根据Matt Dekrey的出色回答,我创建了一个完全有效的基于令牌的身份验证示例,它针对ASP.NET Core(1.0.1)。你可以找到完整的代码在这个仓库在GitHub上(替代分支1.0.0-RC1,beta8,β7的),但在短暂的,重要的步骤是:
为您的应用生成密钥
在我的示例中,我每次应用启动时都会生成一个随机密钥,您需要生成一个并将其存储在某个位置,然后将其提供给您的应用。有关如何生成随机密钥以及如何从.json文件导入它的信息,请参见此文件。正如@kspearrin在评论中所建议的那样,Data Protection API似乎是“正确”管理密钥的理想候选者,但是我还没有解决这个问题。如果解决了,请提交拉取请求!
Startup.cs-ConfigureServices
在这里,我们需要为签名的令牌加载一个私钥,当令牌出现时,我们还将用它来验证令牌。我们将密钥存储在类级别的变量中key
,该变量将在下面的Configure方法中重复使用。TokenAuthOptions是一个简单的类,其中包含我们在TokenController中创建密钥所需的签名身份,受众和发行者。
// Replace this with some sort of loading from config / file.
RSAParameters keyParams = RSAKeyUtils.GetRandomKey();
// Create the key, and a set of token options to record signing credentials
// using that key, along with the other parameters we will need in the
// token controlller.
key = new RsaSecurityKey(keyParams);
tokenOptions = new TokenAuthOptions()
{
Audience = TokenAudience,
Issuer = TokenIssuer,
SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.Sha256Digest)
};
// Save the token options into an instance so they're accessible to the
// controller.
services.AddSingleton<TokenAuthOptions>(tokenOptions);
// Enable the use of an [Authorize("Bearer")] attribute on methods and
// classes to protect.
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().Build());
});
我们还设置了授权策略,以允许我们[Authorize("Bearer")]
在希望保护的端点和类上使用。
Startup.cs-配置
在这里,我们需要配置JwtBearerAuthentication:
app.UseJwtBearerAuthentication(new JwtBearerOptions {
TokenValidationParameters = new TokenValidationParameters {
IssuerSigningKey = key,
ValidAudience = tokenOptions.Audience,
ValidIssuer = tokenOptions.Issuer,
// When receiving a token, check that it is still valid.
ValidateLifetime = true,
// This defines the maximum allowable clock skew - i.e.
// provides a tolerance on the token expiry time
// when validating the lifetime. As we're creating the tokens
// locally and validating them on the same machines which
// should have synchronised time, this can be set to zero.
// Where external tokens are used, some leeway here could be
// useful.
ClockSkew = TimeSpan.FromMinutes(0)
}
});
令牌控制器
在令牌控制器中,您需要一种方法来使用Startup.cs中加载的密钥生成签名密钥。我们已经在Startup中注册了TokenAuthOptions实例,因此我们需要将其注入TokenController的构造函数中:
[Route("api/[controller]")]
public class TokenController : Controller
{
private readonly TokenAuthOptions tokenOptions;
public TokenController(TokenAuthOptions tokenOptions)
{
this.tokenOptions = tokenOptions;
}
...
然后,您需要在处理程序中为登录端点生成令牌,在我的示例中,我使用用户名和密码,并使用if语句验证它们,但是您需要做的关键是创建或加载声明身份并为此生成令牌:
public class AuthRequest
{
public string username { get; set; }
public string password { get; set; }
}
/// <summary>
/// Request a new token for a given username/password pair.
/// </summary>
/// <param name="req"></param>
/// <returns></returns>
[HttpPost]
public dynamic Post([FromBody] AuthRequest req)
{
// Obviously, at this point you need to validate the username and password against whatever system you wish.
if ((req.username == "TEST" && req.password == "TEST") || (req.username == "TEST2" && req.password == "TEST"))
{
DateTime? expires = DateTime.UtcNow.AddMinutes(2);
var token = GetToken(req.username, expires);
return new { authenticated = true, entityId = 1, token = token, tokenExpires = expires };
}
return new { authenticated = false };
}
private string GetToken(string user, DateTime? expires)
{
var handler = new JwtSecurityTokenHandler();
// Here, you should create or look up an identity for the user which is being authenticated.
// For now, just creating a simple generic identity.
ClaimsIdentity identity = new ClaimsIdentity(new GenericIdentity(user, "TokenAuth"), new[] { new Claim("EntityID", "1", ClaimValueTypes.Integer) });
var securityToken = handler.CreateToken(new Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor() {
Issuer = tokenOptions.Issuer,
Audience = tokenOptions.Audience,
SigningCredentials = tokenOptions.SigningCredentials,
Subject = identity,
Expires = expires
});
return handler.WriteToken(securityToken);
}
就是这样。只需将其添加[Authorize("Bearer")]
到要保护的任何方法或类中,如果在没有令牌的情况下尝试访问它,将会出现错误。如果要返回401错误而不是500错误,则需要注册一个自定义异常处理程序,如我在此处的示例所示。