Ignore JWT Bearer token signature (i.e. don't validate token)

Backend | Unresolved | 3 | 1939
鱼传尺愫 2021-02-05 17:20

I have an API that sits behind an API Gateway. The API Gateway validates the bearer token before passing the request along to the API.

My API the uses the asp.net co

3 answers
  • 2021-02-05 17:32

    You may set up token validation using JwtBearerOptions.TokenValidationParameters. You can check all available parameters in the class definition.

    Contains a set of parameters that are used by a Microsoft.IdentityModel.Tokens.SecurityTokenHandler when validating a Microsoft.IdentityModel.Tokens.SecurityToken.

    Set all ValidateXXX and RequireXXX bool properties to false if you want to disable validation entirely:

    .AddJwtBearer("<authenticationScheme>", options =>
    {
       // The lambda parameter is named "options" so it matches its use below.
       // Each ValidateXXX / RequireXXX flag set to false switches that check off.
       options.TokenValidationParameters.ValidateActor = false;
       options.TokenValidationParameters.ValidateAudience = false;
       options.TokenValidationParameters.ValidateIssuerSigningKey = false;
       // ... remaining ValidateXXX / RequireXXX properties
    });
    

    As another option you can override the default token signature validation by setting your own implementation in JwtBearerOptions.SignatureValidator:

    // Gets or sets a delegate that will be used to validate the signature of the token.
    //
    // Remarks:
    //  If set, this delegate will be called to validate the signature of the token,
    //  instead of the normal processing.
    public SignatureValidator SignatureValidator { get; set; }
    

    where SignatureValidator delegate is defined as:

    public delegate SecurityToken SignatureValidator(string token, TokenValidationParameters validationParameters);
    
    0 Discussion (0)
  • 2021-02-05 17:34

    Try this. Finally, I got it to work after so much trying.

    public TokenValidationParameters CreateTokenValidationParameters()
    {
        var result = new TokenValidationParameters
        {
            // ValidIssuer / ValidAudience are fields of the surrounding class;
            // they are kept but not enforced while the Validate* flags are false.
            ValidateIssuer = false,
            ValidIssuer = ValidIssuer,

            ValidateAudience = false,
            ValidAudience = ValidAudience,

            ValidateIssuerSigningKey = false,
            //IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecretKey)),
            //comment this and add this line to fool the validation logic:
            // the delegate replaces signature checking and just parses the token
            SignatureValidator = delegate(string token, TokenValidationParameters parameters)
            {
                var jwt = new JwtSecurityToken(token);

                return jwt;
            },

            // Lifetime is still enforced: an expired token is rejected
            RequireExpirationTime = true,
            ValidateLifetime = true,

            ClockSkew = TimeSpan.Zero,
        };

        result.RequireSignedTokens = false;

        return result;
    }
    
    0 Discussion (0)
  • 2021-02-05 17:36

    I was able to clean up the code a bit, showing that we can just change the flags, with a bit more consistency in how they are set.

    services.AddAuthentication(o =>
    {
        o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
        .AddJwtBearer(o =>
        {
            o.RequireHttpsMetadata = false;
            o.SaveToken = true;
            o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false,
                ValidateAudience = false,
                ValidateIssuerSigningKey = false,
                ValidateLifetime = false,
                RequireExpirationTime = false,
                RequireSignedTokens = false
            };
        });
    
    0 Discussion (0)
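The three answers above differ in how much validation they switch off. As an added example (written for this page, not taken from the thread or from the JwtBearer package), here is a complete minimal-API Program.cs that skips only the signature step, which is the one the gateway already performs, and keeps issuer, audience and lifetime checks active so that a token the gateway should never have forwarded is still rejected. It assumes ASP.NET Core 6 with the Microsoft.AspNetCore.Authentication.JwtBearer package, where the handler uses JwtSecurityTokenHandler and the delegate may return a JwtSecurityToken; the issuer and audience strings are hypothetical placeholders.

```csharp
// Added example, not from the original thread. Assumes ASP.NET Core 6 and the
// Microsoft.AspNetCore.Authentication.JwtBearer package (JwtSecurityTokenHandler-based).
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Signature step only: the gateway verified it, so this delegate just
            // parses the compact JWT. A malformed string throws, which fails auth.
            // Only appropriate when the API is reachable solely through the gateway.
            SignatureValidator = (token, parameters) => new JwtSecurityToken(token),
            ValidateIssuerSigningKey = false,
            RequireSignedTokens = false,   // redundant once SignatureValidator is set

            // Everything else stays on: wrong issuer/audience or an expired token
            // is still rejected here, independently of the gateway.
            ValidateIssuer = true,
            ValidIssuer = "https://issuer.example/",   // hypothetical placeholder
            ValidateAudience = true,
            ValidAudience = "my-api",                  // hypothetical placeholder
            ValidateLifetime = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Protected endpoint that echoes the claims taken from the (unsigned-checked) token.
app.MapGet("/me", (System.Security.Claims.ClaimsPrincipal user) =>
        Results.Ok(user.Claims.Select(c => new { c.Type, c.Value })))
   .RequireAuthorization();

app.Run();
```

Two practical notes on this shape: JwtSecurityTokenHandler consults SignatureValidator before it ever looks at RequireSignedTokens, so the latter flag only matters when no delegate is set; and on .NET 8, where the bearer handler defaults to JsonWebTokenHandler, the delegate must return a JsonWebToken (or the handler must be told to use the older validators), otherwise signature validation fails even though the delegate ran.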