GetTokenAsync returns 2 audiences in ASP.NET Core 2.1 using auth0

I am using ASP.NET Core 2.1 and Auth0.

When I try to retrieve the access_token to access my own API, I use

string accessToken = await HttpContext.GetTokenAsync("access_token");

Strangely, when I paste the token into https://jwt.io/ it shows that an audience has been added. The problem is that two audiences are not allowed, so the token is invalid. The added audience ends with /userinfo.


I use the following code in ConfigureServices

// Add authentication services
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect("Auth0", options =>
{
    // Set the authority to your Auth0 domain
    options.Authority = $"https://{Configuration["Auth0:Domain"]}";

    // Configure the Auth0 Client ID and Client Secret
    options.ClientId = Configuration["Auth0:ClientId"];
    options.ClientSecret = Configuration["Auth0:ClientSecret"];

    // Set response type to code
    options.ResponseType = "code";

    // Configure the scope
    options.Scope.Clear();
    options.Scope.Add("openid");

    // Set the callback path, so Auth0 will call back to http://localhost:5000/signin-auth0
    // Also ensure that you have added the URL as an Allowed Callback URL in your Auth0 dashboard
    options.CallbackPath = new PathString("/signin-auth0");

    // Configure the Claims Issuer to be Auth0
    options.ClaimsIssuer = "Auth0";

    // Saves tokens to the AuthenticationProperties
    options.SaveTokens = true;

    options.Events = new OpenIdConnectEvents
    {
        // handle the logout redirection
        OnRedirectToIdentityProviderForSignOut = (context) =>
        {
            var logoutUri = $"https://{Configuration["Auth0:Domain"]}/v2/logout?client_id={Configuration["Auth0:ClientId"]}";

            var postLogoutUri = context.Properties.RedirectUri;
            if (!string.IsNullOrEmpty(postLogoutUri))
            {
                if (postLogoutUri.StartsWith("/"))
                {
                    // transform to absolute
                    var request = context.Request;
                    postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                }
                logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
            }

            context.Response.Redirect(logoutUri);
            context.HandleResponse();

            return Task.CompletedTask;
        },
        OnRedirectToIdentityProvider = context =>
        {
            context.ProtocolMessage.SetParameter("audience", "MY_OWN_AUDIENCE_URL");

            return Task.FromResult(0);
        }    
    };
});

Can someone please explain why there are two audiences in my access token?

The second audience is the userinfo endpoint. The userinfo endpoint is part of the OpenID Connect protocol; it exposes the end user's profile information and is present because of the openid scope.

When Auth0 receives an authorization request, it checks the request's audience and scope parameters. If the audience is a custom API and the scope includes openid, the access_token will contain two audiences: one for your custom API and the other for the Auth0 userinfo endpoint.

Here is a supporting quote from https://auth0.com/docs/tokens/access-token:

When the audience is set to a custom API and the scope parameter includes the openid value, then the generated Access Token will be a JWT valid for both retrieving the user's profile and for accessing the custom API. The aud claim of this JWT will include two values: YOUR_AUTH0_DOMAIN/userinfo and your custom API's unique identifier.

It is working

I put the following code in ConfigureServices of the Startup class. In the configuration list I put the audience of the Auth0 userinfo API and my own API.

// Multiple audiences
options.TokenValidationParameters = new TokenValidationParameters
{
    ValidateAudience = true,
    ValidAudiences = Configuration.GetSection("Auth0:Audiences").Get<List<string>>(),
    ValidateLifetime = true
};
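The two-audience behaviour explained in the answer, and the ValidAudiences fix above, as an added example that is not from the question, the answer or the Auth0 SDK: a stdlib-only Python validator that normalises aud (a single string or an array, both legal under RFC 7519) and accepts the token only if one value is an audience this API serves, next to the naive equality check that makes an Auth0 token carrying YOUR_AUTH0_DOMAIN/userinfo plus your API identifier look invalid. The secret, tenant domain and API identifier are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; not a real tenant, API or secret.
SECRET = b"example-shared-secret"
USERINFO_AUD = "https://example-tenant.auth0.com/userinfo"
API_AUD = "https://api.example.com"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(aud, secret: bytes = SECRET, ttl: int = 3600) -> str:
    """Mint an HS256 JWT; aud may be a string or a list (RFC 7519 section 4.1.3)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": "https://example-tenant.auth0.com/", "aud": aud, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def naive_audience_ok(token: str, expected: str) -> bool:
    """The check that breaks on Auth0 tokens: it assumes aud is always a single string."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return claims.get("aud") == expected

def validate(token: str, valid_audiences, secret: bytes = SECRET) -> dict:
    """Verify alg, signature and expiry, then accept if any aud value is one we serve."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm instead of trusting the header
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # normalise: string or array
    if not set(auds) & set(valid_audiences):
        raise ValueError(f"audience mismatch: token is for {auds}")
    return claims
```

A token minted for the userinfo audience alone is still rejected, which is the property worth keeping: listing several valid audiences widens the accepted set without letting a token issued for some other consumer reach your API.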