JWT笔记
在.Net Core或者.Net 5.0以上项目中,Startup.cs中ConfigureServices方法下配置JWT
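services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    // Validation only needs the RSA *public* key; the private key stays on the issuing side.
    string publicKey = _userConfiguration.PublicKey;
    var helper = new RSAHelper(RSAType.RSA2, Encoding.UTF8, null, publicKey);
    var rsa = helper.CreateRsaProviderFromPublicKey(publicKey);
    var key = new RsaSecurityKey(rsa);

    options.TokenValidationParameters = new TokenValidationParameters()
    {
        // Verify the signature — without this the payload can be tampered with.
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = key,
        // Pin the accepted algorithm to the one the issuer uses (RS512 in GenerateJwtTokenRsa);
        // defence in depth against algorithm-substitution attacks.
        ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha512 },

        // Issuer must equal the `issuer` value written when the token is created.
        ValidateIssuer = true,
        ValidIssuer = "http://localhost:5000/",
        // To accept several issuers, use ValidIssuers instead of ValidIssuer:
        //ValidIssuers = new List<string>() { "http://localhost:6000/", "http://localhost:6001/" },

        // Audience must equal the `audience` value written when the token is created;
        // ValidAudiences accepts any one of the listed values. The issued audience
        // ("http://ducaibao.cn/") is included here so tokens from GenerateJwtTokenRsa validate.
        // (The original list used "localhost.8000" — a typo for "localhost:8000".)
        ValidateAudience = true,
        ValidAudiences = new List<string>()
        {
            "http://ducaibao.cn/",
            "http://localhost:8000/",
            "http://localhost:9000/",
        },

        // Reject expired tokens and require an exp claim to be present at all.
        ValidateLifetime = true,
        RequireExpirationTime = true,
        // No grace period on top of exp (the library default is 5 minutes).
        ClockSkew = TimeSpan.Zero,
    };
});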
在.Net Core或者.Net 5.0以上项目中,Startup.cs中Configure方法下配置开启认证
/// <summary>
/// Builds the request pipeline. Order matters: routing first, then authentication
/// (so the bearer token is read and the principal populated), then authorization
/// (so [Authorize] can be evaluated), then the endpoints.
/// </summary>
/// <param name="app">Pipeline builder to register middleware on.</param>
/// <param name="env">Hosting environment; only used to pick the exception page.</param>
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // Detailed exception pages leak stack traces; keep them to development only.
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseRouting();
    // NOTE(review): if app.UseCors("CorsPolicy") is added, it belongs here —
    // after UseRouting and before UseAuthentication/UseAuthorization.
    app.UseAuthentication(); // must precede UseAuthorization
    app.UseAuthorization();
    app.UseEndpoints(routes => routes.MapControllers());
}
下面开始Token的生成,在合适的位置,例如登录成功后
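/// <summary>
/// Issues an RS512-signed JWT for the user that just logged in. The issuer and
/// audience written here must match ValidIssuer / ValidAudiences on the validating side.
/// </summary>
/// <returns>The compact-serialized token to hand back to the client.</returns>
private string GenerateJwtTokenRsa()
{
    // NOTE(review): `result` is not a parameter of this method — it must be a field or
    // be captured from the caller; confirm before copying this snippet.
    // A JWT payload is only base64url-encoded, not encrypted: never put secrets in claims.
    Claim[] claims = new[]
    {
        new Claim("UserType", "普通用户"),
        new Claim("UserName", result.Data.UserName),
        new Claim("UserIndexType", "UserInfo"),
        new Claim("Id", result.Data.Id),
        // Role claims drive [Authorize(Roles = "ducaibao")] / [Authorize(Roles = "tglj")].
        // Stacking two [Authorize(Roles = ...)] attributes requires BOTH roles; to accept
        // either one, register a policy in ConfigureServices:
        //   services.AddAuthorization(o => o.AddPolicy("all", p => p.RequireRole("ducaibao", "tglj")));
        // and apply [Authorize(Policy = "all")].
        new Claim(ClaimTypes.Role, "ducaibao"),
        new Claim(ClaimTypes.Role, "tglj"),
    };

    // Signing uses the private key; the validator only ever sees the public key.
    var helper = new RSAHelper(RSAType.RSA2, Encoding.UTF8, _userConfiguration.PrivateKey, _userConfiguration.PublicKey);
    var rsa = helper.CreateRsaProviderFromPrivateKey(_userConfiguration.PrivateKey);
    var credentials = new SigningCredentials(new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha512);

    // exp is an epoch timestamp, so derive it from UTC rather than local time.
    var token = new JwtSecurityToken(
        issuer: "http://localhost:5000/",
        audience: "http://ducaibao.cn/",
        claims: claims,
        expires: DateTime.UtcNow.AddHours(_userConfiguration.Expire_Hour),
        signingCredentials: credentials);

    return new JwtSecurityTokenHandler().WriteToken(token);
}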
此时可以给Controller打上特性开启认证,可以直接在Controller上打,也可以单独给每个方法打特性,
然后调用需要 token 的 API 时,在请求头中带上 `Authorization: Bearer <token>` 即可(JwtBearer 默认从该头部读取 token)。
[Authorize]//require an authenticated caller (controller- or action-level)
[AllowAnonymous]//opt an action out of authentication; takes precedence over [Authorize] on the enclosing controller
跨域问题(CORS)。注意:不要把 SetIsOriginAllowed(_ => true)(等价于 AllowAnyOrigin)和 AllowCredentials() 组合使用——这等于允许任意站点发起带凭据的跨域请求,生产环境应使用显式的来源白名单(WithOrigins)。
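/// <summary>
/// Registers the "CorsPolicy" CORS policy enabled later by app.UseCors("CorsPolicy").
/// </summary>
/// <param name="services">Service collection to register into.</param>
public void ConfigureServices(IServiceCollection services)
{
    // Explicit origin allow-list. Taken from the token audience used elsewhere in these
    // notes — TODO confirm against the real front-end origin(s), ideally loaded from
    // configuration rather than hard-coded. Origins carry no path/trailing slash.
    string[] allowedOrigins = { "http://ducaibao.cn" };

    services.AddCors(options => options.AddPolicy("CorsPolicy",
        builder =>
        {
            // Security: the previous `SetIsOriginAllowed(_ => true)` reflected any Origin
            // header while also allowing credentials. CorsPolicyBuilder rejects the
            // equivalent AllowAnyOrigin() + AllowCredentials() combination because it lets
            // any site make credentialed (cookie / client-cert) cross-origin requests; the
            // predicate form bypassed that check. Name the permitted origins instead.
            // If the API is bearer-token only and never relies on cookies, drop
            // AllowCredentials() and AllowAnyOrigin() becomes acceptable.
            builder.WithOrigins(allowedOrigins)
                   .AllowAnyMethod()
                   .AllowAnyHeader()
                   .AllowCredentials();
        }));
}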
// Enable the policy in Configure. Order matters: UseCors must be called after
// UseRouting() and before UseAuthentication()/UseAuthorization(), otherwise
// preflight (OPTIONS) requests may be rejected before CORS headers are added.
app.UseCors("CorsPolicy");