InvalidOperationException:除非通过设置RequireHttpsMetadata = false禁用开发,否则MetadataAddress或Authority必须使用HTTPS。
我在哪里设置?
我试过了 Startup.ConfigureServices()
if (_hostingEnvironment.IsDevelopment())
services.AddMvc(opts => opts.RequireHttpsPermanent = false);
仍然收到错误。还尝试将其放在Web.Config中只是为了让我在本地调试。
if (_hostingEnvironment.IsDevelopment())
services.AddMvc(opts => opts.RequireHttpsPermanent = false);
都不起作用。我在MS上找不到任何有关此设置的文档!
我正在使用jwt承载身份验证。
您需要按照@kirk Larkin的建议,将JwtBearerOptions.RequireHttpsMetadata添加为false作为ConfigureServices。
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.Authority = Configuration["Auth0:Authority"];
options.Audience = Configuration["Auth0:Audience"];
options.RequireHttpsMetadata = false;
});
services.AddMvc();
}
options.Authority需要是安全的连接。省略协议将默认为 http,因此请务必将此 url 显式设置为 https。RequireHttpsMetadata=false应该只在开发场景中使用——所以你应该在将它设置为 false 之前检查托管环境。
小智 6
我想我应该添加一些代码来展示如何定义检查主机环境是否处于“开发”状态。这使得您的代码不易出现漏洞,因为您无需在投入生产之前对其进行更改。希望这也能帮助其他搜索此问题的人。
public IConfiguration Configuration { get; }
public IHostingEnvironment HostEnvironment { get; }
public Startup(IConfiguration configuration, IWebHostEnvironment hostEnvironment)
{
Configuration = configuration;
HostEnvironment = hostEnvironment;
}
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(opt =>
{
opt.Audience = Configuration["AAD:ResourceId"];
opt.Authority = $"{Configuration["AAD: Instance"]}{Configuration["AAD:TenantId"]}";
if (HostEnvironment.IsDevelopment())
{ // to make sure this is only used during development
opt.RequireHttpsMetadata = false;
}
});
}
// rest omitted