JWT Authorization and Refresh token in .NET 5 Web API
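I have created a JWT authorization/authentication service in a .NET 5 Web API project with an Angular 11 front end, and one problem I ran into is the refresh token functionality. When I send the refresh token request, I am using the ValidateToken function in the JwtSecurityTokenHandler class provided by Microsoft, and it throws an exception if the token has already expired. So my question is: should I send the refresh token request before it expires? If not, how can I disable the token expiration check in the ValidateToken function, or should I write my own version of that function?
You can easily disable the token expiration check. Just create a new TokenValidationParameters and set ValidateLifetime to false. Like this: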
    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using Microsoft.IdentityModel.Tokens;

    public ClaimsPrincipal GetPrincipalFromExpiredToken(string jwtToken)
    {
        // Signature, issuer and audience are still validated; only the lifetime check is skipped.
        var tokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = true,
            ValidAudience = configuration["security:audience"],
            ValidIssuer = configuration["security:issuer"],
            ValidateIssuer = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = GetIssuerSigningKey(),
            ValidateLifetime = false // here we are saying that we don't care about the token's expiration date
        };

        var tokenHandler = new JwtSecurityTokenHandler();
        var principal = tokenHandler.ValidateToken(jwtToken, tokenValidationParameters, out SecurityToken securityToken);

        // Reject anything that is not a JWT signed with the expected algorithm (HMAC-SHA256).
        var jwtSecurityToken = securityToken as JwtSecurityToken;
        if (jwtSecurityToken == null || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
            throw new SecurityTokenException("Invalid token");

        return principal;
    }
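With ValidateLifetime set to false, the principal returned above only proves that the token was once issued by this server, so the refresh endpoint still has to check the refresh token itself. The following is an added example, not part of the original answer: `RefreshTokenStore`, `Issue` and `Rotate` are hypothetical names, the store is in-memory for illustration, and it assumes the user id is carried in the `ClaimTypes.NameIdentifier` claim.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory store; a real service would persist these records.
public sealed class RefreshTokenStore
{
    private sealed record Entry(string UserId, DateTime ExpiresUtc);

    private readonly ConcurrentDictionary<string, Entry> _entries = new();

    // Only a SHA-256 hash of the refresh token is kept server-side.
    private static string Hash(string token) =>
        Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Creates a random refresh token bound to one user and one expiry time.
    public string Issue(string userId, TimeSpan lifetime)
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        var token = Convert.ToBase64String(bytes);
        _entries[Hash(token)] = new Entry(userId, DateTime.UtcNow.Add(lifetime));
        return token;
    }

    // principal comes from GetPrincipalFromExpiredToken: signature, issuer and
    // audience were checked, lifetime was not, so the refresh token decides.
    public string Rotate(ClaimsPrincipal principal, string refreshToken, TimeSpan lifetime)
    {
        // Assumption: the user id is in the NameIdentifier claim.
        var userId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value
            ?? throw new UnauthorizedAccessException("Token has no user id");

        // TryRemove makes the token single-use, even under concurrent requests;
        // a presented token is consumed whether or not the other checks pass.
        if (!_entries.TryRemove(Hash(refreshToken), out var entry)
            || entry.ExpiresUtc <= DateTime.UtcNow
            || entry.UserId != userId)
            throw new UnauthorizedAccessException("Invalid refresh token");

        return Issue(userId, lifetime);
    }
}
```

A new access token should be issued only after `Rotate` returns; the expired JWT supplies the identity, and the stored refresh token supplies the authorization.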