service collection.</param>
/// <remarks>
/// Registering the scheme does not by itself authenticate requests: the pipeline built in
/// <c>Configure</c> must call <c>app.UseAuthentication()</c> before <c>app.UseAuthorization()</c>
/// and before endpoints are mapped, otherwise protected endpoints are reached without an
/// authenticated user and are rejected.
/// </remarks>
public void ConfigureServices(IServiceCollection services)
{
    var authBuilder = services.AddAuthentication(schemes =>
    {
        // The bearer scheme both authenticates incoming requests and issues challenges.
        schemes.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        schemes.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    });

    // The validation parameters are built when the bearer options are resolved, not here.
    authBuilder.AddJwtBearer(bearer => bearer.TokenValidationParameters = GetCognitoTokenValidationParams());
}
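// Cognito signing keys are downloaded from the pool's JWKS endpoint once and cached in the
// fields below; GetCognitoKeySet documents when the cache is refreshed.
private static readonly object s_jwksGate = new object();
private static readonly TimeSpan s_jwksMinRefreshInterval = TimeSpan.FromMinutes(1);
private static JsonWebKeySet s_jwks;
private static DateTime s_jwksFetchedUtc = DateTime.MinValue;

/// <summary>
/// Builds the <see cref="TokenValidationParameters"/> used to validate JWTs issued by the
/// configured Cognito user pool: signature (against the pool's JWKS), issuer, audience and lifetime.
/// </summary>
/// <returns>Validation parameters for the JWT bearer handler.</returns>
/// <exception cref="InvalidOperationException">
/// <c>AWS:Region</c>, <c>AWS:UserPoolId</c> or <c>AWS:UserPoolClientId</c> is missing from
/// configuration. Without this check a missing value only shows up later as a failing JWKS
/// download or an audience mismatch, i.e. as unexplained 401 responses.
/// </exception>
/// <remarks>
/// Audience validation stays enabled. Cognito access tokens carry the app client id in a
/// <c>client_id</c> claim and have no <c>aud</c> claim, so only ID tokens (which carry
/// <c>aud</c>) pass this configuration. Accepting access tokens would mean validating
/// <c>client_id</c> against the app client id rather than turning audience validation off.
/// </remarks>
private TokenValidationParameters GetCognitoTokenValidationParams()
{
    var region = RequireSetting("AWS:Region");
    var userPoolId = RequireSetting("AWS:UserPoolId");
    var cognitoAudience = RequireSetting("AWS:UserPoolClientId");

    var cognitoIssuer = $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}";
    var jwtKeySetUrl = $"{cognitoIssuer}/.well-known/jwks.json";

    return new TokenValidationParameters
    {
        // The handler passes the token's kid as the third argument; the cache uses it to
        // decide whether the JWKS has to be refreshed.
        IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
            GetCognitoKeySet(jwtKeySetUrl, kid).Keys,
        ValidIssuer = cognitoIssuer,
        ValidateIssuerSigningKey = true,
        ValidateIssuer = true,
        ValidateLifetime = true,
        ValidateAudience = true,
        ValidAudience = cognitoAudience
    };
}

// Reads a required configuration value, failing with a clear message instead of silently
// producing a malformed issuer URL or a null audience.
private string RequireSetting(string key)
{
    var value = Configuration[key];
    if (string.IsNullOrWhiteSpace(value))
    {
        throw new InvalidOperationException($"Configuration value '{key}' is required for Cognito JWT validation.");
    }
    return value;
}

// Returns the cached Cognito JWKS, downloading it on first use. When a token names a kid that
// is not in the cached set the JWKS is re-fetched (the pool's keys may have been rotated), but
// no more often than s_jwksMinRefreshInterval, so tokens with unknown kids cannot force one
// download per request. The lock also keeps concurrent first requests from each downloading.
private static JsonWebKeySet GetCognitoKeySet(string jwtKeySetUrl, string kid)
{
    lock (s_jwksGate)
    {
        var unknownKid = s_jwks != null && kid != null && !ContainsKid(s_jwks, kid);
        var refreshAllowed = DateTime.UtcNow - s_jwksFetchedUtc >= s_jwksMinRefreshInterval;
        if (s_jwks == null || (unknownKid && refreshAllowed))
        {
            using (var client = new WebClient())
            {
                var json = client.DownloadString(jwtKeySetUrl);
                s_jwks = new JsonWebKeySet(json);
            }
            s_jwksFetchedUtc = DateTime.UtcNow;
        }
        return s_jwks;
    }
}

// True when the key set holds a key whose kid matches the token's kid.
private static bool ContainsKid(JsonWebKeySet keySet, string kid)
{
    foreach (var key in keySet.Keys)
    {
        if (key.Kid == kid)
        {
            return true;
        }
    }
    return false;
}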
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.TokenValidationParameters = GetCognitoTokenValidationParams();
    });
}
private TokenValidationParameters GetCognitoTokenValidationParams()
{
    var cognitoIssuer = $"https://cognito-idp.{Configuration["AWS:Region"]}.amazonaws.com/{Configuration["AWS:UserPoolId"]}";
    var jwtKeySetUrl = $"{cognitoIssuer}/.well-known/jwks.json";
    var cognitoAudience = Configuration["AWS:UserPoolClientId"];
    return new TokenValidationParameters
    {
        IssuerSigningKeyResolver = (s, securityToken, identifier, parameters) =>
        {