WebAPI身份认证Token
1、安装JWT包
#vscode
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer --version 6.0.11
#vs2022
Install-Package Microsoft.AspNetCore.Authentication.JwtBearer -Version 6.0.11
2、JWTHelper
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
namespace BaseWebApi
{
public class JwtHelper
{
public JwtHelper(IConfiguration configuration)
{
Configuration = configuration;
}
/// <summary>
/// 配置属性
/// </summary>
public IConfiguration Configuration { get; }
/// <summary>
/// 生成access_token
/// </summary>
/// <param name="claims">传入Claim类型的键值对</param>
/// <returns>access_token</returns>
public string GenerateAccessToken(List<Claim> claims)
{
IConfigurationSection jwtConfig = Configuration.GetSection("JWT");
//秘钥,就是标头,这里用Hmacsha256算法,需要256bit的密钥
#pragma warning disable CS8604 // 引用类型参数可能为 null。
SigningCredentials securityKey = new SigningCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(jwtConfig.GetValue<string>("Secret"))), SecurityAlgorithms.HmacSha256);
#pragma warning restore CS8604 // 引用类型参数可能为 null。
//Claim,JwtRegisteredClaimNames中预定义了好多种默认的参数名,也可以像下面的Guid一样自己定义键名.
//ClaimTypes也预定义了好多类型如role、email、name。Role用于赋予权限,不同的角色可以访问不同的接口
//相当于有效载荷
#pragma warning disable CS8604 // 引用类型参数可能为 null。
List<Claim> baseClaims = new List<Claim>{
new Claim(JwtRegisteredClaimNames.Iss,jwtConfig.GetValue<string>("Issuer")),
new Claim(JwtRegisteredClaimNames.Aud,jwtConfig.GetValue<string>("Audience")),
new Claim("Guid",Guid.NewGuid().ToString("D")),
//new Claim(ClaimTypes.Role,"admin"),
};
#pragma warning restore CS8604 // 引用类型参数可能为 null。
claims = claims.Union<Claim>(baseClaims).ToList<Claim>();//合并Claim,删除重复项目
SecurityToken securityToken = new JwtSecurityToken(
signingCredentials: securityKey,
expires: DateTime.Now.AddMinutes(Convert.ToInt32(jwtConfig.GetValue<string>("Expired"))),//过期时间
claims: claims
);
//生成jwt令牌
return new JwtSecurityTokenHandler().WriteToken(securityToken);
}
/// <summary>
/// 解析token
/// </summary>
/// <param name="token">要解析的token</param>
/// <returns>解析后的token字符串</returns>
public string DecryptToken(string token)
{
JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
JwtSecurityToken jwtToken = jwtHandler.ReadJwtToken(token);
return jwtToken.ToString();
}
/// <summary>
/// 生成刷新access_token的refresh_token
/// </summary>
/// <param name="claims">传入Claim类型的键值对</param>
/// <returns>refresh_token</returns>
public string GenerateRefreshToken(List<Claim> claims)
{
IConfigurationSection jwtConfig = Configuration.GetSection("JWT");
//秘钥,就是标头,这里用Hmacsha256算法,需要256bit的密钥
#pragma warning disable CS8604 // 引用类型参数可能为 null。
SigningCredentials securityKey = new SigningCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(jwtConfig.GetValue<string>("RefreshSecret"))), SecurityAlgorithms.HmacSha256);
#pragma warning restore CS8604 // 引用类型参数可能为 null。
//Claim,JwtRegisteredClaimNames中预定义了好多种默认的参数名,也可以像下面的Guid一样自己定义键名.
//ClaimTypes也预定义了好多类型如role、email、name。Role用于赋予权限,不同的角色可以访问不同的接口
//相当于有效载荷
#pragma warning disable CS8604 // 引用类型参数可能为 null。
List<Claim> baseClaims = new List<Claim>{
new Claim(JwtRegisteredClaimNames.Iss,jwtConfig.GetValue<string>("Issuer")),
new Claim(JwtRegisteredClaimNames.Aud,jwtConfig.GetValue<string>("Audience")),
new Claim("Guid",Guid.NewGuid().ToString("D")),
//new Claim(ClaimTypes.Role,"admin"),
};
#pragma warning restore CS8604 // 引用类型参数可能为 null。
claims = claims.Union<Claim>(baseClaims).ToList<Claim>();//合并Claim,删除重复项目
SecurityToken securityToken = new JwtSecurityToken(
signingCredentials: securityKey,
expires: DateTime.Now.AddHours(Convert.ToInt32(jwtConfig.GetValue<string>("RefreshExpired"))),//过期时间
claims: claims
);
//生成jwt令牌
return new JwtSecurityTokenHandler().WriteToken(securityToken);
}
/// <summary>
/// 验证refresh_token是否过期
/// </summary>
/// <param name="refreshToken">刷新的refresh_token</param>
/// <returns>返回是否有效</returns>
public bool ValidationToken(string refreshToken)
{
IConfigurationSection jwtConfig = Configuration.GetSection("JWT");
//生成密钥
#pragma warning disable CS8600 // 将 null 字面量或可能为 null 的值转换为非 null 类型。
string symmetricKeyAsBase64 = jwtConfig.GetValue<string>("RefreshSecret");
#pragma warning restore CS8600 // 将 null 字面量或可能为 null 的值转换为非 null 类型。
#pragma warning disable CS8604 // 引用类型参数可能为 null。
byte[] keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
#pragma warning restore CS8604 // 引用类型参数可能为 null。
SymmetricSecurityKey signingKey = new SymmetricSecurityKey(keyByteArray);
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
try
{
handler.ValidateToken(refreshToken, new TokenValidationParameters
{
ValidateIssuerSigningKey = true,//是否验证签名,不验证的画可以篡改数据,不安全
IssuerSigningKey = signingKey,//解密的密钥
ValidateIssuer = true,//是否验证发行人,就是验证载荷中的Iss是否对应ValidIssuer参数
ValidIssuer = jwtConfig.GetValue<string>("Issuer"),//发行人
ValidateAudience = true,//是否验证订阅人,就是验证载荷中的Aud是否对应ValidAudience参数
ValidAudience = jwtConfig.GetValue<string>("Audience"),//订阅人
ValidateLifetime = true,//是否验证过期时间,过期了就拒绝访问
ClockSkew = TimeSpan.Zero,//这个是缓冲过期时间,也就是说,即使我们配置了过期时间,这里也要考虑进去,过期时间+缓冲,默认好像是7分钟,你可以直接设置为0
RequireExpirationTime = true,
}, out SecurityToken securityToken);
return true;
}
catch
{
return false;
}
}
}
}
3、appsetting.json中配置
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"JWT": {
//中华人民共和国MD5值
"Secret": "0D8F3B469FE4D1F87D5DDC2ED5B25A79",
//中国MD5值
"RefreshSecret": "CF0832DEDF7457BBCBFA00BBD87B300A",
"Audience": "yang.webapi",
"Issuer": "yang.webapi",
//token的有效时间/分钟
"Expired": 10,
//刷新token的有效时间/小时
"RefreshExpired": 1
},
"AllowedHosts": "*"
}
4、StartUp中添加(3.1)
ConfigureServices中添加
//依赖注入
services.AddSingleton<JwtHelper>();
//JWt注册
//获取配置文件
var JWTConfig = Configuration.GetSection("JWT");
//生成密钥
var symmetricKeyAsBase64 = JWTConfig.GetValue<string>("Secret");
var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
var signingKey = new SymmetricSecurityKey(keyByteArray);
//认证参数
services.AddAuthentication("Bearer")
.AddJwtBearer(o =>
{
o.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,//是否验证签名,不验证的画可以篡改数据,不安全
IssuerSigningKey = signingKey,//解密的密钥
ValidateIssuer = true,//是否验证发行人,就是验证载荷中的Iss是否对应ValidIssuer参数
ValidIssuer = JWTConfig.GetValue<string>("Issuer"),//发行人
ValidateAudience = true,//是否验证订阅人,就是验证载荷中的Aud是否对应ValidAudience参数
ValidAudience = JWTConfig.GetValue<string>("Audience"),//订阅人
ValidateLifetime = true,//是否验证过期时间,过期了就拒绝访问
ClockSkew = TimeSpan.Zero,//这个是缓冲过期时间,也就是说,即使我们配置了过期时间,这里也要考虑进去,过期时间+缓冲,默认好像是7分钟,你可以直接设置为0
RequireExpirationTime = true,
};
o.Events = new JwtBearerEvents()
{
OnChallenge = context =>
{
context.HandleResponse();
context.Response.Clear();
context.Response.ContentType = "application/json";
context.Response.StatusCode = 401;
context.Response.WriteAsync(new { message = "授权未通过", status = false, code = 401 }.ToString());
return Task.CompletedTask;
}
};
});
在services.AddSwaggerGen中添加Authorization功能
//注册Swagger生成器,定义一个和多个Swagger 文档
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v6", new OpenApiInfo
{
Version = "v6",
Title = "第一个Asp.Net Core 3.1 WebApi",
Description = "一个简单的TestsWebApi测试",
TermsOfService = new Uri("https://www.baidu.com"),
Contact = new OpenApiContact
{
Name = "璀璨的疯子",
Email = "1024@qq.com",
Url = new Uri("https://www.baidu.com")
},
License = new OpenApiLicense
{
Name = "璀璨的疯子",
Url = new Uri("https://www.baidu.com")
}
});
//Swaggers中开启Authorization:token认证
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme()
{
Description = "JWT授权token前面需要加上字段Bearer与一个空格,如Bearer token",
Name = "Authorization",
In = ParameterLocation.Header,
Type = SecuritySchemeType.ApiKey,
BearerFormat = "JWT",
Scheme = "Bearer"
});
//添加全局安全条件
c.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference {
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
}
},
new string[] { }
}
});
// using System.Reflection;
var xmlFilename = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
c.IncludeXmlComments(Path.Combine(AppContext.BaseDirectory, xmlFilename));
});
Configure中添加
app.UseRouting();
//身份认证
app.UseAuthentication();
//授权
app.UseAuthorization();
4、在Program中注入(.net6)
builder.Services.AddSingleton<JwtHelper>();
//JWt注册
//获取配置文件
var JWTConfig = builder.Configuration.GetSection("JWT");
//生成密钥
var symmetricKeyAsBase64 = JWTConfig.GetValue<string>("Secret");
var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
var signingKey = new SymmetricSecurityKey(keyByteArray);
//认证参数
builder.Services.AddAuthentication("Bearer")
.AddJwtBearer(o =>
{
o.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,//是否验证签名,不验证的画可以篡改数据,不安全
IssuerSigningKey = signingKey,//解密的密钥
ValidateIssuer = true,//是否验证发行人,就是验证载荷中的Iss是否对应ValidIssuer参数
ValidIssuer = JWTConfig.GetValue<string>("Issuer"),//发行人
ValidateAudience = true,//是否验证订阅人,就是验证载荷中的Aud是否对应ValidAudience参数
ValidAudience = JWTConfig.GetValue<string>("Audience"),//订阅人
ValidateLifetime = true,//是否验证过期时间,过期了就拒绝访问
ClockSkew = TimeSpan.Zero,//这个是缓冲过期时间,也就是说,即使我们配置了过期时间,这里也要考虑进去,过期时间+缓冲,默认好像是7分钟,你可以直接设置为0
RequireExpirationTime = true,
};
o.Events = new JwtBearerEvents()
{
OnChallenge = context =>
{
context.HandleResponse();
context.Response.Clear();
context.Response.ContentType = "application/json";
context.Response.StatusCode = 401;
context.Response.WriteAsync(new { message = "授权未通过", status = false, code = 401 }.ToString());
return Task.CompletedTask;
}
};
});
builder.Services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v6", new OpenApiInfo
{
Version = "v6",
Title = "第一个Asp.Net Core 3.1 WebApi",
Description = "一个简单的TestsWebApi测试",
TermsOfService = new Uri("https://www.baidu.com"),
Contact = new OpenApiContact
{
Name = "璀璨的疯子",
Email = "1024@qq.com",
Url = new Uri("https://www.baidu.com")
},
License = new OpenApiLicense
{
Name = "璀璨的疯子",
Url = new Uri("https://www.baidu.com")
}
});
//Swaggers中开启Authorization:token认证
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme()
{
Description = "JWT授权token前面需要加上字段Bearer与一个空格,如Bearer token",
Name = "Authorization",
In = ParameterLocation.Header,
Type = SecuritySchemeType.ApiKey,
BearerFormat = "JWT",
Scheme = "Bearer"
});
//添加全局安全条件
c.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference {
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
}
},
new string[] { }
}
});
var xmlFilename = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
c.IncludeXmlComments(Path.Combine(AppContext.BaseDirectory, xmlFilename));
});
//身份认证
app.UseAuthentication();
//授权
app.UseAuthorization();
5、效果
控制器代码
private readonly ILogger<WeatherForecastController> _logger;
private readonly JwtHelper jwt;
public WeatherForecastController(ILogger<WeatherForecastController> logger,JwtHelper jwt)
{
_logger = logger;
this.jwt = jwt;
}
/// <summary>
/// 获取Token
/// </summary>
/// <returns></returns>
[HttpGet, Route("GetToken")]
public IActionResult GetToken()
{
return Json(new
{
code = "200",
message = "成功",
data = new Dictionary<string, string>() {
{ "aeecss_token", jwt.GenerateAccessToken(new List<Claim>() { new Claim("Admin", "Admin") }).ToString()},
{ "refresh_token", jwt.GenerateRefreshToken(new List<Claim>() { new Claim("Admin", "Admin") }).ToString()}
}
});
}
/// <summary>
/// 刷新token
/// </summary>
/// <param name="refreshToken">刷新的token</param>
/// <returns></returns>
[HttpGet, Route("RefreshToken")]
public object RefreshToken(string refreshToken)
{
if (!string.IsNullOrWhiteSpace(refreshToken))
{
if (jwt.ValidationToken(refreshToken))
{
return new { data = new { aeecss_token = jwt.GenerateRefreshToken(new List<Claim>() { new Claim("Admin", "Admin") }).ToString() }, message = "成功", code = 200 };
}
}
return new { message = "授权未通过", data = "", code = 401 };
}
/// <summary>
/// 解析token
/// </summary>
/// <param name="DesToken"></param>
/// <returns></returns>
[HttpPost, Route("DesToken")]
public IActionResult DesToken([FromBody] string DesToken)
{
return Json(new { code = "200", message = "成功", data = jwt.DecryptToken(DesToken) });
}
6、控制台程序生成和解析Token
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
/// <summary>
/// 生成token
/// </summary>
/// <param name="claims">要加密的Claim集合</param>
/// <param name="key">token加密秘钥</param>
/// <param name="expires">token过期时间</param>
/// <returns></returns>
public static string GenerateToken(List<Claim> claims, string key, DateTime expires)
{
byte[] secBytes = Encoding.UTF8.GetBytes(key);
var secKey = new SymmetricSecurityKey(secBytes);
var credentials = new SigningCredentials(secKey, SecurityAlgorithms.HmacSha256Signature);
var tokenDescriptor = new JwtSecurityToken(claims: claims,
expires: expires, signingCredentials: credentials);
return new JwtSecurityTokenHandler().WriteToken(tokenDescriptor);
}
/// <summary>
/// 解析token
/// </summary>
/// <param name="tokenCode">要解析的token</param>
/// <returns></returns>
public static void AnalysisToken(string tokenCode)
{
string[] segments = tokenCode.Split('.');
string head = JwtDecode(segments[0]);
string payload = JwtDecode(segments[1]);
Console.WriteLine("---head---");
Console.WriteLine(head);
Console.WriteLine("---payload---");
Console.WriteLine(payload);
}
public static string JwtDecode(string s)
{
s = s.Replace('-', '+').Replace('_', '/');
switch (s.Length % 4)
{
case 2:
s += "==";
break;
case 3:
s += "=";
break;
}
var bytes = Convert.FromBase64String(s);
return Encoding.UTF8.GetString(bytes);
}
Main方法中测试
List<Claim> claims = new List<Claim>() {
new Claim(ClaimTypes.NameIdentifier, "admin"),
new Claim(ClaimTypes.Role,"1997"),
new Claim("AdminRole","1997"),
new Claim("AdminName","裁决")
};
//秘钥
string key = "BB3647441FFA4B5DB4E64A29B53CE525909111";
//token过期时间
DateTime expires = DateTime.Now.AddMinutes(7);
//生成token
string token=GenerateToken(claims, key, expires);
//打印token
Console.WriteLine(token);
//解析token
AnalysisToken(token);