这块儿当时在IdentityServer4和JWT之间犹豫了一下,后来考虑到现状,出于3个原因,暂时放弃了IdentityServer4选择了JWT:
(1)目前这个前端框架更适配JWT;
(2)前后端分离的项目,如果上IdentityServer4,还要折腾点儿工作,比如前端配置、多余的回调等;
(3)跨度太大,团队、系统、历史数据接入都是问题,解决是可以解决,但时间有限,留待后续吧;
当然,只是暂时放弃,理想中的最佳实践还是IdentityServer4做统一鉴权的。
2、JWT认证实现
(1)Common项目下定义JWTConfig配置对象
(2)系统配置文件中增加JWT参数配置
此处配置与(1)中的配置对象是对应的。
(3)JWT处理程序及相关服务注册
1 services.Configure<JWTConfig>(Configuration.GetSection("JWT")); 2 var jwtConfig = Configuration.GetSection("JWT").Get<JWTConfig>(); 3 services.AddAuthentication(options => 4 { 5 options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; 6 options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; 7 }) 8 .AddJwtBearer(options => 9 { 10 options.TokenValidationParameters = new TokenValidationParameters 11 { 12 ValidateIssuer = true, 13 ValidIssuer = jwtConfig.Issuer, 14 ValidateIssuerSigningKey = true, 15 IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtConfig.SymmetricSecurityKey)), 16 ValidateAudience = false, 17 ValidateLifetime = true, 18 ClockSkew = TimeSpan.FromMinutes(5) 19 }; 20 options.Events = new JwtBearerEvents 21 { 22 OnTokenValidated = context => 23 { 24 var userContext = context.HttpContext.RequestServices.GetService<UserContext>(); 25 var claims = context.Principal.Claims; 26 userContext.ID = long.Parse(claims.First(x => x.Type == JwtRegisteredClaimNames.Sub).Value); 27 userContext.Account = claims.First(x => x.Type == ClaimTypes.NameIdentifier).Value; 28 userContext.Name = claims.First(x => x.Type == ClaimTypes.Name).Value; 29 userContext.Email = claims.First(x => x.Type == JwtRegisteredClaimNames.Email).Value; 30 userContext.RoleId = claims.First(x => x.Type == ClaimTypes.Role).Value; 31 32 return Task.CompletedTask; 33 } 34 }; 35 }); 36 JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();