JWT Bearer Authorization in Swashbuckle .NET Core 2

Updated: 2024-10-24 01:50:07

Question

I use tokens generated by an authentication service for my app. No problems there. Now I have introduced Swashbuckle to document my API and I can authenticate as follows by sending the JWT with every request using this code;

    services.AddSwaggerGen(c =>
    {
        var a = new ApiKeyScheme();
        //c.AddSecurityDefinition("Bearer", new ApiKeyScheme()
        //{ In = "header", Description = "Please insert JWT with Bearer into field", Name = "Authorization", Type = "apiKey" });
        c.OperationFilter<AuthorizationHeaderParameterOperationFilter>();
        c.SwaggerDoc("v2", new Info
        {
            Version = "v2",
            Title = "MyTitle",
            Description = "An interface for ...",
            TermsOfService = "None",
            Contact = new Contact() { Name = "MyApp", Email = "a@example", Url = "www.example" }
        });

        // Set the comments path for the Swagger JSON and UI.
        var basePath = AppContext.BaseDirectory;
        var xmlPath = Path.Combine(basePath, "cpDataCore.xml");
        c.IncludeXmlComments(xmlPath);
    });

    public class AuthorizationHeaderParameterOperationFilter : IOperationFilter
    {
        public void Apply(Operation operation, OperationFilterContext context)
        {
            var filterPipeline = context.ApiDescription.ActionDescriptor.FilterDescriptors;
            var isAuthorized = filterPipeline.Select(filterInfo => filterInfo.Filter).Any(filter => filter is AuthorizeFilter);
            var allowAnonymous = filterPipeline.Select(filterInfo => filterInfo.Filter).Any(filter => filter is IAllowAnonymousFilter);

            if (isAuthorized && !allowAnonymous)
            {
                if (operation.Parameters == null)
                    operation.Parameters = new List<IParameter>();

                operation.Parameters.Add(new NonBodyParameter
                {
                    Name = "Authorization",
                    In = "header",
                    Description = "access token",
                    Required = true,
                    Type = "string"
                });
            }
        }
    }

Which gives me the following header - as expected

    accept:application/json
    Accept-Encoding:gzip, deflate, br
    Accept-Language:en-AU,en;q=0.9
    Authorization:Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.[…].nBEZgzcmZVGhFJmKI8u7p7g7xPU13HEAGJu_lrWylnc
    Connection:keep-alive
    Cookie:username=demo; jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.[…].8You0XiUlvdHb2TRuDzaiXv6r74v7ga1Av_Z3ikmblU
    Host:localhost:60000
    Referer:localhost:60000/swagger/
    User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Although, I am not sure where the Cookie is coming from. That is nothing to do with my code. I just ignore it - so far so good.

The problem is that this means the token has to be entered with every request which is a pain. Ideally, I would want to authenticate using the inbuilt swagger interface - according to several articles, I should be able to do this;

    c.AddSecurityDefinition("Bearer", new ApiKeyScheme()
    {
        In = "header",
        Description = "Please insert JWT with Bearer into field",
        Name = "Authorization",
        Type = "apiKey"
    });

This works fine, and I can add the token, there just seems to be a step I am missing to add the token to the header of every request. If I just add the auth, then this gives me the following header, which of course fails the authentication.

    GET /api/ApprovalItemTypes HTTP/1.1
    Host: localhost:60000
    Connection: keep-alive
    accept: application/json
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
    Referer: localhost:60000/swagger/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-AU,en;q=0.9
    Cookie: username=demo; jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW5_xxx__LTEiLCJuYmYiOjE1MDUwOTc3MjEsImV4cCI6MTUwNTA5ODYyMSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo2MDAwMC8iLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjYwMDAwLyJ9.8You0XiUlvdHb2TRuDzaiXv6r74v7ga1Av_Z3ikmblU

What else do I need to do in order to get the request to include the token for every subsequent request?

Recommended answer

Swagger would add the authorization header if you specified the filter on your methods. If you globally require authorization my guess is that swagger doesn't recognize them.

You need to add a SecurityRequirement like this in your ConfigureServices:

    c.AddSecurityRequirement(new Dictionary<string, IEnumerable<string>>()
    {
        { "Bearer", new string[] { } }
    });

This will require the header to be sent with every request if the token is set. If you didn't set the header before it'll not send it, but you'll still have the padlock sign next to your api description.
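
A variation on the answer above, added here as an example (not code from the original question or answer): instead of a global requirement, an operation filter attaches the "Bearer" requirement only to operations that carry an AuthorizeFilter, so the padlock appears only on protected endpoints. The class names are hypothetical, and the code assumes the same Swashbuckle.AspNetCore object model (ApiKeyScheme, Operation, Info) that the page's code uses.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Swashbuckle.AspNetCore.Swagger;
using Swashbuckle.AspNetCore.SwaggerGen;

// Added example; class names are hypothetical. Attaches the requirement per operation.
public class BearerSecurityRequirementOperationFilter : IOperationFilter
{
    public void Apply(Operation operation, OperationFilterContext context)
    {
        var filters = context.ApiDescription.ActionDescriptor.FilterDescriptors
            .Select(descriptor => descriptor.Filter).ToList();
        var requiresAuth = filters.Any(f => f is AuthorizeFilter);
        var allowsAnonymous = filters.Any(f => f is IAllowAnonymousFilter);
        if (!requiresAuth || allowsAnonymous) return; // anonymous: no padlock, no header

        // The key must match the name given to AddSecurityDefinition below.
        operation.Security = new List<IDictionary<string, IEnumerable<string>>>
        {
            new Dictionary<string, IEnumerable<string>> { { "Bearer", new string[] { } } }
        };
        // Document the failure mode: a missing or invalid token yields 401.
        if (!operation.Responses.ContainsKey("401"))
            operation.Responses.Add("401", new Response { Description = "Unauthorized" });
    }
}

public static class SwaggerBearerSetup
{
    // Call as services.AddSwaggerWithBearer() from ConfigureServices.
    public static void AddSwaggerWithBearer(this IServiceCollection services)
    {
        services.AddSwaggerGen(c =>
        {
            c.SwaggerDoc("v2", new Info { Version = "v2", Title = "MyTitle" });
            c.AddSecurityDefinition("Bearer", new ApiKeyScheme
            {
                In = "header",
                Name = "Authorization",
                Type = "apiKey",
                Description = "Please insert JWT with Bearer into field"
            });
            c.OperationFilter<BearerSecurityRequirementOperationFilter>();
        });
    }
}
```

With an apiKey scheme, Swagger UI sends the entered value verbatim as the Authorization header, so the value typed into the Authorize dialog must include the "Bearer " prefix.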

Published: 2023-11-16 21:08:36
Article link: https://www.elefans.com/category/jswz/34/1607464.html