ASP.NET 核心中基于令牌的身份验证(已更新)
Token Based Authentication in ASP.NET Core (refreshed)
我正在使用 ASP.NET 核心应用程序。我正在尝试实施基于令牌的身份验证,但不知道如何使用新的 Security System.
我的场景:
客户端请求令牌。我的服务器应该授权用户和 return access_token,客户端将在以下请求中使用它。
这里有两篇关于实现我所需要的内容的精彩文章:
问题是 - 我不清楚如何在 ASP.NET Core 中做同样的事情。
我的问题是: 如何配置 ASP.NET Core Web Api 应用程序以使用基于令牌的身份验证?我应该追求什么方向?你有没有写过关于最新版本的文章,或者知道我在哪里可以找到?
谢谢!
要实现您所描述的,您将需要一个 OAuth2/OpenID 连接授权服务器和一个中间件来验证您的 API 的访问令牌。
Katana 曾经提供 OAuthAuthorizationServerMiddleware,但在 ASP.NET Core 中不再存在。
我建议看一下 AspNet.Security.OpenIdConnect.Server,您提到的教程使用的 OAuth2 授权服务器中间件的实验分支:有一个 OWIN/Katana 3 版本,以及支持 net451(.NET 桌面)和 netstandard1.4(与 .NET Core 兼容)的 ASP.NET 核心版本。
https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server
不要错过 MVC 核心示例,该示例展示了如何使用 AspNet.Security.OpenIdConnect.Server 配置 OpenID Connect 授权服务器以及如何验证由服务器中间件:https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc/Mvc.Server/Startup.cs
您还可以阅读此博客 post,它解释了如何实现资源所有者密码授予,这是 OAuth2 等同于基本身份验证的方法:http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-implementing-the-resource-owner-password-credentials-grant/
Startup.cs
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication();
}
public void Configure(IApplicationBuilder app)
{
// Add a new middleware validating the encrypted
// access tokens issued by the OIDC server.
app.UseOAuthValidation();
// Add a new middleware issuing tokens.
app.UseOpenIdConnectServer(options =>
{
options.TokenEndpointPath = "/connect/token";
// Override OnValidateTokenRequest to skip client authentication.
options.Provider.OnValidateTokenRequest = context =>
{
// Reject the token requests that don't use
// grant_type=password or grant_type=refresh_token.
if (!context.Request.IsPasswordGrantType() &&
!context.Request.IsRefreshTokenGrantType())
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
description: "Only grant_type=password and refresh_token " +
"requests are accepted by this
return Task.FromResult(0);
}
// Since there's only one application and since it's a public client
// (i.e a client that cannot keep its credentials private),
// call Skip() to inform the server the request should be
// accepted without enforcing client authentication.
context.Skip();
return Task.FromResult(0);
};
// Override OnHandleTokenRequest to support
// grant_type=password token requests.
options.Provider.OnHandleTokenRequest = context =>
{
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType())
{
// Do your credentials validation here.
// Note: you can call Reject() with a message
// to indicate that authentication failed.
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]");
// By default, claims are not serialized
// in the access and identity tokens.
// Use the overload taking a "destinations"
// parameter to make sure your claims
// are correctly inserted in the appropriate tokens.
identity.AddClaim("urn:customclaim", "value",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
// Call SetScopes with the list of scopes you want to grant
// (specify offline_access to issue a refresh token).
ticket.SetScopes("profile", "offline_access");
context.Validate(ticket);
}
return Task.FromResult(0);
};
});
}
}
project.json
{
"dependencies": {
"AspNet.Security.OAuth.Validation": "1.0.0",
"AspNet.Security.OpenIdConnect.Server": "1.0.0"
}
}
祝你好运!
这实际上是 的副本,随着它受到更多关注,我倾向于保持更新。那里的评论可能对您也有用!
已针对 .Net Core 2 更新:
此答案的先前版本使用 RSA;如果您生成令牌的相同代码也在验证令牌,那真的没有必要。但是,如果您要分配责任,您可能仍想使用 Microsoft.IdentityModel.Tokens.RsaSecurityKey.
的实例来执行此操作
创建一些我们稍后会用到的常量;这是我所做的:
const string TokenAudience = "Myself";
const string TokenIssuer = "MyProject";
将此添加到您 Startup.cs 的 ConfigureServices。稍后我们将使用依赖注入来访问这些设置。我假设您的 authenticationConfiguration 是一个 ConfigurationSection 或 Configuration 对象,这样您就可以对调试和生产使用不同的配置。确保安全地存储您的密钥!它可以是任何字符串。
var keySecret = authenticationConfiguration["JwtSigningKey"];
var symmetricKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(keySecret));
services.AddTransient(_ => new JwtSignInHandler(symmetricKey));
services.AddAuthentication(options =>
{
// This causes the default authentication scheme to be JWT.
// Without this, the Authorization header is not checked and
// you'll get no results. However, this also means that if
// you're already using cookies in your app, they won't be
// checked by default.
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters.ValidateIssuerSigningKey = true;
options.TokenValidationParameters.IssuerSigningKey = symmetricKey;
options.TokenValidationParameters.ValidAudience = JwtSignInHandler.TokenAudience;
options.TokenValidationParameters.ValidIssuer = JwtSignInHandler.TokenIssuer;
});
我看到其他答案更改了其他设置,例如ClockSkew;默认设置使其适用于时钟不完全同步的分布式环境。这些是您唯一需要更改的设置。
设置身份验证。你应该在任何需要你的 User 信息的中间件之前有这一行,例如 app.UseMvc().
app.UseAuthentication();
请注意,这不会导致您的令牌与 SignInManager 或其他任何内容一起发出。您需要提供自己的 JWT 输出机制 - 见下文。
您可能想要指定一个 AuthorizationPolicy。这将允许您使用 [Authorize("Bearer")].
指定仅允许 Bearer 令牌作为身份验证的控制器和操作
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
.AddAuthenticationTypes(JwtBearerDefaults.AuthenticationType)
.RequireAuthenticatedUser().Build());
});
棘手的部分来了:构建令牌。
class JwtSignInHandler
{
public const string TokenAudience = "Myself";
public const string TokenIssuer = "MyProject";
private readonly SymmetricSecurityKey key;
public JwtSignInHandler(SymmetricSecurityKey symmetricKey)
{
this.key = symmetricKey;
}
public string BuildJwt(ClaimsPrincipal principal)
{
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(
issuer: TokenIssuer,
audience: TokenAudience,
claims: principal.Claims,
expires: DateTime.Now.AddMinutes(20),
signingCredentials: creds
);
return new JwtSecurityTokenHandler().WriteToken(token);
}
}
然后,在您想要令牌的控制器中,如下所示:
[HttpPost]
public string AnonymousSignIn([FromServices] JwtSignInHandler tokenFactory)
{
var principal = new System.Security.Claims.ClaimsPrincipal(new[]
{
new System.Security.Claims.ClaimsIdentity(new[]
{
new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Name, "Demo User")
})
});
return tokenFactory.BuildJwt(principal);
}
在这里,我假设你已经有了校长。如果您使用的是 Identity,则可以使用 IUserClaimsPrincipalFactory<> 将 User 转换为 ClaimsPrincipal。
测试一下:获取一个token,将其填入jwt.io处的表格中。我上面提供的说明还允许您使用配置中的秘密来验证签名!
如果您在 HTML 页面的部分视图中呈现此内容并结合 .Net 4.5 中的仅承载身份验证,您现在可以使用 ViewComponent做同样的事情。它与上面的 Controller Action 代码基本相同。
从 , I've created a fully working example of token-based authentication, working against ASP.NET Core (1.0.1). You can find the full code in this repository on GitHub (alternative branches for 1.0.0-rc1, beta8, beta7) 开始工作,但简而言之,重要的步骤是:
为您的应用程序生成密钥
在我的示例中,每次应用程序启动时我都会生成一个随机密钥,您需要生成一个并将其存储在某个地方并提供给您的应用程序。 See this file for how I'm generating a random key and how you might import it from a .json file. As suggested in the comments by @kspearrin, the Data Protection API 似乎是管理密钥 "correctly" 的理想人选,但我还没有想出这是否可行。如果你解决了,请提交拉取请求!
Startup.cs - 配置服务
在这里,我们需要为要签名的令牌加载一个私钥,我们还将使用它来验证所提供的令牌。我们将密钥存储在 class 级变量 key 中,我们将在下面的 Configure 方法中重复使用它。 TokenAuthOptions 是一个简单的 class,它包含我们在 TokenController 中创建密钥所需的签名身份、受众和发行者。
// Replace this with some sort of loading from config / file.
RSAParameters keyParams = RSAKeyUtils.GetRandomKey();
// Create the key, and a set of token options to record signing credentials
// using that key, along with the other parameters we will need in the
// token controlller.
key = new RsaSecurityKey(keyParams);
tokenOptions = new TokenAuthOptions()
{
Audience = TokenAudience,
Issuer = TokenIssuer,
SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.Sha256Digest)
};
// Save the token options into an instance so they're accessible to the
// controller.
services.AddSingleton<TokenAuthOptions>(tokenOptions);
// Enable the use of an [Authorize("Bearer")] attribute on methods and
// classes to protect.
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().Build());
});
我们还设置了授权策略,允许我们在我们希望保护的端点和 class 上使用 [Authorize("Bearer")]。
Startup.cs - 配置
这里,我们需要配置JwtBearerAuthentication:
app.UseJwtBearerAuthentication(new JwtBearerOptions {
TokenValidationParameters = new TokenValidationParameters {
IssuerSigningKey = key,
ValidAudience = tokenOptions.Audience,
ValidIssuer = tokenOptions.Issuer,
// When receiving a token, check that it is still valid.
ValidateLifetime = true,
// This defines the maximum allowable clock skew - i.e.
// provides a tolerance on the token expiry time
// when validating the lifetime. As we're creating the tokens
// locally and validating them on the same machines which
// should have synchronised time, this can be set to zero.
// Where external tokens are used, some leeway here could be
// useful.
ClockSkew = TimeSpan.FromMinutes(0)
}
});
TokenController
在令牌控制器中,您需要有一个方法来使用在 Startup.cs 中加载的密钥生成签名密钥。我们已经在 Startup 中注册了一个 TokenAuthOptions 实例,所以我们需要在 TokenController 的构造函数中注入它:
[Route("api/[controller]")]
public class TokenController : Controller
{
private readonly TokenAuthOptions tokenOptions;
public TokenController(TokenAuthOptions tokenOptions)
{
this.tokenOptions = tokenOptions;
}
...
然后您需要在处理程序中为登录端点生成令牌,在我的示例中,我使用用户名和密码并使用 if 语句验证它们,但您需要做的关键是创建或加载基于声明的身份并为其生成令牌:
public class AuthRequest
{
public string username { get; set; }
public string password { get; set; }
}
/// <summary>
/// Request a new token for a given username/password pair.
/// </summary>
/// <param name="req"></param>
/// <returns></returns>
[HttpPost]
public dynamic Post([FromBody] AuthRequest req)
{
// Obviously, at this point you need to validate the username and password against whatever system you wish.
if ((req.username == "TEST" && req.password == "TEST") || (req.username == "TEST2" && req.password == "TEST"))
{
DateTime? expires = DateTime.UtcNow.AddMinutes(2);
var token = GetToken(req.username, expires);
return new { authenticated = true, entityId = 1, token = token, tokenExpires = expires };
}
return new { authenticated = false };
}
private string GetToken(string user, DateTime? expires)
{
var handler = new JwtSecurityTokenHandler();
// Here, you should create or look up an identity for the user which is being authenticated.
// For now, just creating a simple generic identity.
ClaimsIdentity identity = new ClaimsIdentity(new GenericIdentity(user, "TokenAuth"), new[] { new Claim("EntityID", "1", ClaimValueTypes.Integer) });
var securityToken = handler.CreateToken(new Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor() {
Issuer = tokenOptions.Issuer,
Audience = tokenOptions.Audience,
SigningCredentials = tokenOptions.SigningCredentials,
Subject = identity,
Expires = expires
});
return handler.WriteToken(securityToken);
}
应该就是这样。只需将 [Authorize("Bearer")] 添加到您想要保护的任何方法或 class ,如果您尝试在没有令牌的情况下访问它,您应该会收到错误消息。如果你想 return 一个 401 而不是 500 错误,你需要注册一个自定义异常处理程序 as I have in my example here.
您可以使用 OpenIddict 提供令牌(登录),然后在访问 API/Controller 时使用 UseJwtBearerAuthentication 验证它们。
这基本上就是您在 Startup.cs:
中需要的所有配置
配置服务:
services.AddIdentity<ApplicationUser, ApplicationRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders()
// this line is added for OpenIddict to plug in
.AddOpenIddictCore<Application>(config => config.UseEntityFramework());
配置
app.UseOpenIddictCore(builder =>
{
// here you tell openiddict you're wanting to use jwt tokens
builder.Options.UseJwtTokens();
// NOTE: for dev consumption only! for live, this is not encouraged!
builder.Options.AllowInsecureHttp = true;
builder.Options.ApplicationCanDisplayErrors = true;
});
// use jwt bearer authentication to validate the tokens
app.UseJwtBearerAuthentication(options =>
{
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.RequireHttpsMetadata = false;
// must match the resource on your token request
options.Audience = "http://localhost:58292/";
options.Authority = "http://localhost:58292/";
});
还有一两件小事,比如你的 DbContext 需要派生自 OpenIddictContext<ApplicationUser, Application, ApplicationRole, string>。
您可以在我的博客 post 上看到完整的解释(包括正在运行的 github 存储库):
http://capesean.co.za/blog/asp-net-5-jwt-tokens/
您可以查看 OpenId 连接示例,其中说明了如何处理不同的身份验证机制,包括 JWT 令牌:
https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Samples
如果您查看 Cordova 后端项目,API 的配置如下所示:
app.UseWhen(context => context.Request.Path.StartsWithSegments(new PathString("/api")),
branch => {
branch.UseJwtBearerAuthentication(options => {
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.RequireHttpsMetadata = false;
options.Audience = "localhost:54540";
options.Authority = "localhost:54540";
});
});
/Providers/AuthorizationProvider.cs 中的逻辑和该项目的 RessourceController 也值得一看 ;)。
此外,我已经使用 Aurelia 前端框架和 ASP.NET 内核实现了一个基于令牌的身份验证实现的单页应用程序。还有一个信号R持久连接。但是我没有做过任何数据库实现。
代码可以在这里看到:
https://github.com/alexandre-spieser/AureliaAspNetCoreAuth
希望这对您有所帮助,
最佳,
亚历克斯
我正在使用 ASP.NET 核心应用程序。我正在尝试实施基于令牌的身份验证,但不知道如何使用新的 Security System.
我的场景: 客户端请求令牌。我的服务器应该授权用户和 return access_token,客户端将在以下请求中使用它。
这里有两篇关于实现我所需要的内容的精彩文章:
问题是 - 我不清楚如何在 ASP.NET Core 中做同样的事情。
我的问题是: 如何配置 ASP.NET Core Web Api 应用程序以使用基于令牌的身份验证?我应该追求什么方向?你有没有写过关于最新版本的文章,或者知道我在哪里可以找到?
谢谢!
要实现您所描述的,您将需要一个 OAuth2/OpenID 连接授权服务器和一个中间件来验证您的 API 的访问令牌。
Katana 曾经提供 OAuthAuthorizationServerMiddleware,但在 ASP.NET Core 中不再存在。
我建议看一下 AspNet.Security.OpenIdConnect.Server,您提到的教程使用的 OAuth2 授权服务器中间件的实验分支:有一个 OWIN/Katana 3 版本,以及支持 net451(.NET 桌面)和 netstandard1.4(与 .NET Core 兼容)的 ASP.NET 核心版本。
https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server
不要错过 MVC 核心示例,该示例展示了如何使用 AspNet.Security.OpenIdConnect.Server 配置 OpenID Connect 授权服务器以及如何验证由服务器中间件:https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc/Mvc.Server/Startup.cs
您还可以阅读此博客 post,它解释了如何实现资源所有者密码授予,这是 OAuth2 等同于基本身份验证的方法:http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-implementing-the-resource-owner-password-credentials-grant/
Startup.cs
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication();
}
public void Configure(IApplicationBuilder app)
{
// Add a new middleware validating the encrypted
// access tokens issued by the OIDC server.
app.UseOAuthValidation();
// Add a new middleware issuing tokens.
app.UseOpenIdConnectServer(options =>
{
options.TokenEndpointPath = "/connect/token";
// Override OnValidateTokenRequest to skip client authentication.
options.Provider.OnValidateTokenRequest = context =>
{
// Reject the token requests that don't use
// grant_type=password or grant_type=refresh_token.
if (!context.Request.IsPasswordGrantType() &&
!context.Request.IsRefreshTokenGrantType())
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
description: "Only grant_type=password and refresh_token " +
"requests are accepted by this
return Task.FromResult(0);
}
// Since there's only one application and since it's a public client
// (i.e a client that cannot keep its credentials private),
// call Skip() to inform the server the request should be
// accepted without enforcing client authentication.
context.Skip();
return Task.FromResult(0);
};
// Override OnHandleTokenRequest to support
// grant_type=password token requests.
options.Provider.OnHandleTokenRequest = context =>
{
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType())
{
// Do your credentials validation here.
// Note: you can call Reject() with a message
// to indicate that authentication failed.
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]");
// By default, claims are not serialized
// in the access and identity tokens.
// Use the overload taking a "destinations"
// parameter to make sure your claims
// are correctly inserted in the appropriate tokens.
identity.AddClaim("urn:customclaim", "value",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
// Call SetScopes with the list of scopes you want to grant
// (specify offline_access to issue a refresh token).
ticket.SetScopes("profile", "offline_access");
context.Validate(ticket);
}
return Task.FromResult(0);
};
});
}
}
project.json
{
"dependencies": {
"AspNet.Security.OAuth.Validation": "1.0.0",
"AspNet.Security.OpenIdConnect.Server": "1.0.0"
}
}
祝你好运!
这实际上是
已针对 .Net Core 2 更新:
此答案的先前版本使用 RSA;如果您生成令牌的相同代码也在验证令牌,那真的没有必要。但是,如果您要分配责任,您可能仍想使用 Microsoft.IdentityModel.Tokens.RsaSecurityKey.
创建一些我们稍后会用到的常量;这是我所做的:
const string TokenAudience = "Myself"; const string TokenIssuer = "MyProject";将此添加到您 Startup.cs 的
ConfigureServices。稍后我们将使用依赖注入来访问这些设置。我假设您的authenticationConfiguration是一个ConfigurationSection或Configuration对象,这样您就可以对调试和生产使用不同的配置。确保安全地存储您的密钥!它可以是任何字符串。var keySecret = authenticationConfiguration["JwtSigningKey"]; var symmetricKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(keySecret)); services.AddTransient(_ => new JwtSignInHandler(symmetricKey)); services.AddAuthentication(options => { // This causes the default authentication scheme to be JWT. // Without this, the Authorization header is not checked and // you'll get no results. However, this also means that if // you're already using cookies in your app, they won't be // checked by default. options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(options => { options.TokenValidationParameters.ValidateIssuerSigningKey = true; options.TokenValidationParameters.IssuerSigningKey = symmetricKey; options.TokenValidationParameters.ValidAudience = JwtSignInHandler.TokenAudience; options.TokenValidationParameters.ValidIssuer = JwtSignInHandler.TokenIssuer; });我看到其他答案更改了其他设置,例如
ClockSkew;默认设置使其适用于时钟不完全同步的分布式环境。这些是您唯一需要更改的设置。设置身份验证。你应该在任何需要你的
User信息的中间件之前有这一行,例如app.UseMvc().app.UseAuthentication();请注意,这不会导致您的令牌与
SignInManager或其他任何内容一起发出。您需要提供自己的 JWT 输出机制 - 见下文。您可能想要指定一个
指定仅允许 Bearer 令牌作为身份验证的控制器和操作AuthorizationPolicy。这将允许您使用[Authorize("Bearer")].services.AddAuthorization(auth => { auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder() .AddAuthenticationTypes(JwtBearerDefaults.AuthenticationType) .RequireAuthenticatedUser().Build()); });棘手的部分来了:构建令牌。
class JwtSignInHandler { public const string TokenAudience = "Myself"; public const string TokenIssuer = "MyProject"; private readonly SymmetricSecurityKey key; public JwtSignInHandler(SymmetricSecurityKey symmetricKey) { this.key = symmetricKey; } public string BuildJwt(ClaimsPrincipal principal) { var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256); var token = new JwtSecurityToken( issuer: TokenIssuer, audience: TokenAudience, claims: principal.Claims, expires: DateTime.Now.AddMinutes(20), signingCredentials: creds ); return new JwtSecurityTokenHandler().WriteToken(token); } }然后,在您想要令牌的控制器中,如下所示:
[HttpPost] public string AnonymousSignIn([FromServices] JwtSignInHandler tokenFactory) { var principal = new System.Security.Claims.ClaimsPrincipal(new[] { new System.Security.Claims.ClaimsIdentity(new[] { new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Name, "Demo User") }) }); return tokenFactory.BuildJwt(principal); }在这里,我假设你已经有了校长。如果您使用的是 Identity,则可以使用
IUserClaimsPrincipalFactory<>将User转换为ClaimsPrincipal。测试一下:获取一个token,将其填入jwt.io处的表格中。我上面提供的说明还允许您使用配置中的秘密来验证签名!
如果您在 HTML 页面的部分视图中呈现此内容并结合 .Net 4.5 中的仅承载身份验证,您现在可以使用
ViewComponent做同样的事情。它与上面的 Controller Action 代码基本相同。
从
为您的应用程序生成密钥
在我的示例中,每次应用程序启动时我都会生成一个随机密钥,您需要生成一个并将其存储在某个地方并提供给您的应用程序。 See this file for how I'm generating a random key and how you might import it from a .json file. As suggested in the comments by @kspearrin, the Data Protection API 似乎是管理密钥 "correctly" 的理想人选,但我还没有想出这是否可行。如果你解决了,请提交拉取请求!
Startup.cs - 配置服务
在这里,我们需要为要签名的令牌加载一个私钥,我们还将使用它来验证所提供的令牌。我们将密钥存储在 class 级变量 key 中,我们将在下面的 Configure 方法中重复使用它。 TokenAuthOptions 是一个简单的 class,它包含我们在 TokenController 中创建密钥所需的签名身份、受众和发行者。
// Replace this with some sort of loading from config / file.
RSAParameters keyParams = RSAKeyUtils.GetRandomKey();
// Create the key, and a set of token options to record signing credentials
// using that key, along with the other parameters we will need in the
// token controlller.
key = new RsaSecurityKey(keyParams);
tokenOptions = new TokenAuthOptions()
{
Audience = TokenAudience,
Issuer = TokenIssuer,
SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.Sha256Digest)
};
// Save the token options into an instance so they're accessible to the
// controller.
services.AddSingleton<TokenAuthOptions>(tokenOptions);
// Enable the use of an [Authorize("Bearer")] attribute on methods and
// classes to protect.
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().Build());
});
我们还设置了授权策略,允许我们在我们希望保护的端点和 class 上使用 [Authorize("Bearer")]。
Startup.cs - 配置
这里,我们需要配置JwtBearerAuthentication:
app.UseJwtBearerAuthentication(new JwtBearerOptions {
TokenValidationParameters = new TokenValidationParameters {
IssuerSigningKey = key,
ValidAudience = tokenOptions.Audience,
ValidIssuer = tokenOptions.Issuer,
// When receiving a token, check that it is still valid.
ValidateLifetime = true,
// This defines the maximum allowable clock skew - i.e.
// provides a tolerance on the token expiry time
// when validating the lifetime. As we're creating the tokens
// locally and validating them on the same machines which
// should have synchronised time, this can be set to zero.
// Where external tokens are used, some leeway here could be
// useful.
ClockSkew = TimeSpan.FromMinutes(0)
}
});
TokenController
在令牌控制器中,您需要有一个方法来使用在 Startup.cs 中加载的密钥生成签名密钥。我们已经在 Startup 中注册了一个 TokenAuthOptions 实例,所以我们需要在 TokenController 的构造函数中注入它:
[Route("api/[controller]")]
public class TokenController : Controller
{
private readonly TokenAuthOptions tokenOptions;
public TokenController(TokenAuthOptions tokenOptions)
{
this.tokenOptions = tokenOptions;
}
...
然后您需要在处理程序中为登录端点生成令牌,在我的示例中,我使用用户名和密码并使用 if 语句验证它们,但您需要做的关键是创建或加载基于声明的身份并为其生成令牌:
public class AuthRequest
{
public string username { get; set; }
public string password { get; set; }
}
/// <summary>
/// Request a new token for a given username/password pair.
/// </summary>
/// <param name="req"></param>
/// <returns></returns>
[HttpPost]
public dynamic Post([FromBody] AuthRequest req)
{
// Obviously, at this point you need to validate the username and password against whatever system you wish.
if ((req.username == "TEST" && req.password == "TEST") || (req.username == "TEST2" && req.password == "TEST"))
{
DateTime? expires = DateTime.UtcNow.AddMinutes(2);
var token = GetToken(req.username, expires);
return new { authenticated = true, entityId = 1, token = token, tokenExpires = expires };
}
return new { authenticated = false };
}
private string GetToken(string user, DateTime? expires)
{
var handler = new JwtSecurityTokenHandler();
// Here, you should create or look up an identity for the user which is being authenticated.
// For now, just creating a simple generic identity.
ClaimsIdentity identity = new ClaimsIdentity(new GenericIdentity(user, "TokenAuth"), new[] { new Claim("EntityID", "1", ClaimValueTypes.Integer) });
var securityToken = handler.CreateToken(new Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor() {
Issuer = tokenOptions.Issuer,
Audience = tokenOptions.Audience,
SigningCredentials = tokenOptions.SigningCredentials,
Subject = identity,
Expires = expires
});
return handler.WriteToken(securityToken);
}
应该就是这样。只需将 [Authorize("Bearer")] 添加到您想要保护的任何方法或 class ,如果您尝试在没有令牌的情况下访问它,您应该会收到错误消息。如果你想 return 一个 401 而不是 500 错误,你需要注册一个自定义异常处理程序 as I have in my example here.
您可以使用 OpenIddict 提供令牌(登录),然后在访问 API/Controller 时使用 UseJwtBearerAuthentication 验证它们。
这基本上就是您在 Startup.cs:
配置服务:
services.AddIdentity<ApplicationUser, ApplicationRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders()
// this line is added for OpenIddict to plug in
.AddOpenIddictCore<Application>(config => config.UseEntityFramework());
配置
app.UseOpenIddictCore(builder =>
{
// here you tell openiddict you're wanting to use jwt tokens
builder.Options.UseJwtTokens();
// NOTE: for dev consumption only! for live, this is not encouraged!
builder.Options.AllowInsecureHttp = true;
builder.Options.ApplicationCanDisplayErrors = true;
});
// use jwt bearer authentication to validate the tokens
app.UseJwtBearerAuthentication(options =>
{
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.RequireHttpsMetadata = false;
// must match the resource on your token request
options.Audience = "http://localhost:58292/";
options.Authority = "http://localhost:58292/";
});
还有一两件小事,比如你的 DbContext 需要派生自 OpenIddictContext<ApplicationUser, Application, ApplicationRole, string>。
您可以在我的博客 post 上看到完整的解释(包括正在运行的 github 存储库): http://capesean.co.za/blog/asp-net-5-jwt-tokens/
您可以查看 OpenId 连接示例,其中说明了如何处理不同的身份验证机制,包括 JWT 令牌:
https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Samples
如果您查看 Cordova 后端项目,API 的配置如下所示:
app.UseWhen(context => context.Request.Path.StartsWithSegments(new PathString("/api")),
branch => {
branch.UseJwtBearerAuthentication(options => {
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.RequireHttpsMetadata = false;
options.Audience = "localhost:54540";
options.Authority = "localhost:54540";
});
});
/Providers/AuthorizationProvider.cs 中的逻辑和该项目的 RessourceController 也值得一看 ;)。
此外,我已经使用 Aurelia 前端框架和 ASP.NET 内核实现了一个基于令牌的身份验证实现的单页应用程序。还有一个信号R持久连接。但是我没有做过任何数据库实现。 代码可以在这里看到: https://github.com/alexandre-spieser/AureliaAspNetCoreAuth
希望这对您有所帮助,
最佳,
亚历克斯