Ignore JWT Bearer token signature (i.e. don't validate token)

后端未结

关注

 3  1935

I have an API that sits behind an API Gateway. The API Gateway validates the bearer token before passing the request along to the API.

My API the uses the the asp.net co

相关标签:

3条回答

醉话见心

2021-02-05 17:32
You may setup token validation using JwtBearerOptions.TokenValidationParameters. You could check all available parameters from the class definition.

Contains a set of parameters that are used by a Microsoft.IdentityModel.Tokens.SecurityTokenHandler when validating a Microsoft.IdentityModel.Tokens.SecurityToken.

Set All ValidateXXX and RequireXXX bool properties to false if you want to disable validation at all:
```
.AddJwtBearer("<authenticationScheme>", configureOptions =>
{
   options.TokenValidationParameters.ValidateActor = false;
   options.TokenValidationParameters.ValidateAudience = false;
   options.TokenValidationParameters.ValidateIssuerSigningKey = false;
   ...
}
```
As an another option you can override the default token signature validation by setting own implementation to JwtBearerOptions.SignatureValidator:
```
// Gets or sets a delegate that will be used to validate the signature of the token.
//
// Remarks:
//  If set, this delegate will be called to signature of the token, instead of normal
//  processing.
public SignatureValidator SignatureValidator { get; set; }
```
where SignatureValidator delegate is defined as:
```
public delegate SecurityToken SignatureValidator(string token, TokenValidationParameters validationParameters);
```
0 讨论(0)
发布评论:

提交评论
- 加载中...

悲哀的现实

2021-02-05 17:34

Try this. Finally, I got it to work after so much of trying.

public TokenValidationParameters CreateTokenValidationParameters()
{
    var result = new TokenValidationParameters
    {
    ValidateIssuer = false,
    ValidIssuer = ValidIssuer,

    ValidateAudience = false,
    ValidAudience = ValidAudience,

    ValidateIssuerSigningKey = false,
    //IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecretKey)),
    //comment this and add this line to fool the validation logic
    SignatureValidator = delegate(string token, TokenValidationParameters parameters)
    {
        var jwt = new JwtSecurityToken(token);

        return jwt;
    },

    RequireExpirationTime = true,
    ValidateLifetime = true,

    ClockSkew = TimeSpan.Zero,
    };

    result.RequireSignedTokens = false;

    return result;
}

0 讨论(0)

-上瘾入骨i

2021-02-05 17:36

I was able to clean up the code a bit, showing that we can just change the flag and with a bit more consistency when setting the flags.

services.AddAuthentication(o =>
{
    o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
    .AddJwtBearer(o =>
    {
        o.RequireHttpsMetadata = false;
        o.SaveToken = true;
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateIssuerSigningKey = false,
            ValidateLifetime = false,
            RequireExpirationTime = false,
            RequireSignedTokens = false
        };
    });

0 讨论(0)