In article (10) the token was generated, so now we need to verify whether a token is valid.
For example:
(1) Can we successfully parse a token we generated ourselves?
(2) Someone else's token (we can't get hold of one without knowing their generation rules; and if we knew the rules, it would effectively be the same as one we created ourselves, haha)
.....
Enough talk, on to the code.
1. Code:
// Required namespaces (System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages)
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

// _key, _issuer and _audience are fields of the enclosing service class (loaded from configuration; not shown here)
// Generation
public string GenerateToken(JwtClaim jwtClaim)
{
    var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_key));
    var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
    var claims = new[]
    {
        new Claim("Id", jwtClaim.Id),
        new Claim("NickName", jwtClaim.NickName),
        new Claim("Name", jwtClaim.Name),
        new Claim("UserType", jwtClaim.UserType),
        // permissions
        new Claim("Roles", jwtClaim.Roles),
        new Claim("Menus", jwtClaim.Menus),
    };
    var token = new JwtSecurityToken(
        issuer: _issuer,
        audience: _audience,
        claims: claims,
        notBefore: DateTime.Now,
        expires: DateTime.Now.AddMinutes(120),
        signingCredentials: credentials);
    var result = new JwtSecurityTokenHandler().WriteToken(token);
    // Validation test
    //var a1 = ValidateToken(result);
    //var a2 = ValidateToken2(result);
    return result;
}

// Validation 1
public bool ValidateToken(string token)
{
    var tokenHandler = new JwtSecurityTokenHandler();
    try
    {
        var jmType = SecurityAlgorithms.HmacSha256;
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = _issuer,
            ValidAudience = _audience,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_key)),
            ClockSkew = TimeSpan.Zero
        };
        // Throws if the signature, issuer, audience or lifetime check fails; returns the ClaimsPrincipal (unused here)
        var principal = tokenHandler.ValidateToken(token, parameters, out SecurityToken validatedToken);
        // Additionally require that the token header declares the expected algorithm
        var tf = validatedToken is JwtSecurityToken jwtToken && jwtToken.Header.Alg.Equals(jmType);
        return tf;
    }
    catch (Exception)
    {
        return false;
    }
}

// Validation 2
public async Task<bool> ValidateToken2(string token)
{
    var handler = new JwtSecurityTokenHandler();
    try
    {
        // Parse and validate the token
        TokenValidationParameters t = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = _issuer,
            ValidAudience = _audience,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_key)),
            ClockSkew = TimeSpan.Zero
        };
        // Async variant: returns a TokenValidationResult instead of throwing on validation failure
        var e = await handler.ValidateTokenAsync(token, t);
        return e.IsValid;
    }
    catch (Exception ex)
    {
        Console.WriteLine($"Error validating token: {ex.Message}");
        return false; // token is invalid
    }
}
Two validation methods are provided above, and the token is validated right when it is created.
2. Test: (validation passes in all the tests, so no need to elaborate)
3. PS notes:
3.1 Try not to put sensitive information such as passwords into claims, because anyone holding a token can read the information in your claims (you can view them at jwt.io.com); this prevents malicious parties from exploiting it.
3.2 If the code above is placed in the service layer, remember to reference Microsoft.AspNetCore.Authentication.JwtBearer. (Otherwise, like me at the start, validation keeps failing with:
{"IDX10225: Lifetime validation failed. The token is missing an Expiration Time. Tokentype: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'."})
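To make note 3.1 concrete, here is an added example (not code from the original post) that decodes a token's claims without the signing key and then shows that editing one claim makes the same validation checks as above fail; the key, issuer and audience values and the helper names are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;
public static class JwtClaimVisibilityDemo
{
    // Placeholders: a real key is a long random secret kept out of source control.
    const string Key = "placeholder-secret-key-at-least-32-bytes-long!!";
    const string Issuer = "example-issuer";
    const string Audience = "example-audience";

    static string Generate()
    {
        var creds = new SigningCredentials(
            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Key)), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(Issuer, Audience,
            new[] { new Claim("Id", "42"), new Claim("UserType", "user") },
            DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5), creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Same checks as the post's ValidateToken: issuer, audience, lifetime and signature.
    static bool Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = Audience,
            ValidateLifetime = true, ClockSkew = TimeSpan.Zero,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Key)),
        };
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _); return true; }
        catch (SecurityTokenException) { return false; }
    }
    public static void Main()
    {
        var jwt = Generate();
        // 1) ReadJwtToken decodes the payload without any key: claims are visible to anyone holding the token.
        var unverified = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        Console.WriteLine("UserType read without the key: " + unverified.Claims.First(c => c.Type == "UserType").Value);
        // 2) Edit one claim in the payload: the HS256 signature no longer matches, so validation rejects it.
        var parts = jwt.Split('.');
        parts[1] = Base64UrlEncoder.Encode(Base64UrlEncoder.Decode(parts[1]).Replace("\"user\"", "\"admin\""));
        Console.WriteLine("original valid: " + Validate(jwt) + ", edited valid: " + Validate(string.Join(".", parts)));
    }
}
```

The first line of output shows the claim value with no key involved, which is why a password or similar must never be placed in a claim; the second line shows that the payload cannot be changed without the key, since the signature check catches the edit.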