[*] Identity API (OpenIddict Server) - issues JWT tokens
[*] Voucher API (protected resource) - validates JWT tokens using AddJwtBearer
Identity API configuration
In my Program.cs I configure OpenIddict with signing/encryption certificates.
[code]
opt.AddSigningCertificate(new X509Certificate2(signingCertPath, signingCertPassword));
opt.AddEncryptionCertificate(new X509Certificate2(encryptionCertPath, encryptionCertPassword));
[/code]
I also generate a self-signed HTTPS certificate locally with SANs:
[code]
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// validFrom/validTo were not defined in the posted snippet; a one-year validity window is assumed here
var validFrom = DateTimeOffset.UtcNow.AddDays(-1);
var validTo = validFrom.AddYears(1);
Directory.CreateDirectory("https-certs"); // File.WriteAllBytes does not create the directory

using (var httpsAlgorithm = RSA.Create(keySizeInBits: 2048))
{
    var httpsSubject = new X500DistinguishedName("CN=localhost, O=Local Development, C=US");
    var httpsRequest = new CertificateRequest(httpsSubject, httpsAlgorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Key usage for HTTPS
    httpsRequest.CertificateExtensions.Add(new X509KeyUsageExtension(
        X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: true));

    // Enhanced key usage for server authentication
    httpsRequest.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
        new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, // Server Authentication
        critical: true));

    // Subject Alternative Names: TLS clients match the host they connect to against these entries
    var sanBuilder = new SubjectAlternativeNameBuilder();
    sanBuilder.AddDnsName("localhost");
    sanBuilder.AddDnsName("127.0.0.1"); // IP literal stored as a dNSName; the iPAddress entries below are what clients match on
    sanBuilder.AddDnsName("identity-api"); // Docker service name
    sanBuilder.AddIpAddress(System.Net.IPAddress.Loopback);
    sanBuilder.AddIpAddress(System.Net.IPAddress.Parse("127.0.0.1"));
    httpsRequest.CertificateExtensions.Add(sanBuilder.Build());

    var httpsCertificate = httpsRequest.CreateSelfSigned(validFrom, validTo);
    string httpsPassword = "testpassword!";
    File.WriteAllBytes("https-certs/https-cert.pfx", httpsCertificate.Export(X509ContentType.Pfx, httpsPassword));
}
[/code]
Identity API Dockerfile:
[code]
FROM mcr.microsoft.com/dotnet/aspnet:9.0-bookworm-slim AS base
USER root
WORKDIR /app
EXPOSE 8080
EXPOSE 8081
# Copy HTTPS certificates
# (mounted via docker-compose)
RUN mkdir -p /app/https-certs && chmod 700 /app/https-certs

# (the build and publish stages referenced below were omitted from the posted Dockerfile)

FROM build AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "Rock.Identity.API.dll"]
[/code]
docker-compose.yml
[code]
services:
  identity-api:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "3400:8080"
      - "3401:8081"
    environment:
      - DOTNET_ENVIRONMENT=Production
      - ASPNETCORE_URLS=http://+:8080;https://+:8081
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/app/https-certs/https-cert.pfx
      - ASPNETCORE_Kestrel__Certificates__Default__Password=testpassword!
    volumes:
      - ./https-certs:/app/https-certs:ro
    networks:
      - identity-network
[/code]
[b]Initial issue[/b] (when running Voucher API in Visual Studio)
At first, when I ran the Identity API in Docker and Voucher API locally in Visual Studio, I got this error:
[code]
IDX10500: Signature validation failed. No security keys were provided to validate the signature.
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
[/code]
To resolve this I installed the self-signed certificate called https-cert.pfx.
[b]Current issue[/b] (when both APIs run in Docker)
Voucher API Dockerfile (relevant parts):
[code]
FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base
WORKDIR /app
EXPOSE 8080
EXPOSE 8081

FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
ARG BUILD_CONFIGURATION=Release
COPY ["src/Api/Renault.Voucher.API/Renault.Voucher.API.csproj", "src/Api/Renault.Voucher.API/"]
# (other projects copied here)
RUN dotnet restore "./src/Api/Renault.Voucher.API/Renault.Voucher.API.csproj"
COPY . .
WORKDIR "/src/Api/Renault.Voucher.API"
RUN dotnet build "./Renault.Voucher.API.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "./Renault.Voucher.API.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "Renault.Voucher.API.dll"]
[/code]
Do I need to install the same self-signed certificate inside the Voucher API Docker container? If yes how can I do it?
More details here: https://stackoverflow.com/questions/797 ... g-certific
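The IDX10500 error above is what AddJwtBearer reports when it could not download the Identity API's discovery document and JWKS, so it has no signing keys to check the token against; inside Docker the usual cause is that the Voucher API's back-channel HttpClient rejects the self-signed HTTPS certificate. The following Program.cs fragment for the Voucher API is an added example and not code from the original post. It assumes the Identity API is reachable inside the compose network as https://identity-api:8081/ (that host name is already in the certificate's SANs), that the public half of https-cert.pfx has been exported to a file named identity-api.crt and mounted read-only into the Voucher API container, that the API resource is named "voucher-api", and that the configuration keys under "Identity:" are the example's own. It pins that one certificate for the metadata requests instead of disabling validation.

```csharp
// Added example, not code from the original post.
// Voucher API Program.cs: validate OpenIddict-issued JWTs while both APIs run in Docker.
// Assumptions (not in the post): https://identity-api:8081/ is the in-network address of the
// Identity API, /app/https-certs/identity-api.crt holds the public certificate exported from
// https-cert.pfx, and "voucher-api" is the audience/resource name registered with OpenIddict.
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical configuration keys; override them from appsettings.json or the environment.
var authority = builder.Configuration["Identity:Authority"] ?? "https://identity-api:8081/";
var issuer    = builder.Configuration["Identity:Issuer"] ?? authority;
var certPath  = builder.Configuration["Identity:CertificatePath"] ?? "/app/https-certs/identity-api.crt";
var audience  = builder.Configuration["Identity:Audience"] ?? "voucher-api";

// Pin the Identity API's self-signed HTTPS certificate for the back-channel requests that fetch
// /.well-known/openid-configuration and the JWKS. This is a development alternative to adding
// the certificate to the container's CA store; it never accepts arbitrary certificates.
var pinned = X509CertificateLoader.LoadCertificateFromFile(certPath); // .NET 9 loader; public part only
var pinnedHash = pinned.GetCertHashString(HashAlgorithmName.SHA256);
var backchannel = new HttpClientHandler
{
    ServerCertificateCustomValidationCallback = (_, cert, _, errors) =>
        errors == SslPolicyErrors.None                      // chain already trusted by the OS store
        || (cert is not null
            && string.Equals(cert.GetCertHashString(HashAlgorithmName.SHA256), pinnedHash,
                             StringComparison.OrdinalIgnoreCase)),
};

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = authority;          // discovery document and JWKS are downloaded from here
        options.RequireHttpsMetadata = true;    // keep HTTPS inside Docker; trust comes from the pin above
        options.BackchannelHttpHandler = backchannel;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,               // must equal the "iss" claim OpenIddict writes into the token
            ValidateAudience = true,
            ValidAudience = audience,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/vouchers", () => Results.Ok(new[] { "voucher-1" })).RequireAuthorization();
app.Run();
```

If you would rather install the certificate in the container than pin it, export the public part with `openssl pkcs12 -in https-cert.pfx -clcerts -nokeys -out identity-api.crt`, `COPY` it to `/usr/local/share/ca-certificates/identity-api.crt` in the Voucher API image (the `.crt` extension matters on Debian) and add `RUN update-ca-certificates`; the callback above then sees `SslPolicyErrors.None` and the pin is never consulted. Two further checks worth making with this setup: tokens obtained through the host port (https://localhost:3401) carry that address as their `iss` claim, which will not match `https://identity-api:8081/` unless the Identity API fixes its issuer with OpenIddict's `SetIssuer(...)` and `Identity:Issuer` is set to the same value; and OpenIddict encrypts access tokens by default when an encryption certificate is registered, so a plain AddJwtBearer validator needs `TokenValidationParameters.TokenDecryptionKey` set to that certificate's key unless the server calls `DisableAccessTokenEncryption()`.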