Я хочу использовать в своей программе одновременно аутентификацию на основе cookie и JWT: вход пользователя по логину для доступа к MVC-контроллеру и JWT для доступа к ресурсу WebApi.

Я попытался совместить обе схемы. Во-первых, мой клиент может войти и аутентифицироваться с помощью cookie, используя имя пользователя и пароль. Во-вторых, из приложения нужно обращаться к ресурсу WebApi с Bearer-токеном, но здесь я получаю ошибку!

В моем файле startup.cs у меня есть:

public void ConfigureServices(IServiceCollection services)

            services.Configure<CookiePolicyOptions>(options =>
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
                options.ConsentCookie.Name = "Cookie";
            services.ConfigureApplicationCookie(options =>
                options.Cookie.Name = "Cookie";
                options.ClaimsIssuer = Configuration["Authentication:ClaimsIssuer"];

            services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");

            services.AddDbContext<ApplicationDbContext>(options =>

            services.AddIdentity<ApplicationUser, ApplicationRole>()

            services.Configure<IdentityOptions>(options =>
                // Password settings.
                options.Password.RequireDigit = true;
                options.Password.RequireLowercase = true;
                options.Password.RequireNonAlphanumeric = false;
                options.Password.RequireUppercase = false;
                options.Password.RequiredLength = 5;
                options.Password.RequiredUniqueChars = 1;

                // Lockout settings.
                options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
                options.Lockout.MaxFailedAccessAttempts = 5;
                options.Lockout.AllowedForNewUsers = true;

                // User settings.
                options.User.AllowedUserNameCharacters =
                options.User.RequireUniqueEmail = false;


            services.AddAuthentication(options =>
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;

                .AddCookie(options =>
                    options.Cookie.Name = "Cookie";
                    options.ClaimsIssuer = Configuration["Authentication:ClaimsIssuer"];
                .AddMicrosoftAccount(microsoftOptions =>
                     microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
                     microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:Password"];
                .AddGoogle(googleOptions => 
                    googleOptions.ClientId = "XXXXXXXXXXX.apps.googleusercontent.com";
                    googleOptions.ClientSecret = "g4GZ2#...GD5Gg1x";
                    googleOptions.ClaimActions.MapJsonKey(ClaimTypes.Gender, "gender");
                    googleOptions.SaveTokens = true;
                    googleOptions.Events.OnCreatingTicket = ctx =>
                        List<AuthenticationToken> tokens = ctx.Properties.GetTokens()
                            as List<AuthenticationToken>;
                        tokens.Add(new AuthenticationToken()
                            Name = "TicketCreated",
                            Value = DateTime.UtcNow.ToString()
                        return Task.CompletedTask;
                .AddJwtBearer(options =>
                    options.ClaimsIssuer = Configuration["Authentication:ClaimsIssuer"];
                    options.SaveToken = true;
                    options.Authority = Configuration["Authentication:Authority"];
                    options.Audience = Configuration["Authentication:Audience"];
                    options.RequireHttpsMetadata = false;
                    options.TokenValidationParameters = new TokenValidationParameters()

                        ValidateIssuerSigningKey = true,

                        ValidateIssuer = true,
                        ValidIssuer = Configuration["Authentication:ValidIssuer"],

                        ValidateAudience = true,
                        ValidAudience = Configuration["Authentication:ValidAudience"],

                        ValidateLifetime = true,

                        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Authentication:SecurityKey"]))




А токен я получаю в этом контроллере:

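        /// <summary>
        /// Issues a JWT for a username/password pair validated against ASP.NET Core Identity.
        /// </summary>
        /// <param name="model">Credentials posted by the client (UserName, Password).</param>
        /// <returns>
        /// 200 with <c>token</c> and <c>expiration</c> on success; 400 when the model is invalid;
        /// 401 for an unknown user, a wrong password or a locked-out account.
        /// </returns>
        public async Task<IActionResult> GetToken(TokenLoginModel model)
        {
            if (!ModelState.IsValid) return BadRequest("Token failed to generate");

            var user = await _usermanager.FindByNameAsync(model.UserName);
            // Same generic 401 for "unknown user" and "wrong password", so the endpoint
            // does not reveal which user names exist.
            if (user == null) return Unauthorized();

            // UserManager.CheckPasswordAsync only verifies the hash; it does not apply the
            // Identity lockout policy (Lockout.MaxFailedAccessAttempts / DefaultLockoutTimeSpan)
            // the way SignInManager does, so enforce it here explicitly.
            if (await _usermanager.IsLockedOutAsync(user)) return Unauthorized();

            if (!await _usermanager.CheckPasswordAsync(user, model.Password))
            {
                // Record the failure so repeated wrong passwords eventually lock the account.
                await _usermanager.AccessFailedAsync(user);
                return Unauthorized();
            }
            await _usermanager.ResetAccessFailedCountAsync(user);

            var claims = new[]
            {
                new Claim("ClaimsIssuer", _configuration.GetSection("Authentication:ClaimsIssuer").Value),
                new Claim(Microsoft.IdentityModel.JsonWebTokens.JwtRegisteredClaimNames.Sub, user.UserName),
                new Claim(Microsoft.IdentityModel.JsonWebTokens.JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
            };

            // Read the signing key from the same injected configuration as every other
            // setting (instead of the static Startup.StaticConfig), so the issuing side and
            // the AddJwtBearer validation side cannot drift apart.
            string securityKey = _configuration.GetSection("Authentication:SecurityKey").Value;
            var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey));

            // NOTE(review): AddJwtBearer validates against "Authentication:ValidAudience" while
            // the token is issued with "Authentication:Audience" — confirm both keys hold the
            // same value, otherwise every token is rejected by the validator.
            var token = new JwtSecurityToken(
                issuer: _configuration.GetSection("Authentication:ValidIssuer").Value,
                audience: _configuration.GetSection("Authentication:Audience").Value,
                // 30 days is a long lifetime for a bearer token that cannot be revoked.
                expires: DateTime.UtcNow.AddDays(30),
                claims: claims,
                signingCredentials: new Microsoft.IdentityModel.Tokens.SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));

            return Ok(new
            {
                token = new JwtSecurityTokenHandler().WriteToken(token),
                expiration = token.ValidTo
            });
        }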


Я реализовал действие контроллера, которое создаёт токен, но при попытке авторизации получаю эту ошибку:

An unhandled exception occurred while processing the request.

HttpRequestException: Response status code does not indicate success: 404 (Not Found).

IOException: IDX20804: Unable to retrieve document from: 'https://localhost:44383/oauth2/default/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)

InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://localhost:44383/oauth2/default/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)

Чтобы добавить поддержку JWT, мы добавили AddCookie и AddJwtBearer. Требовать токен в заголовке от обычных веб-страниц было бы головной болью, особенно для проектов, которые не являются чисто SPA или API, поэтому мне нужна была поддержка и cookie, и JWT. Заметьте также, что в вашем AddJwtBearer задан options.Authority: из-за этого обработчик при первом запросе пытается загрузить документ .well-known/openid-configuration с указанного адреса, и именно эта загрузка завершается ошибкой 404 в вашем стеке; для токенов, которые вы сами подписываете симметричным ключом, Authority указывать не нужно.

В файле startup.cs у вас есть:

    public class Startup
    public Startup(IConfiguration configuration)
      Configuration = configuration;
    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
      services.AddDbContext<DualAuthContext>(options =>

      services.AddIdentity<ApplicationUser, IdentityRole>()

      // Enable Dual Authentication 
        .AddCookie(cfg => cfg.SlidingExpiration = true)
        .AddJwtBearer(cfg =>
          cfg.RequireHttpsMetadata = false;
          cfg.SaveToken = true;
          cfg.TokenValidationParameters = new TokenValidationParameters()
            ValidIssuer = Configuration["Tokens:Issuer"],
            ValidAudience = Configuration["Tokens:Issuer"],
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Tokens:Key"]))

      // Add application services.
      services.AddTransient<IEmailSender, EmailSender>();

И в методе Configure:

public void Configure(IApplicationBuilder app, IHostingEnvironment env, DataSeeder seeder)

После этого в контроллере, который должен принимать JWT, нужно указать схему JWT Bearer в параметре AuthenticationSchemes атрибута Authorize, следующим образом:

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
  public class ProtectedController : Controller
  {
    // Nothing to inject; the attribute above makes every action in this controller
    // authenticate with the JWT Bearer scheme only, so a cookie sign-in is not accepted here.
    public ProtectedController()
    {
    }

    /// <summary>Returns a fixed sample payload to a caller that presented a valid Bearer token.</summary>
    public IActionResult Get() => Ok(new[] { "One", "Two", "Three" });
  }

Ссылка: Две схемы авторизации в ASP.NET Core 2

Это очень просто и полезно для использования.

Ниже моя конфигурация с использованием OpenIdConnect в вашем Startup.cs:




    .AddIdentity<User, ApplicationRole>(options =>
        options.Password.RequireDigit = false;
        options.Password.RequiredLength = 4;
        options.Password.RequireLowercase = false;
        options.Password.RequireNonAlphanumeric = false;
        options.Password.RequireUppercase = false;

        //lock out attempt
        options.Lockout.AllowedForNewUsers = true;
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
        options.Lockout.MaxFailedAccessAttempts = 3;

services.Configure<CookiePolicyOptions>(options =>
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.None;

//The default value is 14 days.
services.ConfigureApplicationCookie(options =>
    options.ExpireTimeSpan = TimeSpan.FromHours(1);

// Configure Identity to use the same JWT claims as OpenIddict instead
// of the legacy WS-Federation claims it uses by default (ClaimTypes),
// which saves you from doing the mapping in your authorization controller.
services.Configure<IdentityOptions>(options =>
    options.ClaimsIdentity.UserNameClaimType = OpenIdConnectConstants.Claims.Name;
    options.ClaimsIdentity.UserIdClaimType = OpenIdConnectConstants.Claims.Subject;
    options.ClaimsIdentity.RoleClaimType = OpenIdConnectConstants.Claims.Role;

    // Register the OpenIddict core services.
    .AddCore(options =>
        // Register the Entity Framework stores and models.
    // Register the OpenIddict server handler.
    .AddServer(options =>
        // Register the ASP.NET Core MVC binder used by OpenIddict.
        // Note: if you don't call this method, you won't be able to
        // bind OpenIdConnectRequest or OpenIdConnectResponse parameters.

        // Enable the token endpoint.

        // Enable the password and the refresh token flows.

        // Accept anonymous clients (i.e clients that don't send a client_id).

        // During development, you can disable the HTTPS requirement.

        // Note: to use JWT access tokens instead of the default
        // encrypted format, the following lines are required:


// Register the OpenIddict validation handler.
// Note: the OpenIddict validation handler is only compatible with the
// default token format or with reference tokens and cannot be used with
// JWT tokens. For JWT tokens, use the Microsoft JWT bearer handler.


        .AddJwtBearer(options =>
            options.Authority = configuration["Authentication:Authority"];
            options.Audience = "resource_server";
            options.RequireHttpsMetadata = false;
            options.TokenValidationParameters = new TokenValidationParameters
                NameClaimType = OpenIdConnectConstants.Claims.Subject,
                RoleClaimType = OpenIdConnectConstants.Claims.Role

// Alternatively, you can also use the introspection middleware.
// Using it is recommended if your resource server is in a
// different application/separated from the authorization server.
// services.AddAuthentication()
//     .AddOAuthIntrospection(options =>
//     {
//         options.Authority = new Uri("http://localhost:54895/");
//         options.Audiences.Add("resource_server");
//         options.ClientId = "resource_server";
//         options.ClientSecret = "875sqd4s5d748z78z7ds1ff8zz8814ff88ed8ea4z4zzd";
//         options.RequireHttpsMetadata = false;
//     });

