使用扩展的 MVC Core Identity 用户实现自定义声明
Implementing custom claim with extended MVC Core Identity user
如何在 MVC Core 2.0(使用 AspNetCore.identity)中创建自定义授权声明来验证自定义用户布尔值 属性?我扩展了 IdentityUser (ApplicationUser) 以包含一个布尔值 "IsDeveloper"。我正在使用基于声明的身份验证并想添加自定义声明,但不确定从哪里开始。我如何创建一个自定义声明将:
- 查找当前(自定义)Core.Identity 用户。
- 评估自定义身份用户 bool 值?
我理解核心身份声明 MSDN: Claims Based Authentication,但对自定义声明不熟悉,所以我不确定从哪里开始。我找到的在线文档不起作用或不适合我的情况。
因此,您需要在某处创建自定义声明,然后通过自定义策略或手动检查它。
1) 添加自定义声明
JwtBearer 认证
你可以这样做:
在 returns jwt-token 的控制器操作中,您可以添加 custom claim:
[HttpGet]
public dynamic GetToken(string login, string password)
{
var handler = new JwtSecurityTokenHandler();
var sec = "12312313212312313213213123123132123123132132132131231313212313232131231231313212313213132123131321313213213131231231213213131311";
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(sec));
var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
var user = GetUserFromDb(login);
var identity = new ClaimsIdentity(new GenericIdentity(user.Email), new[] { new Claim("user_id", user.Id) });
if (user.IsDeveloper)
identity.AddClaim(new Claim("IsDeveloper", "true"));
var token = handler.CreateJwtSecurityToken(subject: identity,
signingCredentials: signingCredentials,
audience: "ExampleAudience",
issuer: "ExampleIssuer",
expires: DateTime.UtcNow.AddSeconds(100));
return handler.WriteToken(token);
}
ASP.NET核心身份认证
您需要实施自定义 IUserClaimsPrincipalFactory 或使用 UserClaimsPrincipalFactory 作为基础 class:
public class ApplicationClaimsIdentityFactory: Microsoft.AspNetCore.Identity.UserClaimsPrincipalFactory <ApplicationUser>
{
UserManager<ApplicationUser> _userManager;
public ApplicationClaimsIdentityFactory(UserManager<ApplicationUser> userManager,
IOptions<IdentityOptions> optionsAccessor):base(userManager, optionsAccessor)
{}
public async override Task<ClaimsPrincipal> CreateAsync(ApplicationUser user)
{
var principal = await base.CreateAsync(user);
if (user.IsDeveloper)
{
((ClaimsIdentity)principal.Identity).AddClaims(new[] {
new Claim("IsDeveloper", "true")
});
}
return principal;
}
}
那么你需要在Startup.ConfigureServices中注册:
services.AddScoped<IUserClaimsPrincipalFactory<ApplicationUser>, ApplicationClaimsIdentityFactory>();
2) 检查声明
自定义策略
在Startup.ConfigureServices中:
services.AddAuthorization(options =>
{
options.AddPolicy("Developer", policy =>
policy.RequireClaim("IsDeveloper", "true"));
});
并为开发者保护您的行为:
[Authorize(Policy = "Developer"), HttpGet]
public string DeveloperSecret()
{
return "Hello Developer"
}
手动检查声明
控制器中的某处:
bool isDeveloper = User.Claims.Any(c => c.Type == "IsDeveloper" && c.Value == "true")
如果您使用其他身份验证,想法应该相同。
如何在 MVC Core 2.0(使用 AspNetCore.identity)中创建自定义授权声明来验证自定义用户布尔值 属性?我扩展了 IdentityUser (ApplicationUser) 以包含一个布尔值 "IsDeveloper"。我正在使用基于声明的身份验证并想添加自定义声明,但不确定从哪里开始。我如何创建一个自定义声明将:
- 查找当前(自定义)Core.Identity 用户。
- 评估自定义身份用户 bool 值?
我理解核心身份声明 MSDN: Claims Based Authentication,但对自定义声明不熟悉,所以我不确定从哪里开始。我找到的在线文档不起作用或不适合我的情况。
因此,您需要在某处创建自定义声明,然后通过自定义策略或手动检查它。
1) 添加自定义声明
JwtBearer 认证
你可以这样做:
在 returns jwt-token 的控制器操作中,您可以添加 custom claim:
[HttpGet]
public dynamic GetToken(string login, string password)
{
var handler = new JwtSecurityTokenHandler();
var sec = "12312313212312313213213123123132123123132132132131231313212313232131231231313212313213132123131321313213213131231231213213131311";
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(sec));
var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
var user = GetUserFromDb(login);
var identity = new ClaimsIdentity(new GenericIdentity(user.Email), new[] { new Claim("user_id", user.Id) });
if (user.IsDeveloper)
identity.AddClaim(new Claim("IsDeveloper", "true"));
var token = handler.CreateJwtSecurityToken(subject: identity,
signingCredentials: signingCredentials,
audience: "ExampleAudience",
issuer: "ExampleIssuer",
expires: DateTime.UtcNow.AddSeconds(100));
return handler.WriteToken(token);
}
ASP.NET核心身份认证
您需要实施自定义 IUserClaimsPrincipalFactory 或使用 UserClaimsPrincipalFactory 作为基础 class:
public class ApplicationClaimsIdentityFactory: Microsoft.AspNetCore.Identity.UserClaimsPrincipalFactory <ApplicationUser>
{
UserManager<ApplicationUser> _userManager;
public ApplicationClaimsIdentityFactory(UserManager<ApplicationUser> userManager,
IOptions<IdentityOptions> optionsAccessor):base(userManager, optionsAccessor)
{}
public async override Task<ClaimsPrincipal> CreateAsync(ApplicationUser user)
{
var principal = await base.CreateAsync(user);
if (user.IsDeveloper)
{
((ClaimsIdentity)principal.Identity).AddClaims(new[] {
new Claim("IsDeveloper", "true")
});
}
return principal;
}
}
那么你需要在Startup.ConfigureServices中注册:
services.AddScoped<IUserClaimsPrincipalFactory<ApplicationUser>, ApplicationClaimsIdentityFactory>();
2) 检查声明
自定义策略
在Startup.ConfigureServices中:
services.AddAuthorization(options =>
{
options.AddPolicy("Developer", policy =>
policy.RequireClaim("IsDeveloper", "true"));
});
并为开发者保护您的行为:
[Authorize(Policy = "Developer"), HttpGet]
public string DeveloperSecret()
{
return "Hello Developer"
}
手动检查声明
控制器中的某处:
bool isDeveloper = User.Claims.Any(c => c.Type == "IsDeveloper" && c.Value == "true")
如果您使用其他身份验证,想法应该相同。