NetCore使用Jwtbearer给WebAPI添加访问控制
现在JWT代替session来做访问控制已经成为大部分webapi的做法,今天我们也来尝试一下
WebAPI使用NetCore2.1创建,无身份认证信息
nuget安装包
IdentityModel 选择稳定版3.9.0 Microsoft.AspNetCore.Authorization 版本2.1.1 Microsoft.AspNetCore.Authentication.JwtBearer 版本2.1.1
Startup注入服务
public void ConfigureServices(IServiceCollection services) { services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1); #region Auth services.AddAuthentication(x => { x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(o => { o.TokenValidationParameters = new TokenValidationParameters { NameClaimType = JwtClaimTypes.Name, RoleClaimType = JwtClaimTypes.Role, ValidIssuer = "http://localhost:44319", ValidAudience = "api", IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("this is a security key")) /***********************************TokenValidationParameters的参数默认值***********************************/ // RequireSignedTokens = true, // SaveSigninToken = false, // ValidateActor = false, // 将下面两个参数设置为false,可以不验证Issuer和Audience,但是不建议这样做。 // ValidateAudience = true, // ValidateIssuer = true, // ValidateIssuerSigningKey = false, // 是否要求Token的Claims中必须包含Expires // RequireExpirationTime = true, // 允许的服务器时间偏移量 // ClockSkew = TimeSpan.FromSeconds(300), // 是否验证Token有效期,使用当前时间与Token的Claims中的NotBefore和Expires对比 // ValidateLifetime = true }; }); #endregion } // This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } else { app.UseHsts(); } app.UseAuthentication(); app.UseHttpsRedirection(); app.UseMvc(); }
之后验证用户返回token信息
新建TokenController的WebAPI控制器
根据用户post的用户账号和密码从数据库查询数据
这里我们加入根据账号密码从db匹配到了数据
然后返回token数据
上下代码标红部分需要保持一致,这个是token需要用来做校验的,如果不一致可能出现token无效 签名无效等问题
// private MainDBContext _context; [HttpPost] public async Task<IActionResult> GenToken(UserModel model) { //get username and pwd from this model ,then get data from db //var user = _context.Users.FirstOrDefault(l => l.Name == model.Name && l.Pwd == model.PassWord); //If there is data in the database var user = new UserModel() { ID = 1, Email = "example@live.com", Name = "tester", PassWord = "123456" }; //if user null ,return if (user == null) return Unauthorized(); var tokenHandler = new JwtSecurityTokenHandler(); var key = Encoding.ASCII.GetBytes("this is a security key"); var authTime = DateTime.UtcNow; var expiresAt = authTime.AddDays(7); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new Claim[] { new Claim(JwtClaimTypes.Audience,"api"), new Claim(JwtClaimTypes.Issuer,"http://localhost:44319"), new Claim(JwtClaimTypes.Id, user.ID.ToString()), new Claim(JwtClaimTypes.Name, user.Name) }), Expires = expiresAt, SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature) }; var token = tokenHandler.CreateToken(tokenDescriptor); var tokenString = tokenHandler.WriteToken(token); return Ok(new { access_token = tokenString, token_type = "Bearer", profile = new { sid = user.ID, name = user.Name, auth_time = new DateTimeOffset(authTime).ToUnixTimeSeconds(), expires_at = new DateTimeOffset(expiresAt).ToUnixTimeSeconds() } }); }
PostMan测试获取token
这样可以成功获取token,下面来做权限校验
在需要授权的api上新增 [Authorize] 标记
比如万年values控制器
我们分别使用携带token和不携带token访问values接口
1 携带token访问,返回了想要的数据
2 未携带token,返回401
这样就达到了我们想要的效果,以上做个记录.
简单的demo
github:https://github.com/ermpark/authapidemo