1、建.NetCore的WebApi项目,安装包IdentityModel,Microsoft.AspNetCore.Authentication.JwtBearer,Microsoft.AspNetCore.Authorization
2、注册服务和中间件
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using System;
using System.Text;
using System.Threading.Tasks;
namespace WebApiJwt.Utils
{
public static class AuthorizationSetup
{
public static void AddAuthorizationSetup(this IServiceCollection services)
{
if (services == null) throw new ArgumentNullException(nameof(services));
// 策略
services.AddAuthorization(options =>
{
options.AddPolicy("Admin", policy => policy.RequireRole("Admin", "System"));
});
//读取配置文件
var symmetricKeyAsBase64 = ConfigHelper.GetSectionValue("JwtSetting:SecretKey");
var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
var signingKey = new SymmetricSecurityKey(keyByteArray);
var Issuer = ConfigHelper.GetSectionValue("JwtSetting:Issuer");
var Audience = ConfigHelper.GetSectionValue("JwtSetting:Audience");
// 令牌验证参数
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,//是否验证签名,不验证的画可以篡改数据,不安全
IssuerSigningKey = signingKey,//解密的密钥
ValidateIssuer = true,//是否验证发行人,就是验证载荷中的Iss是否对应ValidIssuer参数
ValidIssuer = Issuer,//发行人
ValidateAudience = true,//是否验证订阅人,就是验证载荷中的Aud是否对应ValidAudience参数
ValidAudience = Audience,//订阅人
ValidateLifetime = true,//是否验证过期时间,过期了就拒绝访问
ClockSkew = TimeSpan.Zero,//缓冲过期时间,真正过期时间=配置过期时间+缓冲过期时间,默认5分钟
RequireExpirationTime = true,//token需要设置过期时间
};
// 开启Bearer认证,添加JwtBearer服务
services.AddAuthentication(o =>
{
o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.TokenValidationParameters = tokenValidationParameters;
o.Events = new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
// 如果过期,则把<是否过期>添加到,返回头信息中
if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
{
context.Response.Headers.Add("Token-Expired", "true");
}
return Task.CompletedTask;
}
};
});
}
}
}
Startup.cs
注册服务:services.AddAuthorizationSetup();
添加中间件:app.UseAuthentication(); app.UseAuthorization();
3、生成Token
using Microsoft.IdentityModel.Tokens;
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using WebApiJwt.Models;
namespace WebApiJwt.Utils
{
public class JwtHelper
{
/// <summary>
/// 颁发JWT字符串
/// </summary>
/// <param name="tokenModel"></param>
/// <returns></returns>
public static object IssueJwt(TokenModel tokenModel)
{
DateTime authTime = DateTime.UtcNow;
string iss = ConfigHelper.GetSectionValue("JwtSetting:Issuer");//颁发者
string aud = ConfigHelper.GetSectionValue("JwtSetting:Audience");//可以给哪些客户端使用
string secret = ConfigHelper.GetSectionValue("JwtSetting:SecretKey");//加密的Key
//token有效期 分钟
DateTime expiresAt = authTime.AddMinutes(Convert.ToDouble(ConfigHelper.GetSectionValue("JwtSetting:ExpireMinutes")));
//设置Claim
var claims = new List<Claim>
{
//claim默认配置
new Claim(JwtRegisteredClaimNames.Jti, tokenModel.UserId.ToString()),
new Claim(JwtRegisteredClaimNames.Iat, $"{new DateTimeOffset(authTime).ToUnixTimeSeconds()}"),
new Claim(JwtRegisteredClaimNames.Nbf,$"{new DateTimeOffset(authTime).ToUnixTimeSeconds()}") ,
//过期时间,JWT有缓冲过期时间,所以过期时间到了会延迟一会儿再过期,影响不大。
new Claim(JwtRegisteredClaimNames.Exp,$"{new DateTimeOffset(expiresAt).ToUnixTimeSeconds()}"),
new Claim(ClaimTypes.Expiration, expiresAt.ToString()),
new Claim(JwtRegisteredClaimNames.Iss,iss),//颁发者
new Claim(JwtRegisteredClaimNames.Aud,aud),//可以给哪些客户端使用
new Claim(ClaimTypes.Name, tokenModel.UserName),
new Claim(ClaimTypes.Email, tokenModel.Email)
};
//设置Claim角色
claims.AddRange(tokenModel.Role.Split(',').Select(s => new Claim(ClaimTypes.Role, s)));
//秘钥 (SymmetricSecurityKey 对安全性的要求,密钥的长度太短会报出异常)
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var jwtSecurityToken = new JwtSecurityToken(issuer: iss, claims: claims, signingCredentials: creds);
var jwtHandler = new JwtSecurityTokenHandler();
var encodedJwt = jwtHandler.WriteToken(jwtSecurityToken);
//存储 Token 信息
var jwt = new
{
UserId = tokenModel.UserId,
Token = encodedJwt,
Auths = new DateTimeOffset(authTime).ToUnixTimeSeconds(),
Expires = new DateTimeOffset(expiresAt).ToUnixTimeSeconds(),
Success = true
};
return jwt;
}
/// <summary>
/// 解析
/// </summary>
/// <param name="jwtStr"></param>
/// <returns></returns>
public static TokenModel SerializeJwt(string jwtStr)
{
var jwtHandler = new JwtSecurityTokenHandler();
if (!jwtHandler.CanReadToken(jwtStr)) { return null; }
string iss = ConfigHelper.GetSectionValue("JwtSetting:Issuer");
JwtSecurityToken jwtToken = jwtHandler.ReadJwtToken(jwtStr);
if (jwtToken.Issuer != iss)
{
return null;//不正确
}
if (jwtToken.ValidTo < DateTime.UtcNow)
{
return null;//过期
}
object role, userName, email;
try
{
jwtToken.Payload.TryGetValue(ClaimTypes.Role, out role);
jwtToken.Payload.TryGetValue(ClaimTypes.Name, out userName);
jwtToken.Payload.TryGetValue(ClaimTypes.Email, out email);
}
catch (Exception e)
{
Console.WriteLine(e);
throw;
}
var tm = new TokenModel
{
UserId = jwtToken.Id.ToString(),
Role = role != null ? role.ToString() : "",
UserName = userName != null ? userName.ToString() : "",
Email = email != null ? email.ToString() : ""
};
return tm;
}
}
}
配置
"JwtSetting": {
"Issuer": "jwtIssuer", //颁发者
"Audience": "jwtAudience", //可以给哪些客户端使用
"SecretKey": "abcdabcdabcdabcdabcdabcdabcdabcd", //加密的Key,长度最少要32位,不然报错。
"ExpireMinutes": "3" //token有效期3分钟
}
辅助
using Microsoft.Extensions.Configuration;
using System;
namespace WebApiJwt.Utils
{
public class ConfigHelper
{
public readonly static IConfiguration configuration;
static ConfigHelper()
{
configuration = new ConfigurationBuilder()
.SetBasePath(Environment.CurrentDirectory)
.AddJsonFile("appsettings.json", true, true)
.AddInMemoryCollection()
.Build();
}
public static string GetSectionValue(string key)
{
return configuration[key];
}
public static string connectionString
{
get { return configuration["ConnectionStrings:Default"]; }
}
}
}
4、ApiController
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json;
using WebApiJwt.Models;
using WebApiJwt.Utils;
namespace WebApiJwt.Controllers
{
[Route("api/[controller]/[action]")]
[ApiController]
public class AuthorizeController : ControllerBase
{
/// <summary>
/// 生成令牌
/// </summary>
/// <returns></returns>
[HttpGet]
public string GenToken()
{
TokenModel tokenModel = new TokenModel { UserId = "1001", Role = "Admin", Email = "908085411@qq.com", UserName = "邢帅杰" };
string jwtToken = JsonConvert.SerializeObject(JwtHelper.IssueJwt(tokenModel));
return jwtToken;
}
/// <summary>
/// 需要Admin权限
/// </summary>
/// <returns></returns>
[HttpGet]
[Authorize(Roles = "Admin")]
//[Authorize(Policy = "Admin")]//使用策略来映射多个角色
public IActionResult Admin()
{
return Ok("admin........");
}
/// <summary>
/// 解析Token
/// </summary>
/// <returns></returns>
[HttpGet]
[Authorize]
public IActionResult AnalysisToken()
{
var tokenHeader = HttpContext.Request.Headers["Authorization"].ToString().Replace("Bearer ", "");
var user = JwtHelper.SerializeJwt(tokenHeader);
return Ok(user);
}
}
}
5、 生成:https://localhost:44393/api/Authorize/GenToken,解析:https://localhost:44393/api/Authorize/AnalysisToken,在header中添加 Authorization:Bearer token
参考:
https://www.cnblogs.com/danvic712/p/10331976.html
https://blog.csdn.net/weixin_42045719/article/details/91973878
http://cn.voidcc.com/question/p-vckjdtzx-hv.html
https://www.cnblogs.com/danvic712/p/10331976.html
https://blog.csdn.net/baidu_35726140/article/details/84867520
https://www.cnblogs.com/xwc1996/p/14058115.html
