.net core 2.0 JWT 令牌过期问题
Posted
技术标签:
【中文标题】.net core 2.0 JWT 令牌过期问题【英文标题】:.net core 2.0 JWT token expired issue 【发布时间】:2018-10-07 19:27:56 【问题描述】:我遇到了一个非常奇怪的问题,真的让我发疯了,对我来说没有任何意义。
让我解释一下: 我有一个 Angular 5 客户端正在使用的 .NET Core 2.0 Web API。 Web api 托管在 Azure AppService 中。身份验证是通过使用 AspnetCore.Authentication.JWTBearer 的 JWT Bearer 令牌(当前版本为 2.0.1) 应用程序在 auth/login 端点中创建 JWT 令牌。然后客户端就可以在以下调用中进行身份验证了。
但是,即使我指定令牌的时间跨度为 1080 分钟(一周),但在大约 8 小时后,假设令牌不再有效。我可以离开,(实际上我开始指定令牌在几个小时内有效)但是一旦令牌过期......这就是奇怪的东西出现的地方,应用程序在用户之后发出一个新令牌是再次登录,但是新的token没有认证说token已经过期了!,如果是刚刚创建的,怎么可能过期。 (我已经加倍检查,新收到的令牌被发送到服务器,而不是旧的)。
此外,如果我只是在 Azure 中重新启动应用程序服务,那么一切都会再次恢复正常,并接受新发布的 jwt 令牌。我认为这可能是 Azure 服务器和其他东西之间的时钟问题,所以我删除了 ClockSkew 属性并将其保留为 5 分钟,这是它的默认值,但没有运气。
我不知道是什么导致了这种奇怪的行为,但导致我的应用在白天的某个时刻无用,除非我进入 Azure 并重新启动应用服务。
我的代码如下,但我开始认为它可能是与 .net core 和 Azure 相关的错误?
你看出什么不对了吗? 感谢您的帮助!
这是我的 startup.cs 类
public class Startup
private string connectionString;
private const string SecretKey = "iNivDmHLpUA223sqsfhqGbMRdRj1PVkH";
// todo: get this from somewhere secure
private readonly SymmetricSecurityKey _signingKey = new
SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecretKey));
public Startup(IConfiguration configuration)
Configuration = configuration;
public IConfiguration Configuration get;
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
connectionString = Configuration.GetSection("ConnectionString:Value").Value;
Console.WriteLine("Connection String: " + connectionString);
services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(connectionString));
//Initialize the UserManager instance and configuration
services.AddIdentity<AppUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
services.TryAddTransient<IHttpContextAccessor, HttpContextAccessor>();
// add identity
var builder = services.AddIdentityCore<AppUser>(o =>
// configure identity options
o.Password.RequireDigit = true;
o.Password.RequireLowercase = true;
o.Password.RequireUppercase = true;
o.Password.RequireNonAlphanumeric = true;
o.Password.RequiredLength = 6;
);
builder = new IdentityBuilder(builder.UserType, typeof(IdentityRole), builder.Services);
builder.AddEntityFrameworkStores<ApplicationDbContext>().AddDefaultTokenProviders();
//START JWT CONFIGURATION
services.AddSingleton<IJwtFactory, JwtFactory>();
// Get options from app settings
var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions));
// Configure JwtIssuerOptions
services.Configure<JwtIssuerOptions>(options =>
options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)];
options.SigningCredentials = new SigningCredentials(_signingKey, SecurityAlgorithms.HmacSha256);
);
var tokenValidationParameters = new TokenValidationParameters
ValidateIssuer = true,
ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)],
ValidateIssuerSigningKey = true,
IssuerSigningKey = _signingKey,
ValidateAudience = true,
ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)],
RequireExpirationTime = false,
// ValidateLifetime = true,
// ClockSkew = TimeSpan.Zero //default son 5 minutos
;
services.AddAuthentication(options =>
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
).AddJwtBearer(configureOptions =>
configureOptions.ClaimsIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
configureOptions.TokenValidationParameters = tokenValidationParameters;
configureOptions.SaveToken = true;
);
// api user claim policy
// Enables [Authorize] decorator on controllers.
//more information here: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1
services.AddAuthorization(options =>
options.AddPolicy("ApiUser", policy => policy.RequireClaim(Constants.Strings.JwtClaimIdentifiers.Rol, Constants.Strings.JwtClaims.ApiAccess));
);
//END JWT CONFIGURATION
// Register the Swagger generator, defining one or more Swagger documents
services.AddSwaggerGen(c =>
c.SwaggerDoc("v1", new Info
Title = Configuration.GetSection("Swagger:Title").Value,
Version = "v1"
);
);
//Initialize auto mapper
services.AddAutoMapper();
services.AddCors();
//Initialize MVC
services.AddMvc();
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
UserManager<AppUser> userManager, RoleManager<IdentityRole> roleManager)
var cultureInfo = new CultureInfo("es-AR");
//cultureInfo.NumberFormat.CurrencySymbol = "€";
CultureInfo.DefaultThreadCurrentCulture = cultureInfo;
CultureInfo.DefaultThreadCurrentUICulture = cultureInfo;
if (env.IsDevelopment())
app.UseDeveloperExceptionPage();
app.UseExceptionHandler(
builder =>
builder.Run(
async context =>
context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
context.Response.Headers.Add("Access-Control-Allow-Origin", "*");
var error = context.Features.Get<IExceptionHandlerFeature>();
if (error != null)
context.Response.AddApplicationError(error.Error.Message);
await context.Response.WriteAsync(error.Error.Message).ConfigureAwait(false);
);
);
// Enable middleware to serve generated Swagger as a JSON endpoint.
app.UseSwagger();
// Enable middleware to serve swagger-ui (html, JS, CSS, etc.), specifying the Swagger JSON endpoint.
app.UseSwaggerUI(c =>
c.SwaggerEndpoint(
Configuration.GetSection("Swagger:Endpoint").Value,
Configuration.GetSection("Swagger:Title").Value);
);
app.UseAuthentication();
//Loads initial users and roles.
if (Configuration["seed"] == "true")
Console.WriteLine("Seeding database with connection string: " + connectionString);
Console.WriteLine();
IdentityDataInitializer.SeedData(userManager, roleManager);
Console.WriteLine("Finished seeding");
else
Console.WriteLine("seeding not configured");
app.UseDefaultFiles();
app.UseStaticFiles();
// Shows UseCors with CorsPolicyBuilder.
app.UseCors(builder =>
builder.WithOrigins(Configuration.GetSection("AllowedOrigins:Origin1").Value,
Configuration.GetSection("AllowedOrigins:Origin2").Value)
.AllowAnyHeader()
.AllowAnyMethod() //Permite también PREFLIGHTS / OPTIONS REQUEST!
);
Console.WriteLine("Allowed origin: " + Configuration.GetSection("AllowedOrigins:Origin1").Value);
Console.WriteLine("Allowed origin: " + Configuration.GetSection("AllowedOrigins:Origin2").Value);
app.UseMvc();
这是我的 JwtIssuerOptions.cs
public class JwtIssuerOptions
/// <summary>
/// 4.1.1. "iss" (Issuer) Claim - The "iss" (issuer) claim identifies the principal that issued the JWT.
/// </summary>
public string Issuer get; set;
/// <summary>
/// 4.1.2. "sub" (Subject) Claim - The "sub" (subject) claim identifies the principal that is the subject of the JWT.
/// </summary>
public string Subject get; set;
/// <summary>
/// 4.1.3. "aud" (Audience) Claim - The "aud" (audience) claim identifies the recipients that the JWT is intended for.
/// </summary>
public string Audience get; set;
/// <summary>
/// 4.1.4. "exp" (Expiration Time) Claim - The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
/// </summary>
public DateTime Expiration => IssuedAt.Add(ValidFor);
/// <summary>
/// 4.1.5. "nbf" (Not Before) Claim - The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.
/// </summary>
public DateTime NotBefore get; set; = DateTime.UtcNow;
/// <summary>
/// 4.1.6. "iat" (Issued At) Claim - The "iat" (issued at) claim identifies the time at which the JWT was issued.
/// </summary>
public DateTime IssuedAt get; set; = DateTime.UtcNow;
/// <summary>
/// Set the timespan the token will be valid for (default is 120 min)
/// </summary>
public TimeSpan ValidFor get; set; = TimeSpan.FromMinutes(1080);//una semana
/// <summary>
/// "jti" (JWT ID) Claim (default ID is a GUID)
/// </summary>
public Func<Task<string>> JtiGenerator =>
() => Task.FromResult(Guid.NewGuid().ToString());
/// <summary>
/// The signing key to use when generating tokens.
/// </summary>
public SigningCredentials SigningCredentials get; set;
将带有令牌的 json 发送到客户端的 Token.cs 类
public class Tokens
public static async Task<object> GenerateJwt(ClaimsIdentity identity, IJwtFactory jwtFactory, string userName, JwtIssuerOptions jwtOptions, JsonSerializerSettings serializerSettings)
var response = new
id = identity.Claims.Single(c => c.Type == "id").Value,
auth_token = await jwtFactory.GenerateEncodedToken(userName, identity),
expires_in = (int)jwtOptions.ValidFor.TotalSeconds
;
return response;
//return JsonConvert.SerializeObject(response, serializerSettings);
AuthController.cs
[Produces("application/json")]
[Route("api/[controller]")]
public class AuthController : Controller
private readonly UserManager<AppUser> _userManager;
private readonly IJwtFactory _jwtFactory;
private readonly JwtIssuerOptions _jwtOptions;
private readonly ILogger _logger;
public AuthController(UserManager<AppUser> userManager,
IJwtFactory jwtFactory,
IOptions<JwtIssuerOptions> jwtOptions,
ILogger<AuthController> logger)
_userManager = userManager;
_jwtFactory = jwtFactory;
_jwtOptions = jwtOptions.Value;
_logger = logger;
// POST api/auth/login
[HttpPost("login")]
public async Task<IActionResult> Post([FromBody]CredentialsViewModel credentials)
try
if (!ModelState.IsValid)
return BadRequest(ModelState);
var identity = await GetClaimsIdentity(credentials.UserName, credentials.Password);
if (identity == null)
// Credentials are invalid, or account doesn't exist
_logger.LogInformation(LoggingEvents.InvalidCredentials, "Invalid Credentials");
return BadRequest(Errors.AddErrorToModelState("login_failure", "Invalid username or password.", ModelState));
var jwt = await Tokens.GenerateJwt(identity, _jwtFactory, credentials.UserName, _jwtOptions, new JsonSerializerSettings Formatting = Formatting.Indented );
CurrentUser cu = Utils.GetCurrentUserInformation(identity.Claims.Single(c => c.Type == "id").Value, _userManager).Result;
if (cu != null)
cu.Jwt = jwt;
return new OkObjectResult(cu);
return StatusCode(500);
catch (System.Exception ex)
_logger.LogError(LoggingEvents.GenericError, ex.Message);
return StatusCode(500, ex);
private async Task<ClaimsIdentity> GetClaimsIdentity(string userName, string password)
try
if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
return await Task.FromResult<ClaimsIdentity>(null);
// get the user to verifty
ILogicUsers lusers = Business.UsersLogic(_userManager);
AppUser userToVerify = await lusers.FindByNameAsync(userName);
if (userToVerify == null)
return await Task.FromResult<ClaimsIdentity>(null);
// check the credentials
if (await lusers.CheckPasswordAsync(userToVerify, password))
return await Task.FromResult(_jwtFactory.GenerateClaimsIdentity(userName, userToVerify.Id));
// Credentials are invalid, or account doesn't exist
_logger.LogInformation(LoggingEvents.InvalidCredentials, "Invalid Credentials");
return await Task.FromResult<ClaimsIdentity>(null);
catch
throw;
【问题讨论】:
1080 分钟!= 一周。只有 18 小时。 10080 分钟是一周 你能告诉我们一个令牌,或者至少是一个令牌的 nbf 和 exp 声明吗? 嗨@Brad,你是绝对正确的,我改变了很多次ValidFor时间跨度,我感到困惑。不过,这似乎不是问题,因为 18 小时后令牌未获得授权,我无法继续使用该应用程序(与客户端浏览器无关)我最终重新启动了 azure 应用程序服务。 好吧,我想我找到了问题所在。 IssuedAt 属性是静态的,并且是第一次生成的令牌值。当令牌过期时,会生成一个新令牌,但使用第一个令牌的发出日期,这就是所有新生成的令牌都过期的原因。在 Azure 中重新启动 AppService 会导致清除静态值并正确创建第一个新令牌。这是正确的行。 public DateTime IssuedAt => DateTime.UtcNow;感谢您的帮助! 【参考方案1】:嗯,我想我找到了问题所在。
IssedAt 属性是静态的,并且正在获取第一次生成的令牌值。当令牌过期时,会生成一个新令牌,但使用第一个令牌的发出日期,这就是所有新生成的令牌都过期的原因。在 Azure 中重新启动 AppService 会导致清除静态值并正确创建第一个新令牌。
这是正确的行。
public DateTime IssuedAt => DateTime.UtcNow;
感谢您的帮助!
【讨论】:
我遇到了完全相同的问题。在“过期”-属性内,我刚刚返回了 IssuedAt.Add(ValidFor),这总是让我得到初始值。我想我们对 JwtIssuerOptions - 类使用了相同的代码示例。你从哪里弄来的?我们可能应该建议对此进行改进。就我而言,一位同事实现了这一点,所以我现在不能说这是从哪里来的。 是的,好主意。这个问题似乎来自本教程,fullstackmark.com/post/13/…,它在其中一个部分指向这个 repo github.com/mmacneil/AngularASPNETCore2WebApiAuth/blob/master/…以上是关于.net core 2.0 JWT 令牌过期问题的主要内容,如果未能解决你的问题,请参考以下文章
.Net Core 2.1 过期的 JWT 令牌响应 [发布与获取]