以前在web端的身份認(rèn)證都是基于Cookie | Session的身份認(rèn)證, 在沒有更多的終端出現(xiàn)之前,這樣做也沒有什么問題,但在Web API時(shí)代,你所需要面對(duì)的就不止是瀏覽器了,還有各種客戶端,這樣就有了一個(gè)問題,這些客戶端是不知道cookie是什么鬼的。 (cookie其實(shí)是瀏覽器搞出來的小貓膩,用來保持會(huì)話的,但HTTP本身是無狀態(tài)的, 各種客戶端能提供的無非也就是HTTP操作的API)
而基于Token的身份認(rèn)證就是應(yīng)對(duì)這種變化而生的,它更開放,安全性也更高。
基于Token的身份認(rèn)證有很多種實(shí)現(xiàn)方式,但我們這里只使用微軟提供的API。
接下來的例子將帶領(lǐng)大家完成一個(gè)使用微軟JwtSecurityTokenHandler完成一個(gè)基于beare token的身份認(rèn)證。
注意:這種文章屬于Step by step教程,跟著做才不至于看暈,下載完整代碼分析代碼結(jié)構(gòu)才有意義。
前期準(zhǔn)備
推薦使用VS2015 Update3作為你的IDE
你需要安裝.NET Core的運(yùn)行環(huán)境以及開發(fā)工具
創(chuàng)建項(xiàng)目
在VS中新建項(xiàng)目,項(xiàng)目類型選擇ASP.NET Core Web Application(.NET Core), 輸入項(xiàng)目名稱為CSTokenBaseAuth
Coding
創(chuàng)建一些輔助類
在項(xiàng)目根目錄下創(chuàng)建一個(gè)文件夾Auth,并添加RSAKeyHelper.cs以及TokenAuthOption.cs兩個(gè)文件
在RSAKeyHelper.cs中
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
using System.Security.Cryptography;namespace CSTokenBaseAuth.Auth{ public class RSAKeyHelper { public static RSAParameters GenerateKey() { using (var key = new RSACryptoServiceProvider(2048)) { return key.ExportParameters(true); } } }} |
在TokenAuthOption.cs中
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
using System;using Microsoft.IdentityModel.Tokens;namespace CSTokenBaseAuth.Auth{ public class TokenAuthOption { public static string Audience { get; } = "ExampleAudience"; public static string Issuer { get; } = "ExampleIssuer"; public static RsaSecurityKey Key { get; } = new RsaSecurityKey(RSAKeyHelper.GenerateKey()); public static SigningCredentials SigningCredentials { get; } = new SigningCredentials(Key, SecurityAlgorithms.RsaSha256Signature); public static TimeSpan ExpiresSpan { get; } = TimeSpan.FromMinutes(20); }} |
Startup.cs
在ConfigureServices中添加如下代碼:
|
1
2
3
4
5
6
|
services.AddAuthorization(auth =>{ auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder() .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme?) .RequireAuthenticatedUser().Build());}); |
完整的代碼應(yīng)該是這樣
|
1
2
3
4
5
6
7
8
9
10
11
12
13
|
public void ConfigureServices(IServiceCollection services){ // Add framework services. services.AddApplicationInsightsTelemetry(Configuration); // Enable the use of an [Authorize("Bearer")] attribute on methods and classes to protect. services.AddAuthorization(auth => { auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder() .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme?) .RequireAuthenticatedUser().Build()); }); services.AddMvc();} |
在Configure方法中添加如下代碼
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
app.UseExceptionHandler(appBuilder => { appBuilder.Use(async (context, next) => { var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature; //when authorization has failed, should retrun a json message to client if (error != null && error.Error is SecurityTokenExpiredException) { context.Response.StatusCode = 401; context.Response.ContentType = "application/json"; await context.Response.WriteAsync(JsonConvert.SerializeObject( new { authenticated = false, tokenExpired = true } )); } //when orther error, retrun a error message json to client else if (error != null && error.Error != null) { context.Response.StatusCode = 500; context.Response.ContentType = "application/json"; await context.Response.WriteAsync(JsonConvert.SerializeObject( new { success = false, error = error.Error.Message } )); } //when no error, do next. else await next(); });}); |
這段代碼主要是Handle Error用的,比如當(dāng)身份認(rèn)證失敗的時(shí)候會(huì)拋出異常,而這里就是處理這個(gè)異常的。
接下來在相同的方法中添加如下代碼,
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
app.UseExceptionHandler(appBuilder => { appBuilder.Use(async (context, next) => { var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature; //when authorization has failed, should retrun a json message to client if (error != null && error.Error is SecurityTokenExpiredException) { context.Response.StatusCode = 401; context.Response.ContentType = "application/json"; await context.Response.WriteAsync(JsonConvert.SerializeObject( new { authenticated = false, tokenExpired = true } )); } //when orther error, retrun a error message json to client else if (error != null && error.Error != null) { context.Response.StatusCode = 500; context.Response.ContentType = "application/json"; await context.Response.WriteAsync(JsonConvert.SerializeObject( new { success = false, error = error.Error.Message } )); } //when no error, do next. else await next(); });}); |
應(yīng)用JwtBearerAuthentication
|
1
2
3
4
5
6
7
8
9
10
|
app.UseJwtBearerAuthentication(new JwtBearerOptions { TokenValidationParameters = new TokenValidationParameters { IssuerSigningKey = TokenAuthOption.Key, ValidAudience = TokenAuthOption.Audience, ValidIssuer = TokenAuthOption.Issuer, ValidateIssuerSigningKey = true, ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(0) }}); |
完整的代碼應(yīng)該是這樣
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
using System;using Microsoft.AspNetCore.Builder;using Microsoft.AspNetCore.Hosting;using Microsoft.Extensions.Configuration;using Microsoft.Extensions.DependencyInjection;using Microsoft.Extensions.Logging;using Microsoft.AspNetCore.Authorization;using Microsoft.AspNetCore.Authentication.JwtBearer;using CSTokenBaseAuth.Auth;using Microsoft.AspNetCore.Diagnostics;using Microsoft.IdentityModel.Tokens;using Microsoft.AspNetCore.Http;using Newtonsoft.Json;namespace CSTokenBaseAuth{ public class Startup { public Startup(IHostingEnvironment env) { var builder = new ConfigurationBuilder() .SetBasePath(env.ContentRootPath) .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true) .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true); if (env.IsEnvironment("Development")) { // This will push telemetry data through Application Insights pipeline faster, allowing you to view results immediately. builder.AddApplicationInsightsSettings(developerMode: true); } builder.AddEnvironmentVariables(); Configuration = builder.Build(); } public IConfigurationRoot Configuration { get; } // This method gets called by the runtime. Use this method to add services to the container public void ConfigureServices(IServiceCollection services) { // Add framework services. services.AddApplicationInsightsTelemetry(Configuration); // Enable the use of an [Authorize("Bearer")] attribute on methods and classes to protect. services.AddAuthorization(auth => { auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder() .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme?) .RequireAuthenticatedUser().Build()); }); services.AddMvc(); } // This method gets called by the runtime. Use this method to configure the HTTP request pipeline public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { loggerFactory.AddConsole(Configuration.GetSection("Logging")); loggerFactory.AddDebug(); app.UseApplicationInsightsRequestTelemetry(); app.UseApplicationInsightsExceptionTelemetry(); #region Handle Exception app.UseExceptionHandler(appBuilder => { appBuilder.Use(async (context, next) => { var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature; //when authorization has failed, should retrun a json message to client if (error != null && error.Error is SecurityTokenExpiredException) { context.Response.StatusCode = 401; context.Response.ContentType = "application/json"; await context.Response.WriteAsync(JsonConvert.SerializeObject( new { authenticated = false, tokenExpired = true } )); } //when orther error, retrun a error message json to client else if (error != null && error.Error != null) { context.Response.StatusCode = 500; context.Response.ContentType = "application/json"; await context.Response.WriteAsync(JsonConvert.SerializeObject( new { success = false, error = error.Error.Message } )); } //when no error, do next. else await next(); }); }); #endregion #region UseJwtBearerAuthentication app.UseJwtBearerAuthentication(new JwtBearerOptions { TokenValidationParameters = new TokenValidationParameters { IssuerSigningKey = TokenAuthOption.Key, ValidAudience = TokenAuthOption.Audience, ValidIssuer = TokenAuthOption.Issuer, ValidateIssuerSigningKey = true, ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(0) } }); #endregion app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Login}/{action=Index}"); }); } }} |
在Controllers中新建一個(gè)Web API Controller Class,命名為TokenAuthController.cs。我們將在這里完成登錄授權(quán)
在同文件下添加兩個(gè)類,分別用來模擬用戶模型,以及用戶存儲(chǔ),代碼應(yīng)該是這樣
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
public class User{ public Guid ID { get; set; } public string Username { get; set; } public string Password { get; set; }}public static class UserStorage{ public static List<User> Users { get; set; } = new List<User> { new User {ID=Guid.NewGuid(),Username="user1",Password = "user1psd" }, new User {ID=Guid.NewGuid(),Username="user2",Password = "user2psd" }, new User {ID=Guid.NewGuid(),Username="user3",Password = "user3psd" } };} |
接下來在TokenAuthController.cs中添加如下方法
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
private string GenerateToken(User user, DateTime expires){ var handler = new JwtSecurityTokenHandler(); ClaimsIdentity identity = new ClaimsIdentity( new GenericIdentity(user.Username, "TokenAuth"), new[] { new Claim("ID", user.ID.ToString()) } ); var securityToken = handler.CreateToken(new SecurityTokenDescriptor { Issuer = TokenAuthOption.Issuer, Audience = TokenAuthOption.Audience, SigningCredentials = TokenAuthOption.SigningCredentials, Subject = identity, Expires = expires }); return handler.WriteToken(securityToken);} |
該方法僅僅只是生成一個(gè)Auth Token,接下來我們來添加另外一個(gè)方法來調(diào)用它
在相同文件中添加如下代碼
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
[HttpPost]public string GetAuthToken(User user){ var existUser = UserStorage.Users.FirstOrDefault(u => u.Username == user.Username && u.Password == user.Password); if (existUser != null) { var requestAt = DateTime.Now; var expiresIn = requestAt + TokenAuthOption.ExpiresSpan; var token = GenerateToken(existUser, expiresIn); return JsonConvert.SerializeObject(new { stateCode = 1, requertAt = requestAt, expiresIn = TokenAuthOption.ExpiresSpan.TotalSeconds, accessToken = token }); } else { return JsonConvert.SerializeObject(new { stateCode = -1, errors = "Username or password is invalid" }); }} |
該文件完整的代碼應(yīng)該是這樣
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
using System;using System.Collections.Generic;using System.Linq;using System.Threading.Tasks;using Microsoft.AspNetCore.Mvc;using Newtonsoft.Json;using System.IdentityModel.Tokens.Jwt;using System.Security.Claims;using System.Security.Principal;using Microsoft.IdentityModel.Tokens;using CSTokenBaseAuth.Auth;namespace CSTokenBaseAuth.Controllers{ [Route("api/[controller]")] public class TokenAuthController : Controller { [HttpPost] public string GetAuthToken(User user) { var existUser = UserStorage.Users.FirstOrDefault(u => u.Username == user.Username && u.Password == user.Password); if (existUser != null) { var requestAt = DateTime.Now; var expiresIn = requestAt + TokenAuthOption.ExpiresSpan; var token = GenerateToken(existUser, expiresIn); return JsonConvert.SerializeObject(new { stateCode = 1, requertAt = requestAt, expiresIn = TokenAuthOption.ExpiresSpan.TotalSeconds, accessToken = token }); } else { return JsonConvert.SerializeObject(new { stateCode = -1, errors = "Username or password is invalid" }); } } private string GenerateToken(User user, DateTime expires) { var handler = new JwtSecurityTokenHandler(); ClaimsIdentity identity = new ClaimsIdentity( new GenericIdentity(user.Username, "TokenAuth"), new[] { new Claim("ID", user.ID.ToString()) } ); var securityToken = handler.CreateToken(new SecurityTokenDescriptor { Issuer = TokenAuthOption.Issuer, Audience = TokenAuthOption.Audience, SigningCredentials = TokenAuthOption.SigningCredentials, Subject = identity, Expires = expires }); return handler.WriteToken(securityToken); } } public class User { public Guid ID { get; set; } public string Username { get; set; } public string Password { get; set; } } public static class UserStorage { public static List<User> Users { get; set; } = new List<User> { new User {ID=Guid.NewGuid(),Username="user1",Password = "user1psd" }, new User {ID=Guid.NewGuid(),Username="user2",Password = "user2psd" }, new User {ID=Guid.NewGuid(),Username="user3",Password = "user3psd" } }; }} |
接下來我們來完成授權(quán)驗(yàn)證部分
在Controllers中新建一個(gè)Web API Controller Class,命名為ValuesController.cs
在其中添加如下代碼
|
1
2
3
4
5
6
7
8
|
public string Get(){ var claimsIdentity = User.Identity as ClaimsIdentity; var id = claimsIdentity.Claims.FirstOrDefault(c => c.Type == "ID").Value; return $"Hello! {HttpContext.User.Identity.Name}, your ID is:{id}";} |
為方法添加裝飾屬性
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
[HttpGet][Authorize("Bearer")]完整的文件代碼應(yīng)該是這樣using System.Linq;using Microsoft.AspNetCore.Mvc;using Microsoft.AspNetCore.Authorization;using System.Security.Claims;namespace CSTokenBaseAuth.Controllers{ [Route("api/[controller]")] public class ValuesController : Controller { [HttpGet] [Authorize("Bearer")] public string Get() { var claimsIdentity = User.Identity as ClaimsIdentity; var id = claimsIdentity.Claims.FirstOrDefault(c => c.Type == "ID").Value; return $"Hello! {HttpContext.User.Identity.Name}, your ID is:{id}"; } }} |
最后讓我們來添加視圖
在Controllers中新建一個(gè)Web Controller Class,命名為LoginController.cs
其中的代碼應(yīng)該是這樣
|
1
2
3
4
5
6
7
8
9
10
11
12
13
|
using Microsoft.AspNetCore.Mvc;namespace CSTokenBaseAuth.Controllers{ [Route("[controller]/[action]")] public class LoginController : Controller { public IActionResult Index() { return View(); } }} |
在項(xiàng)目Views目錄下新建一個(gè)名為Login的目錄,并在其中新建一個(gè)Index.cshtml文件。
代碼應(yīng)該是這個(gè)樣子
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
<html xmlns="http://www.w3.org/1999/xhtml"><head> <title></title></head><body> <button id="getToken">getToken</button> <button id="requestAPI">requestAPI</button> <script src="https://code.jquery.com/jquery-3.1.1.min.js"></script> <script> $(function () { var accessToken = undefined; $("#getToken").click(function () { $.post( "/api/TokenAuth", { Username: "user1", Password: "user1psd" }, function (data) { console.log(data); if (data.stateCode == 1) { accessToken = data.accessToken; $.ajaxSetup({ headers: { "Authorization": "Bearer " + accessToken } }); } }, "json" ); }) $("#requestAPI").click(function () { $.get("/api/Values", {}, function (data) { alert(data); }, "text"); }) }) </script></body></html> |
以上就是本文的全部內(nèi)容,希望對(duì)大家的學(xué)習(xí)有所幫助,也希望大家多多支持服務(wù)器之家。
原文鏈接:http://www.cnblogs.com/onecodeonescript/p/6061714.html
