问题
I am trying to implement JWT authentication using OWIN middleware for my ASP.NET WebAPI 2.0.
I am through with the first task of obtaining the jwt token from the OAuthAuthorizationServer. The resource owner and token server are same i.e same WebAPI generates the token and should consume too to provide access to resources.
In my Global.asax file I have added the below code line
GlobalConfiguration.Configure(FilterConfig.Configure);
In my Filter.config I have added the following configure method which I pass above to the GlobalConfiguration.Configure method in the Global.asax file.
public static void Configure(HttpConfiguration config)
{
config.Filters.Add(new System.Web.Http.AuthorizeAttribute());
}
Adding this obviously secures all the apis from unauthorized access.
When I hit any api with Bearer token passed into the Authorization header I only get the message "authorization has been denied for this request" all the time.
Now the thing that is baffling me most is that this happens when I don't add the below code in my OWIN startup file
var config = new HttpConfiguration();
WebApiConfig.Register(config);
app.UseWebApi(config);
As soon as I add the above code in the startup file the authorization is somehow removed. And I can hit the api which was inaccessible before. It is accessible whether I pass the bearer token or not which it must not.
Can you guys point me in right direction. If it behaves like this then what does this suggest?
Updated
public void ConfigureAuth(IAppBuilder app)
{
var issuer = ConfigurationManager.AppSettings["issuer"];
var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["secret"]);
OAuthOptions = new OAuthAuthorizationServerOptions
{
// In production mode set AllowInsecureHttp = false
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/Token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
Provider = new CustomOAuthProvider(),
AccessTokenFormat = new CustomJwtFormat(issuer)
};
app.UseOAuthAuthorizationServer(OAuthOptions);
// Enable bearer authentication with jwt
app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { "Any" },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer,secret)
}
});
var hh = ConfigureWebApi();
app.UseWebApi(hh);
}
private HttpConfiguration ConfigureWebApi()
{
var config = new HttpConfiguration();
var cors = new EnableCorsAttribute("http://localhost:50374", "*", "*");
config.EnableCors(cors);
config.Routes.MapHttpRoute(
"DefaultApi",
"api/{controller}/{action}/{id}",
new { id = RouteParameter.Optional });
config.Filters.Add(new System.Web.Http.AuthorizeAttribute());
return config;
}
来源:https://stackoverflow.com/questions/40019247/authorization-has-been-denied-for-this-request-using-jwt