【Posted】: 2018-07-29 18:15:12
【Problem description】:
I'm really confused about generating an access token and then using it. Should access token generation go in the controller or in middleware? I'd appreciate it if someone could explain this to me.
【Question discussion】:
Tags: .net-core jwt access-token asp.net-core-webapi
Here is an example that may help you, or at least give you a hint on how to work through the concepts in depth. It is not very secure though; please read up on the Identity framework, which is the recommended approach.
You can keep the access token dynamic (look up a record in the database and match it against the value sent by the requester) or hard-code some in the middleware's Web.Config file.
For example (taking the DB approach to the access token):
DB table definition:
    Create table Tokens(
        id int identity(1,1) primary key,
        userId int,
        TokenValue varchar(max),
        IsActive bit
    )
Custom models:
    public class Error
    {
        public string ErrMsg {get; set;}
    }
    public class ReturnData
    {
        public Error ErrorObj {get; set;}
        public string UserName {get; set;}
        public string AccessToken {get; set;}
    }
    public class User
    {
        public int UserId {get; set;}
        public string UserName {get; set;}
        public string Password {get; set;}
    }
In the API controller:
    public ReturnData GetData(User Creds)
    {
        ReturnData Data = new ReturnData();
        string Pass = Decrypt(Creds.Password); // Decrypt/Encrypt are the poster's own helpers, not shown
        // Look up this user's row in the Tokens table and update IsActive from 0 to 1
        // (0 = false, 1 = true); i is the number of rows updated and DbTokenValue the
        // stored token. ActivateToken is a hypothetical name for that data-access code.
        int i = ActivateToken(Creds.UserId, Pass, out string DbTokenValue);
        if(i > 0)
        {
            Data.AccessToken = Encrypt(DbTokenValue);
            Data.UserName = Creds.UserName;
        }
        else
        {
            Error err = new Error();
            err.ErrMsg = "something happened";
            Data.ErrorObj = err;
        }
        return Data;
    }
Then use this token for the rest of the API: compare it against the token from the DB to make sure it is the same user, and only then grant permission to perform the operation.
Good luck.
【Discussion】:
First of all, generating access tokens, refresh tokens and so on should be done in a real authorization server. For more information see http://authguidance.com
That said, I too generate JWT tokens in my application... Here is what I did in .NET Core 2.0.
In startup.cs:
    var securityKey = "asdasdasdasdasdasddsda123123132123123"; // your own key
    var key = Encoding.UTF8.GetBytes(securityKey);
    var signingKey = new SymmetricSecurityKey(key);
    var tokenValidationParameters = new TokenValidationParameters()
    {
        ValidAudiences = new string[]
        {
            tokenSetting.Audience
        },
        ValidIssuers = new string[]
        {
            tokenSetting.Issuer
        },
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey,
        ClockSkew = TimeSpan.Zero
    };
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                context.Response.Headers.Add("x-tokenstatus-header", "fail"); // may be not necessary for you
                return Task.CompletedTask;
            }
        };
        options.Audience = tokenSetting.Audience;
        options.RequireHttpsMetadata = tokenSetting.RequireHttpsMetadata;
        options.TokenValidationParameters = tokenValidationParameters;
    });
In
    app.UseTokenProvider(); // This is my own middleware
    app.UseAuthentication();
    app.UseMvc();
    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Text;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.IdentityModel.Tokens;

    // The post shows only Invoke and IsAuthenticationRequest; the class shell, fields and
    // constructor below are added so the snippet compiles. TokenSettings is an assumed name
    // for the type behind tokenSetting/_tokenSettings.
    public class TokenProviderMiddleware
    {
        private readonly RequestDelegate _next;
        private readonly TokenSettings _tokenSettings;

        public TokenProviderMiddleware(RequestDelegate next, TokenSettings tokenSettings)
        {
            _next = next;
            _tokenSettings = tokenSettings;
        }

        public Task Invoke(HttpContext context, IUserService userService)
        {
            if (!IsAuthenticationRequest(context.Request.Path, context.Request.Method)) {
                return this._next(context);
            }
            var securityKey = "asdasdasdasdasdasddsda123123132123123"; // your own key
            var key = Encoding.UTF8.GetBytes(securityKey);
            var signingKey = new SymmetricSecurityKey(key);
            var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
            // listClaims: the claims for the user checked via userService (how they are built is not shown in the post)
            var listClaims = new List<Claim>();
            var claimsIdentity = new ClaimsIdentity(listClaims, "Custom");
            var securityTokenDescriptor = new SecurityTokenDescriptor()
            {
                Audience = this._tokenSettings.Audience,
                Issuer = this._tokenSettings.Issuer,
                Subject = claimsIdentity,
                SigningCredentials = signingCredentials,
                Expires = DateTime.UtcNow.AddMinutes(20),
            };
            var tokenHandler = new JwtSecurityTokenHandler();
            var plainToken = tokenHandler.CreateToken(securityTokenDescriptor);
            var signedAndEncodedToken = tokenHandler.WriteToken(plainToken);
            // signedAndEncodedToken => contains your token; you can send it as the response or do anything you want with it
            return context.Response.WriteAsync(signedAndEncodedToken); // Invoke must return a Task on this path too
        }

        private bool IsAuthenticationRequest(string path, string method) {
            if (HttpMethods.IsPost(method) && path?.IndexOf("/api/login", StringComparison.OrdinalIgnoreCase) >= 0) {
                return true;
            }
            return false;
        }
    }
Let me know if you need any clarification on the code.
【Discussion】:
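As an added illustration (not code from either answer): issuing a token with the same SecurityTokenDescriptor fields the middleware above uses, then validating it with TokenValidationParameters that mirror the Startup configuration, so the wrong-audience and corrupted-signature cases can be seen being rejected. The issuer, audience and random key are placeholders, and the code assumes the System.IdentityModel.Tokens.Jwt package on .NET 6 or later.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwtRoundTrip
{
    // Hypothetical issuer/audience; in an app these come from tokenSetting.
    const string Issuer = "https://issuer.example", Audience = "api.example";
    // 256-bit random key so the sample runs stand-alone; a real app loads the key
    // from configuration or a secret store rather than hard-coding a string.
    static readonly SymmetricSecurityKey SigningKey = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));

    // Issue side: the same descriptor fields the middleware in the answer uses.
    public static string Issue(string userName, string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = audience,
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userName) }),
            Expires = DateTime.UtcNow.AddMinutes(20),
            SigningCredentials = new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256),
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Validate side: the checks JwtBearer runs on every request with the Startup
    // parameters; ClockSkew zero means no grace period after Expires.
    public static string Validate(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer, ValidAudience = Audience,
            ValidateIssuerSigningKey = true, IssuerSigningKey = SigningKey,
            ClockSkew = TimeSpan.Zero,
        };
        try { return "accepted: " + new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _).Identity.Name; }
        catch (SecurityTokenException e) { return "rejected: " + e.GetType().Name; }
    }

    public static void Main()
    {
        string good = Issue("alice", Audience);
        Console.WriteLine(Validate(good));
        Console.WriteLine(Validate(Issue("alice", "other-api")));                  // wrong audience
        Console.WriteLine(Validate(good.Substring(0, good.Length - 4) + "AAAA")); // corrupted signature
    }
}
```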