我遇到的问题是,我为JWT创建的声明在制作中的显示与我在本地开发框中的声明不同。这是我创建JWT并向其添加声明的代码:
[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login([FromForm] LoginUser applicationUser)
{
var identity = await GetClaimsIdentity(applicationUser); //this function does the _loginManager.PasswordSignInAsync()
if (identity == null)
{
_logger.LogInformation($"Invalid username ({applicationUser.UserName}) or password ({applicationUser.Password})");
return BadRequest("Invalid credentials");
}
var claims = new List<Claim>
{
new Claim(JwtRegisteredClaimNames.Sub, applicationUser.UserName),
new Claim(JwtRegisteredClaimNames.Jti, await _jwtOptions.JtiGenerator()),
new Claim(JwtRegisteredClaimNames.Iat,
ToUnixEpochDate(_jwtOptions.IssuedAt).ToString(),
ClaimValueTypes.Integer64)
};
//add role claims
var user = _userManager.FindByNameAsync(identity.Name).Result;
var roles = _userManager.GetRolesAsync(user).Result;
//adding the user id to the claims so it can be used in requests
claims.Add(new Claim(ClaimTypes.Sid, user.Id));
foreach (string role in roles)
{
claims.Add(new Claim(ClaimTypes.Role, role));
}
// Create the JWT security token and encode it.
var jwt = new JwtSecurityToken(
issuer: _jwtOptions.Issuer,
audience: _jwtOptions.Audience,
claims: claims,
notBefore: _jwtOptions.NotBefore,
expires: _jwtOptions.Expiration,
signingCredentials: _jwtOptions.SigningCredentials);
var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);
// Serialize and return the response
var response = new
{
access_token = encodedJwt,
expires_in = (int)_jwtOptions.ValidFor.TotalSeconds,
username = applicationUser.UserName,
roles = roles
};
var json = JsonConvert.SerializeObject(response, _serializerSettings);
return new OkObjectResult(json);
}
当此代码在本地运行并且我记录用户的声明时,&#34; sid&#34;声明总是填充用户的id(guid),这是我需要的,以及&#34; nameidentifier&#34;声明始终包含用户的用户名:
User Claim[0]: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier Value: adminuser (96b821e8)
User Claim[1]: jti Value: 418b19b9-e502-4391-93e4-9a66e0d68d66 (80328ff0)
User Claim[2]: iat Value: 1486588748 (a5289382)
User Claim[3]: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid Value: c193d68b-da04-45ea-b546-8389d83076da (174611d7)
User Claim[4]: http://schemas.microsoft.com/ws/2008/06/identity/claims/role Value: Admin (2cdb3902)
User Claim[5]: nbf Value: 1486588748 (740f01f6)
User Claim[6]: exp Value: 1486675148 (e89329cb)
User Claim[7]: iss Value: SuperAwesomeTokenServer (63a724a0)
User Claim[8]: aud Value: http://localhost:50824/ (f7ca0b84)
当此代码在生产中运行并且我记录用户的声明时,&#34; sid&#34;声明是间歇性地填充用户的ID,有时甚至不存在,而&#34; nameidentifier&#34;声明始终保留用户的ID(guid):
User Claim[0]: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier Value: c193d68b-da04-45ea-b546-8389d83076da (9393a9dc)
User Claim[1]: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Value: adminuser (b9cd34dc)
User Claim[2]: AspNet.Identity.SecurityStamp Value: 9c060086-1fa9-42f0-8ebf-2fdb3b443d53 (f9355f36)
User Claim[3]: http://schemas.microsoft.com/ws/2008/06/identity/claims/role Value: Admin (4cbcb5b4)
此外,您可以看到,在prod中,它添加了一个&#34; name&#34;声明现在拥有用户的用户名。
所以3个问题:
为什么&#34; sid&#34;声称在产品中间歇性地丢失?
为什么&#34; nameidentifier&#34;声明在Dev和Prod之间有不同的价值?
为什么&#34;名称&#34;声明只出现在prod?
其他细节:
将MySql用于数据库。使用IIS在本地提供应用程序,使用Kestrel在生产中提供服务。