我有一个受 Azure AD 保护的 .Net 5 Web API。我想要完成的是在授权失败时提供自定义错误消息。例如，

• 如果用户忘记在请求中添加 Authorization 标头，我想告诉用户该标头是必需的。
• 如果令牌已过期，我想确切地告诉用户这一点，而不是简单地返回 401 状态代码而没有详细信息。

简单地将 [Authorize] 属性放在控制器和/或操作之前是行不通的，因为它返回 401 状态代码并且不包含有关此错误的任何详细信息。

我搜索了它，发现我必须编写一个自定义授权过滤器，使用它应该可以完成我正在寻找的东西。

使用此 blog post，我能够编写自定义授权过滤器，但是我仍然无法找到如何验证令牌并返回适当的错误消息。

这是我目前编写的代码：

Startup.cs

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        AuthorizationPolicy policy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme).RequireAuthenticatedUser().Build();
        _ = services.AddAuthorization(options =>
        {
            options.DefaultPolicy = policy;
        });
        _ = services.AddControllers(options =>
        {
            options.Filters.Add(new CustomTokenAuthorizationFilter(policy));
        });
        _ = services.AddSwaggerGen(c =>
        {
            c.SwaggerDoc("v1",new OpenApiInfo { Title = "API",Version = "v1" });
        });
        _ = services
            .AddMicrosoftIdentityWebApiAuthentication(Configuration,"ApiSettings");
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app,IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            _ = app.UseDeveloperExceptionPage();
            _ = app.UseSwagger();
            _ = app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json","API v1"));
        }


        _ = app.UseConfigureRequestHeaders();

        _ = app.UseHttpsRedirection();

        _ = app.UseRouting();

        //_ = app.UseAuthentication();

        _ = app.UseAuthorization();

        _ = app.UseEndpoints(endpoints =>
        {
            _ = endpoints.MapControllers();
        });
    }
}

CustomAuthorizationFilter.cs

public class CustomTokenAuthorizationFilter : AuthorizeFilter
{
    public CustomTokenAuthorizationFilter(AuthorizationPolicy policy) : base(policy)
    {

    }

    public override async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        // Allow Anonymous skips all authorization
        if (context.Filters.Any(item => item is IAllowAnonymousFilter))
        {
            return;
        }
        var policyEvaluator = context.HttpContext.RequestServices.GetRequiredService<IPolicyEvaluator>();
        var authenticateResult = await policyEvaluator.AuthenticateAsync(Policy,context.HttpContext);
        var authorizeResult = await policyEvaluator.AuthorizeAsync(Policy,authenticateResult,context.HttpContext,context);
        return;
    }
}

使用此代码，当我的令牌出现问题时，authenticateResult.Succeeded 属性为 false，authorizeResult.Challenged 属性为 true。

如何找出导致授权失败的原因？任何帮助将不胜感激。

我正在使用 Microsoft 建议的 Microsoft.Identity.Web NuGet 包。

解决方法