JWT是什么?校验逻辑?授权过程?这里就不过多的阐述了,直接上代码
在appsettings.json中配置jwt参数的值
SecretKey必须大于16个字符
1 { 2 "Logging": { 3 "LogLevel": { 4 "Default": "Information", 5 "Microsoft.AspNetCore": "Warning" 6 } 7 }, 8 "AllowedHosts": "*", 9 "AppSettings": { 10 //数据库连接字符串 11 "ConnectionString": "server=192.168.132.131;uid=sa;pwd=6014359wQ@!;database=MagCoreDB", 12 "JwtSetting": { 13 "Issuer": "jwtIssuer", //颁发者 14 "Audience": "jwtAudience", //可以给哪些客户端使用 15 "SecretKey": "yehjsiwkjhuhgyehsnd" //加密Key 16 } 17 } 18 }
Nuget安装以下三个包:
在web.core.model中新建类TokenModel:
1 /// <summary> 2 /// 令牌 3 /// </summary> 4 public class TokenModel 5 { 6 /// <summary> 7 /// Id 8 /// </summary> 9 public string Uid { get; set; } 10 /// <summary> 11 /// 角色 12 /// </summary> 13 public string Role { get; set; } 14 15 }
新建JwtHelper.cs帮助类
1 public class JwtHelper 2 { 3 /// <summary> 4 /// 颁发JWT字符串 5 /// </summary> 6 /// <param name="tokenModel"></param> 7 /// <returns></returns> 8 public static string IssueJwt(TokenModel tokenModel) 9 { 10 //获取Appsetting配置 11 string iss = AppSettings.app(new string[] { "AppSettings", "JwtSetting", "Issuer" }); 12 string aud = AppSettings.app(new string[] { "AppSettings", "JwtSetting", "Audience" }); 13 string secret = AppSettings.app(new string[] { "AppSettings", "JwtSetting", "SecretKey" }); 14 15 //var claims = new Claim[] //old 16 var claims = new List<Claim> 17 { 18 /* 19 * 特别重要: 20 1、这里将用户的部分信息,比如 uid 存到了Claim 中,如果你想知道如何在其他地方将这个 uid从 Token 中取出来,请看下边的SerializeJwt() 方法,或者在整个解决方案,搜索这个方法,看哪里使用了! 21 2、你也可以研究下 HttpContext.User.Claims ,具体的你可以看看 Policys/PermissionHandler.cs 类中是如何使用的。 22 */ 23 new Claim(JwtRegisteredClaimNames.Jti, tokenModel.Uid.ToString()), 24 new Claim(JwtRegisteredClaimNames.Iat, $"{new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds()}"), 25 new Claim(JwtRegisteredClaimNames.Nbf,$"{new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds()}") , 26 //这个就是过期时间,目前是过期1000秒,可自定义,注意JWT有自己的缓冲过期时间 27 new Claim (JwtRegisteredClaimNames.Exp,$"{new DateTimeOffset(DateTime.Now.AddSeconds(1000)).ToUnixTimeSeconds()}"), 28 new Claim(ClaimTypes.Expiration, DateTime.Now.AddSeconds(1000).ToString()), 29 new Claim(JwtRegisteredClaimNames.Iss,iss), 30 new Claim(JwtRegisteredClaimNames.Aud,aud), 31 32 }; 33 34 // 可以将一个用户的多个角色全部赋予; 35 claims.AddRange(tokenModel.Role.Split(',').Select(s => new Claim(ClaimTypes.Role, s))); 36 37 38 39 //秘钥 (SymmetricSecurityKey 对安全性的要求,密钥的长度太短会报出异常) 40 var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)); 41 var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256); 42 43 var jwt = new JwtSecurityToken( 44 issuer: iss, 45 claims: claims, 46 signingCredentials: creds); 47 48 var jwtHandler = new JwtSecurityTokenHandler(); 49 var encodedJwt = jwtHandler.WriteToken(jwt); 50 51 return encodedJwt; 52 } 53 54 /// <summary> 55 /// 解析 56 /// </summary> 57 /// <param name="jwtStr"></param> 58 /// <returns></returns> 59 public static TokenModel SerializeJwt(string jwtStr) 60 { 61 var jwtHandler = new JwtSecurityTokenHandler(); 62 JwtSecurityToken jwtToken = jwtHandler.ReadJwtToken(jwtStr); 63 object role; 64 try 65 { 66 jwtToken.Payload.TryGetValue(ClaimTypes.Role, out role); 67 } 68 catch (Exception e) 69 { 70 Console.WriteLine(e); 71 throw; 72 } 73 var tm = new TokenModel 74 { 75 Uid = jwtToken.Id.ToString(), 76 Role = role != null ? role.ToString() : "", 77 }; 78 return tm; 79 } 80 }
在HomeController中新建Login接口来获取Token
1 /// <summary> 2 /// 获取Token 3 /// </summary> 4 /// <param name="rolename"></param> 5 /// <param name="password"></param> 6 /// <returns></returns> 7 [HttpGet] 8 [AllowAnonymous] 9 public async Task<IActionResult> Login(string rolename, string password) 10 { 11 string jwtStr = string.Empty; 12 bool suc = false; 13 14 if (rolename != null && password != null) 15 { 16 if (rolename != "Admin" && password != "123456") 17 { 18 jwtStr = "输入不正确!"; 19 } 20 else 21 { 22 // 将用户id和角色名,作为单独的自定义变量封装进 token 字符串中。 23 TokenModel tokenModel = new TokenModel { Uid = "1", Role = rolename }; 24 jwtStr = JwtHelper.IssueJwt(tokenModel);//登录,获取到一定规则的 Token 令牌 25 suc = true; 26 } 27 } 28 else 29 { 30 jwtStr = "输入不能为空!"; 31 } 32 33 return Ok(new 34 { 35 success = suc, 36 token = jwtStr 37 }); 38 }
运行项目,输入Admin,123456,获取Token:
JWT权限验证,就需要开启验证,然后输入token令牌,然后在SwaggerSetUp.cs的AddSwaggerSetup方法的AddSwaggerGen服务中,添加代码:
1 services.AddSwaggerGen(c => 2 { 3 c.SwaggerDoc("V1", new OpenApiInfo 4 { 5 // {ApiName} 定义成全局变量,方便修改 6 Version = "V1", 7 Title = $"{ApiName} 接口文档——.NetCore 6.0", 8 Description = $"{ApiName} HTTP API V1", 9 //Contact = new OpenApiContact { Name = ApiName, Email = "Blog.Core@xxx.com", Url = new Uri("https://www.jianshu.com/u/94102b59cc2a") }, 10 //License = new OpenApiLicense { Name = ApiName, Url = new Uri("https://www.jianshu.com/u/94102b59cc2a") } 11 }); 12 c.OrderActionsBy(o => o.RelativePath); 13 14 var xmlPath = Path.Combine(AppContext.BaseDirectory, "Mag.Core.API.xml");//这个就是刚刚配置的xml文件名 15 c.IncludeXmlComments(xmlPath, true);//默认的第二个参数是false,这个是controller的注释,记得修改 16 var xmlModelPath = Path.Combine(AppContext.BaseDirectory, "Mag.Core.Model.xml");//这个就是Model层的xml文件名 17 c.IncludeXmlComments(xmlModelPath); 18 19 // 在header中添加token,传递到后台 20 c.OperationFilter<SecurityRequirementsOperationFilter>(); 21 22 #region Token绑定到ConfigureServices 23 c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme 24 { 25 Description = "JWT授权(数据将在请求头中进行传输) 直接在下框中输入Bearer {token}(注意两者之间是一个空格)\"", 26 Name = "Authorization",//jwt默认的参数名称 27 In = ParameterLocation.Header,//jwt默认存放Authorization信息的位置(请求头中) 28 Type = SecuritySchemeType.ApiKey 29 }); 30 #endregion 31 });
运行项目,就可以看见JWT验证入口:
在SetUp文件夹里面新建注册方法AuthorizationSetup.cs
1 public static class AuthorizationSetup 2 { 3 public static void AddAuthorizationSetup(this IServiceCollection services) 4 { 5 if (services == null) throw new ArgumentNullException(nameof(services)); 6 7 // 1【授权】、这个和上边的异曲同工,好处就是不用在controller中,写多个 roles 。 8 // 然后这么写 [Authorize(Policy = "Admin")] 9 services.AddAuthorization(options => 10 { 11 options.AddPolicy("User", policy => policy.RequireRole("User").Build()); 12 options.AddPolicy("System", policy => policy.RequireRole("System").Build()); 13 options.AddPolicy("SystemOrAdmin", policy => policy.RequireRole("Admin", "System")); 14 15 }); 16 17 //读取配置文件 18 var symmetricKeyAsBase64 = AppSettings.app(new string[] { "AppSettings", "JwtSetting", "SecretKey" }); 19 var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64); 20 var signingKey = new SymmetricSecurityKey(keyByteArray); 21 var Issuer = AppSettings.app(new string[] { "AppSettings", "JwtSetting", "Issuer" }); 22 var Audience = AppSettings.app(new string[] { "AppSettings", "JwtSetting", "Audience" }); 23 24 25 26 // 令牌验证参数 27 var tokenValidationParameters = new TokenValidationParameters 28 { 29 ValidateIssuerSigningKey = true, 30 IssuerSigningKey = signingKey, 31 ValidateIssuer = true, 32 ValidIssuer = Issuer,//发行人 33 ValidateAudience = true, 34 ValidAudience = Audience,//订阅人 35 ValidateLifetime = true, 36 ClockSkew = TimeSpan.FromSeconds(30), 37 RequireExpirationTime = true, 38 }; 39 40 //2.1【认证】、core自带官方JWT认证 41 // 开启Bearer认证 42 services.AddAuthentication("Bearer") 43 // 添加JwtBearer服务 44 .AddJwtBearer(o => 45 { 46 o.TokenValidationParameters = tokenValidationParameters; 47 o.Events = new JwtBearerEvents 48 { 49 OnAuthenticationFailed = context => 50 { 51 // 如果过期,则把<是否过期>添加到,返回头信息中 52 if (context.Exception.GetType() == typeof(SecurityTokenExpiredException)) 53 { 54 context.Response.Headers.Add("Token-Expired", "true"); 55 } 56 return Task.CompletedTask; 57 } 58 }; 59 }); 60 61 62 63 } 64 }
在program.cs里面注册服务,开启服务
//jwt授权验证
builder.Services.AddAuthorizationSetup();app.UseAuthentication();
在BaseApiController里面设置全局权限验证:
没有验证权限会提示401:
设置获取token的时候 [AllowAnonymous],无需验证:
设置测试方法:需要System的权限才能访问:
上面我们是用的Admin的权限,所以会提示403错误
新增解析Token的方法:
1 /// <summary> 2 /// 解析Token 3 /// </summary> 4 /// <returns></returns> 5 [HttpGet] 6 [Authorize] 7 public IActionResult ParseToken() 8 { 9 //需要截取Bearer 10 var tokenHeader = HttpContext.Request.Headers["Authorization"].ToString().Replace("Bearer ", ""); 11 var user = JwtHelper.SerializeJwt(tokenHeader); 12 return Ok(user); 13 14 }
解析出来的role是Admin。
![[XDCTF 2015]filemanager](https://img2024.cnblogs.com/blog/3475290/202407/3475290-20240702184326121-389816894.png)
