ASP.NET Core JWT授权验证----注册JWT
- JWT 授权验证一、封装 JWT权限 认证服务
public static class Authentication_JWTSetup
{
public static void AddAuthentication_JWTSetup(this IServiceCollection services)
{
if (services == null) throw new ArgumentNullException(nameof(services));
//读取配置文件
var symmetricKeyAsBase64 = AppSettings.app(new string[] { "Audience", "Secret" });
var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
var signingKey = new SymmetricSecurityKey(keyByteArray);
var Issuer = AppSettings.app(new string[] { "Audience", "Issuer" });
var Audience = AppSettings.app(new string[] { "Audience", "Audience" });
var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
// 令牌验证参数
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,//是否验证签名,不验证的画可以篡改数据,不安全
IssuerSigningKey = signingKey,//解密的密钥
ValidateIssuer = true,//是否验证发行人,就是验证载荷中的Iss是否对应ValidIssuer参数
ValidIssuer = Issuer,//发行人
ValidateAudience = true,//是否验证订阅人,就是验证载荷中的Aud是否对应ValidAudience参数
ValidAudience = Audience,//订阅人
ValidateLifetime = true,////是否验证过期时间,过期了就拒绝访问
ClockSkew = TimeSpan.FromSeconds(30),////这个是缓冲过期时间,也就是说,即使我们配置了过期时间,这里也要考虑进去,过期时间+缓冲,默认好像是7分钟,你可以直接设置为0
RequireExpirationTime = true,
};
// 开启Bearer认证
services.AddAuthentication(o =>
{
o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = nameof(ApiResponseHandler);
o.DefaultForbidScheme = nameof(ApiResponseHandler);
})
// 添加JwtBearer服务
.AddJwtBearer(o =>
{
//验证 [Authorize(AuthenticationSchemes = "Bearer")]
o.TokenValidationParameters = tokenValidationParameters;
o.Events = new JwtBearerEvents
{
OnMessageReceived = context =>
{
//前端chathub 调用
var accessToken = context.Request.Query["access_token"];
// If the request is for our hub...
var path = context.HttpContext.Request.Path;
if (!string.IsNullOrEmpty(accessToken) &&
(path.StartsWithSegments("/api2/chathub")))
{
// Read the token out of the query string
context.Token = accessToken;
}
return Task.CompletedTask;
},
OnChallenge = context =>
{
//无权限触发
context.Response.Headers.Add("Token-Error", context.ErrorDescription?? context.Error);
return Task.CompletedTask;
},
OnAuthenticationFailed = context =>
{
//验证失败触发
var jwtHandler = new JwtSecurityTokenHandler();
var token = context.Request.Headers["Authorization"].ObjToString().Replace("Bearer ", "");
if (token.IsNotEmptyOrNull() && jwtHandler.CanReadToken(token))
{
try
{
var jwtToken = jwtHandler.ReadJwtToken(token);
if (jwtToken.Issuer != Issuer)
{
context.Response.Headers.Add("Token-Error-Iss", "issuer is wrong!");
}
if (jwtToken.Audiences.FirstOrDefault() != Audience)
{
context.Response.Headers.Add("Token-Error-Aud", "Audience is wrong!");
}
}
catch (Exception ex)
{
;
context.Response.Headers.Add("Token-Error-Body", "TokenBody is wrong");
}
}
// 如果过期,则把添加到,返回头信息中
if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
{
context.Response.Headers.Add("Token-Expired", "true");
}
return Task.CompletedTask;
}
};
})// [Authorize] 走自定义ApiResponseHandler
.AddScheme(nameof(ApiResponseHandler), o => { });
}
}二、定义处理类ApiResponseHandler
public class ApiResponseHandler : AuthenticationHandler{
public ApiResponseHandler(IOptionsMonitor options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock)
{
}
protected override Task HandleAuthenticateAsync()
{
//return Task.FromResult(AuthenticateResult.NoResult());
}
protected override async Task HandleChallengeAsync(AuthenticationProperties properties)
{
Response.ContentType = "application/json";
Response.StatusCode = StatusCodes.Status401Unauthorized;
await Response.WriteAsync(JsonConvert.SerializeObject((new ApiResult { Code=401,Msg= "很抱歉,您无权访问该接口,请确保已经登录!" })));
}
protected override async Task HandleForbiddenAsync(AuthenticationProperties properties)
{
Response.ContentType = "application/json";
Response.StatusCode = StatusCodes.Status403Forbidden;
await Response.WriteAsync(JsonConvert.SerializeObject((new ApiResult { Code = 403, Msg = "很抱歉,您的访问权限等级不够,联系管理员!" })));
}
}三、调用封装
builder.Services.AddAuthentication_JWTSetup(); app.UseAuthentication(); app.UseAuthorization();
