var jwtConfig = Configuration.GetSection("Jwt"); //生成密钥 var symmetricKeyAsBase64 = jwtConfig.GetValue<string>("Secret"); var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64); var signingKey = new SymmetricSecurityKey(keyByteArray); //认证参数 services.AddAuthentication("Bearer") .AddJwtBearer(o => { o.TokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true,//是否验证签名,不验证的画可以改动数据,不安详 IssuerSigningKey = signingKey,//解密的密钥 ValidateIssuer = true,//是否验证刊行人,就是验证载荷中的Iss是否对应ValidIssuer参数 ValidIssuer = jwtConfig.GetValue<string>("Iss"),//刊行人 ValidateAudience = true,//是否验证订阅人,就是验证载荷中的Aud是否对应ValidAudience参数 ValidAudience = jwtConfig.GetValue<string>("Aud"),//订阅人 ValidateLifetime = true,//是否验证逾期时间,逾期了就拒绝会见 ClockSkew = TimeSpan.Zero,//这个是缓冲逾期时间,也就是说,纵然我们设置了逾期时间,这里也要思量进去,逾期时间+缓冲,默认仿佛是7分钟,你可以直接配置为0 RequireExpirationTime = true, }; });
在Configure要领中添加 app.UseAuthentication() 和 app.UseAuthorization() 留意位置需要安排的位置:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { if (env.IsDevelopment()){app.UseDeveloperExceptionPage();} app.UseHttpsRedirection(); app.UseRouting(); app.UseAuthentication(); app.UseAuthorization(); app.UseEndpoints(endpoints =>{ endpoints.MapControllers();}); }
4. 生成jwt令牌,在默认生成的节制器 WeatherForecastController 中添加如下生成令牌的要领:
[HttpPost] public IActionResult Authenticate() { var jwtConfig = Configuration.GetSection("Jwt"); //秘钥,就是标头,这里用Hmacsha256算法,需要256bit的密钥 var securityKey = new SigningCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(jwtConfig.GetValue<string>("Secret"))), SecurityAlgorithms.HmacSha256); //Claim,JwtRegisteredClaimNames中预界说了许多几何种默认的参数名,也可以像下面的Guid一样本身界说键名. //ClaimTypes也预界说了许多几何范譬喻role、email、name。Role用于赋予权限,差异的脚色可以会见差异的接口 //相当于有效载荷 var claims = new Claim[] { new Claim(JwtRegisteredClaimNames.Iss,jwtConfig.GetValue<string>("Iss")), new Claim(JwtRegisteredClaimNames.Aud,jwtConfig.GetValue<string>("Aud")), new Claim("Guid",Guid.NewGuid().ToString("D")), new Claim(ClaimTypes.Role,"system"), new Claim(ClaimTypes.Role,"admin"), }; SecurityToken securityToken = new JwtSecurityToken( signingCredentials: securityKey, expires: DateTime.Now.AddMinutes(2),//逾期时间 claims: claims ); //生成jwt令牌 return Content(new JwtSecurityTokenHandler().WriteToken(securityToken)); }
5. 利用jwt节制接口的会见,我们在一个接口上添加一个特性 [Authorize(Roles ="admin")],暗示需要有admin这个脚色的jwt令牌才气会见,没有roles参数的话暗示只要是可用的令牌就可以会见,多个role脚色可以叠加多个特性:
[HttpGet] [Authorize(Roles = "admin")] [Authorize(Roles = "system")] public IEnumerable<WeatherForecast> Get() { var rng = new Random(); return Enumerable.Range(1, 5).Select(index => new WeatherForecast { Date = DateTime.Now.AddDays(index), TemperatureC = rng.Next(-20, 55), Summary = Summaries[rng.Next(Summaries.Length)] }) .ToArray(); }
6.测试,然后我们用postman就可以测试了,可以看到很是乐成有数据。
认证的时候可以添加事件,如下面的认证失败露件、吸收参数事件可以获取url上的参数作为令牌而不是通过http的请求头的Authorization。
services.AddAuthentication("Bearer") .AddJwtBearer(o => { o.Events = new JwtBearerEvents() { OnMessageReceived = context => { context.Token = context.Request.Query["access_token"]; return Task.CompletedTask; }, OnAuthenticationFailed = context => { // 假如逾期,则把<是否逾期>添加到,返转头信息中 if (context.Exception.GetType() == typeof(SecurityTokenExpiredException)) { context.Response.Headers.Add("Token-Expired", "true"); } return Task.CompletedTask; } }; });
总结