ASP.NET 核心 JWT 不记名令牌自定义验证
ASP.NET Core JWT Bearer Token Custom Validation
经过大量阅读,我找到了一种实现自定义 JWT 不记名令牌验证器的方法,如下所示。
Starup.cs:
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
ILoggerFactory loggerFactory, IApplicationLifetime appLifetime)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseStaticFiles();
app.UseIdentity();
ConfigureAuth(app);
app.UseMvcWithDefaultRoute();
}
private void ConfigureAuth(IApplicationBuilder app)
{
var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration.GetSection("TokenAuthentication:SecretKey").Value));
var tokenValidationParameters = new TokenValidationParameters
{
// The signing key must match!
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
// Validate the JWT Issuer (iss) claim
ValidateIssuer = true,
ValidIssuer = Configuration.GetSection("TokenAuthentication:Issuer").Value,
// Validate the JWT Audience (aud) claim
ValidateAudience = true,
ValidAudience = Configuration.GetSection("TokenAuthentication:Audience").Value,
// Validate the token expiry
ValidateLifetime = true,
// If you want to allow a certain amount of clock drift, set that here:
ClockSkew = TimeSpan.Zero
};
var jwtBearerOptions = new JwtBearerOptions();
jwtBearerOptions.AutomaticAuthenticate = true;
jwtBearerOptions.AutomaticChallenge = true;
jwtBearerOptions.TokenValidationParameters = tokenValidationParameters;
jwtBearerOptions.SecurityTokenValidators.Clear();
//below line adds the custom validator class
jwtBearerOptions.SecurityTokenValidators.Add(new CustomJwtSecurityTokenHandler());
app.UseJwtBearerAuthentication(jwtBearerOptions);
var tokenProviderOptions = new TokenProviderOptions
{
Path = Configuration.GetSection("TokenAuthentication:TokenPath").Value,
Audience = Configuration.GetSection("TokenAuthentication:Audience").Value,
Issuer = Configuration.GetSection("TokenAuthentication:Issuer").Value,
SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256)
};
app.UseMiddleware<TokenProviderMiddleware>(Options.Create(tokenProviderOptions));
}
自定义验证器class:
public class CustomJwtSecurityTokenHandler : ISecurityTokenValidator
{
private int _maxTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
private JwtSecurityTokenHandler _tokenHandler;
public CustomJwtSecurityTokenHandler()
{
_tokenHandler = new JwtSecurityTokenHandler();
}
public bool CanValidateToken
{
get
{
return true;
}
}
public int MaximumTokenSizeInBytes
{
get
{
return _maxTokenSizeInBytes;
}
set
{
_maxTokenSizeInBytes = value;
}
}
public bool CanReadToken(string securityToken)
{
return _tokenHandler.CanReadToken(securityToken);
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
//How to access HttpContext/IP address from here?
var principal = _tokenHandler.ValidateToken(securityToken, validationParameters, out validatedToken);
return principal;
}
}
如果令牌被盗,我想添加一个额外的安全层来验证请求是否来自生成令牌的同一客户端。
问题:
- 有什么方法可以在
CustomJwtSecurityTokenHandler class 中访问 HttpContext 以便我可以根据当前 client/requestor 添加自定义验证?
- 有没有其他方法可以验证请求者的真实性 method/middleware?
在ASP.NET核心中,HttpContext可以使用IHttpContextAccessor服务获取。使用 DI 将 IHttpContextAccessor 实例传递给您的处理程序并获取 IHttpContextAccessor.HttpContext 属性.
的值
IHttpContextAccessor服务默认是没有注册的,所以你首先需要在你的Startup.ConfigureServices方法中添加如下内容:
services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
然后修改你的CustomJwtSecurityTokenHandlerclass:
private readonly IHttpContextAccessor _httpContextAccessor;
public CustomJwtSecurityTokenHandler(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
_tokenHandler = new JwtSecurityTokenHandler();
}
...
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
var httpContext = _httpContextAccessor.HttpContext;
}
您还应该使用 DI 技术进行 JwtSecurityTokenHandler 实例化。如果您不熟悉所有这些内容,请查看 Dependency Injection 文档。
更新:如何手动解决依赖关系(更多信息)
修改 Configure 方法以使用 IServiceProvider serviceProvider:
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
ILoggerFactory loggerFactory, IApplicationLifetime appLifetime,
IServiceProvider serviceProvider)
{
...
var httpContextAccessor = serviceProvider.GetService<IHttpContextAccessor>();
// and extend ConfigureAuth
ConfigureAuth(app, httpContextAccessor);
...
}
对于自定义 JWT 验证器,我创建了一个继承到 IOAuthBearerAuthenticationProvider 的 JWTCosumerProvider class。并实现 ValidateIdentity() 方法来检查我首先存储客户端IP地址的身份Claim,然后与当前请求Id地址进行比较。
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var requestIPAddress = context.Ticket.Identity.FindFirst(ClaimTypes.Dns)?.Value;
if (requestIPAddress == null)
context.SetError("Token Invalid", "The IP Address not right");
string clientAddress = JWTHelper.GetClientIPAddress();
if (!requestIPAddress.Equals(clientAddress))
context.SetError("Token Invalid", "The IP Address not right");
return Task.FromResult<object>(null);
}
JWTHelper.GetClientIPAddress()
internal static string GetClientIPAddress()
{
System.Web.HttpContext context = System.Web.HttpContext.Current;
string ipAddress = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
if (!string.IsNullOrEmpty(ipAddress))
{
string[] addresses = ipAddress.Split(',');
if (addresses.Length != 0)
{
return addresses[0];
}
}
return context.Request.ServerVariables["REMOTE_ADDR"];
}
希望对您有所帮助!
只是为了补充另一个解决方案而不注入 ISecurityTokenValidator,可能就像
在您的 ISecurityTokenValidator 实现中(在本例中为 CustomJwtSecurityTokenHandler)
public class CustomJwtSecurityTokenHandler : ISecurityTokenValidator {
...
//Set IHttpContextAccessor as public property to set later in Starup class
public IHttpContextAccessor _httpContextAccessor { get; set; };
//Remove injection of httpContextAccessor;
public CustomJwtSecurityTokenHandler()
{
_tokenHandler = new JwtSecurityTokenHandler();
}
...
并在 Startup class 中将 属性“CustomJwtSecurityTokenHandler”配置为全局成员
public readonly CustomJwtSecurityTokenHandler customJwtSecurityTokenHandler = new()
在 Startup 的 ConfigureServices 方法中 class 添加全局自定义 JwtSecurityTokenHandler。
public void ConfigureServices(IServiceCollection services)
{
...
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(
o =>
{
...
//Add the global ISercurityTokenValidator implementation
o.SecurityTokenValidators.Add(this.customJwtSecurityTokenHandler );
}
);
...
}
然后在 Startup 的 Configure 方法中 class 将 IHttpContextAccessor 实例传递给全局 customJwtSecurityTokenHandler (ISecurityTokenValidator)属性
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
ILoggerFactory loggerFactory, IApplicationLifetime appLifetime,
IServiceProvider serviceProvider)
{
...
var httpContextAccessor = serviceProvider.GetService<IHttpContextAccessor>();
//And add to property, and not by constructor
customJwtSecurityTokenHandler.httpContextAccessor = httpContextAccessor;
...
}
在我的例子中,我已经在 ConfigureService 中配置了 SecurityTokenValidator,所以此时不存在任何 IServiceProvider 实例,然后在 Configure 方法中,您可以使用 IServiceProvider 来获取 IHttpContextAccessor
经过大量阅读,我找到了一种实现自定义 JWT 不记名令牌验证器的方法,如下所示。
Starup.cs:
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
ILoggerFactory loggerFactory, IApplicationLifetime appLifetime)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseStaticFiles();
app.UseIdentity();
ConfigureAuth(app);
app.UseMvcWithDefaultRoute();
}
private void ConfigureAuth(IApplicationBuilder app)
{
var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration.GetSection("TokenAuthentication:SecretKey").Value));
var tokenValidationParameters = new TokenValidationParameters
{
// The signing key must match!
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
// Validate the JWT Issuer (iss) claim
ValidateIssuer = true,
ValidIssuer = Configuration.GetSection("TokenAuthentication:Issuer").Value,
// Validate the JWT Audience (aud) claim
ValidateAudience = true,
ValidAudience = Configuration.GetSection("TokenAuthentication:Audience").Value,
// Validate the token expiry
ValidateLifetime = true,
// If you want to allow a certain amount of clock drift, set that here:
ClockSkew = TimeSpan.Zero
};
var jwtBearerOptions = new JwtBearerOptions();
jwtBearerOptions.AutomaticAuthenticate = true;
jwtBearerOptions.AutomaticChallenge = true;
jwtBearerOptions.TokenValidationParameters = tokenValidationParameters;
jwtBearerOptions.SecurityTokenValidators.Clear();
//below line adds the custom validator class
jwtBearerOptions.SecurityTokenValidators.Add(new CustomJwtSecurityTokenHandler());
app.UseJwtBearerAuthentication(jwtBearerOptions);
var tokenProviderOptions = new TokenProviderOptions
{
Path = Configuration.GetSection("TokenAuthentication:TokenPath").Value,
Audience = Configuration.GetSection("TokenAuthentication:Audience").Value,
Issuer = Configuration.GetSection("TokenAuthentication:Issuer").Value,
SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256)
};
app.UseMiddleware<TokenProviderMiddleware>(Options.Create(tokenProviderOptions));
}
自定义验证器class:
public class CustomJwtSecurityTokenHandler : ISecurityTokenValidator
{
private int _maxTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
private JwtSecurityTokenHandler _tokenHandler;
public CustomJwtSecurityTokenHandler()
{
_tokenHandler = new JwtSecurityTokenHandler();
}
public bool CanValidateToken
{
get
{
return true;
}
}
public int MaximumTokenSizeInBytes
{
get
{
return _maxTokenSizeInBytes;
}
set
{
_maxTokenSizeInBytes = value;
}
}
public bool CanReadToken(string securityToken)
{
return _tokenHandler.CanReadToken(securityToken);
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
//How to access HttpContext/IP address from here?
var principal = _tokenHandler.ValidateToken(securityToken, validationParameters, out validatedToken);
return principal;
}
}
如果令牌被盗,我想添加一个额外的安全层来验证请求是否来自生成令牌的同一客户端。
问题:
- 有什么方法可以在
CustomJwtSecurityTokenHandlerclass 中访问HttpContext以便我可以根据当前 client/requestor 添加自定义验证? - 有没有其他方法可以验证请求者的真实性 method/middleware?
在ASP.NET核心中,HttpContext可以使用IHttpContextAccessor服务获取。使用 DI 将 IHttpContextAccessor 实例传递给您的处理程序并获取 IHttpContextAccessor.HttpContext 属性.
IHttpContextAccessor服务默认是没有注册的,所以你首先需要在你的Startup.ConfigureServices方法中添加如下内容:
services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
然后修改你的CustomJwtSecurityTokenHandlerclass:
private readonly IHttpContextAccessor _httpContextAccessor;
public CustomJwtSecurityTokenHandler(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
_tokenHandler = new JwtSecurityTokenHandler();
}
...
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
var httpContext = _httpContextAccessor.HttpContext;
}
您还应该使用 DI 技术进行 JwtSecurityTokenHandler 实例化。如果您不熟悉所有这些内容,请查看 Dependency Injection 文档。
更新:如何手动解决依赖关系(更多信息
修改 Configure 方法以使用 IServiceProvider serviceProvider:
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
ILoggerFactory loggerFactory, IApplicationLifetime appLifetime,
IServiceProvider serviceProvider)
{
...
var httpContextAccessor = serviceProvider.GetService<IHttpContextAccessor>();
// and extend ConfigureAuth
ConfigureAuth(app, httpContextAccessor);
...
}
对于自定义 JWT 验证器,我创建了一个继承到 IOAuthBearerAuthenticationProvider 的 JWTCosumerProvider class。并实现 ValidateIdentity() 方法来检查我首先存储客户端IP地址的身份Claim,然后与当前请求Id地址进行比较。
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var requestIPAddress = context.Ticket.Identity.FindFirst(ClaimTypes.Dns)?.Value;
if (requestIPAddress == null)
context.SetError("Token Invalid", "The IP Address not right");
string clientAddress = JWTHelper.GetClientIPAddress();
if (!requestIPAddress.Equals(clientAddress))
context.SetError("Token Invalid", "The IP Address not right");
return Task.FromResult<object>(null);
}
JWTHelper.GetClientIPAddress()
internal static string GetClientIPAddress()
{
System.Web.HttpContext context = System.Web.HttpContext.Current;
string ipAddress = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
if (!string.IsNullOrEmpty(ipAddress))
{
string[] addresses = ipAddress.Split(',');
if (addresses.Length != 0)
{
return addresses[0];
}
}
return context.Request.ServerVariables["REMOTE_ADDR"];
}
希望对您有所帮助!
只是为了补充另一个解决方案而不注入 ISecurityTokenValidator,可能就像
在您的 ISecurityTokenValidator 实现中(在本例中为 CustomJwtSecurityTokenHandler)
public class CustomJwtSecurityTokenHandler : ISecurityTokenValidator {
...
//Set IHttpContextAccessor as public property to set later in Starup class
public IHttpContextAccessor _httpContextAccessor { get; set; };
//Remove injection of httpContextAccessor;
public CustomJwtSecurityTokenHandler()
{
_tokenHandler = new JwtSecurityTokenHandler();
}
...
并在 Startup class 中将 属性“CustomJwtSecurityTokenHandler”配置为全局成员
public readonly CustomJwtSecurityTokenHandler customJwtSecurityTokenHandler = new()
在 Startup 的 ConfigureServices 方法中 class 添加全局自定义 JwtSecurityTokenHandler。
public void ConfigureServices(IServiceCollection services)
{
...
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(
o =>
{
...
//Add the global ISercurityTokenValidator implementation
o.SecurityTokenValidators.Add(this.customJwtSecurityTokenHandler );
}
);
...
}
然后在 Startup 的 Configure 方法中 class 将 IHttpContextAccessor 实例传递给全局 customJwtSecurityTokenHandler (ISecurityTokenValidator)属性
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
ILoggerFactory loggerFactory, IApplicationLifetime appLifetime,
IServiceProvider serviceProvider)
{
...
var httpContextAccessor = serviceProvider.GetService<IHttpContextAccessor>();
//And add to property, and not by constructor
customJwtSecurityTokenHandler.httpContextAccessor = httpContextAccessor;
...
}
在我的例子中,我已经在 ConfigureService 中配置了 SecurityTokenValidator,所以此时不存在任何 IServiceProvider 实例,然后在 Configure 方法中,您可以使用 IServiceProvider 来获取 IHttpContextAccessor