.NET Core HttpRequest middleware and AccessToken mechanism?

I am very confused about generating an access token and then using it. Should the generation of the access token go in the Controller or in the middleware? I would be grateful if someone could explain this to me.

Here is an example that should help you, or at least give you some hints on how to steer your work by understanding what is actually going on. It is not very secure, though; please read up on the recommended Identity framework.

You can keep the access token dynamic (look up the record in the database that matches the value sent by the request source) or hard-code some of them in the middleware's Web.Config file.

For example (taking the DB approach for the access token):

DB table definition:

Create table Tokens(
    id int identity(1,1) primary key,
    userId int,            -- owner of the token
    TokenValue varchar(max),
    IsActive bit           -- 0 = not usable, 1 = handed out to the user
)

Custom models:

public class Error
{
    public string ErrMsg { get; set; }
}

public class ReturnData
{
    public Error ErrorObj { get; set; }     // null when the login succeeded
    public string UserName { get; set; }
    public string AccessToken { get; set; } // token the client sends on later requests
}

public class User
{
    public int UserId { get; set; }
    public string UserName { get; set; }
    public string Password { get; set; }
}

In the API controller:

public ReturnData GetData(User Creds)
{
    ReturnData Data = new ReturnData();
    string Pass = Decrypt(Creds.Password);   // Decrypt/Encrypt are the answerer's own helpers (not shown)
    string DbTokenValue = null;              // TokenValue read from the Tokens table
    int i = 0;
    // Code here to get the middleware access token from the db table Tokens
    // and update the token's IsActive from 0 to 1 in the database
    // (0 = false, 1 = true); i holds the number of rows affected.
    if (i > 0)
    {
        Data.AccessToken = Encrypt(DbTokenValue);
        Data.UserName = Creds.UserName;
    }
    else
    {
        Error err = new Error();
        err.ErrMsg = "something happened";
        Data.ErrorObj = err;
    }
    return Data;
}

Then use this token for the rest of the APIs: compare it with the token from the DB to make sure it is the same user, and grant permission to perform the operation.

Good luck.
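The DB-backed token scheme this answer sketches, worked through as an added example (not code from the answer). It differs from the answer in one deliberate way: the token is generated at login rather than pre-seeded, only its SHA-256 hash is stored, and every protected request looks the hash up and checks IsActive and an expiry column. An in-memory SQLite database stands in for the real one so the example runs offline; the `ExpiresAt` and `TokenHash` columns and the 20-minute lifetime are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 20 * 60  # assumption: tokens live for 20 minutes


def open_db():
    """Constructed in-memory Tokens table mirroring the answer's definition."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Tokens ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " userId INTEGER NOT NULL,"
        " TokenHash TEXT NOT NULL UNIQUE,"   # hash of the token, never the raw value
        " ExpiresAt INTEGER NOT NULL,"
        " IsActive INTEGER NOT NULL DEFAULT 1)"
    )
    return db


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, user_id, now=None):
    """Login controller: called after the password check passed. Returns the
    raw token for the client; only its hash is persisted, so a DB leak does
    not hand out usable tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO Tokens (userId, TokenHash, ExpiresAt, IsActive) VALUES (?, ?, ?, 1)",
        (user_id, _hash(token), int(now + TOKEN_TTL_SECONDS)),
    )
    db.commit()
    return token


def lookup_token(db, token, now=None):
    """Middleware side, run on every protected request: returns the userId the
    token belongs to, or None if it is unknown, revoked or expired."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT userId, ExpiresAt, IsActive FROM Tokens WHERE TokenHash = ?",
        (_hash(token),),
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at, is_active = row
    if not is_active or now >= expires_at:
        return None
    return user_id


def revoke_token(db, token):
    """Logout: flip IsActive to 0 so the token stops working immediately."""
    db.execute("UPDATE Tokens SET IsActive = 0 WHERE TokenHash = ?", (_hash(token),))
    db.commit()


def demo():
    """Exercise the happy path plus the three ways a token is rejected."""
    db = open_db()
    t0 = 1_700_000_000
    tok = issue_token(db, user_id=7, now=t0)
    tampered = tok[:-1] + ("A" if tok[-1] != "A" else "B")  # one character changed
    results = {
        "valid": lookup_token(db, tok, now=t0 + 60),
        "tampered": lookup_token(db, tampered, now=t0 + 60),
        "expired": lookup_token(db, tok, now=t0 + TOKEN_TTL_SECONDS),
    }
    revoke_token(db, tok)
    results["revoked"] = lookup_token(db, tok, now=t0 + 60)
    return results
```

Because the lookup is by hash, no timing-safe comparison of the raw token is needed, and the `UNIQUE` constraint means a collision on insert fails loudly instead of silently sharing a token between users.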

First of all, generating access tokens, refresh tokens and so on should happen in a real authorization server. For more information see http://authguidance.com

But I too have generated JWT tokens in my own application... this is what I did in .NET Core 2.0.

In startup.cs, ConfigureServices:

using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// tokenSetting is the answerer's settings object (Issuer, Audience, RequireHttpsMetadata)
var securityKey = "asdasdasdasdasdasddsda123123132123123"; // your own key
var key = Encoding.UTF8.GetBytes(securityKey);

var signingKey = new SymmetricSecurityKey(key);
var tokenValidationParameters = new TokenValidationParameters()
{
    ValidAudiences = new string[]
    {
        tokenSetting.Audience
    },
    ValidIssuers = new string[]
    {
        tokenSetting.Issuer
    },
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = signingKey,
    ClockSkew = TimeSpan.Zero   // no tolerance on exp: the token is rejected the moment it expires
};

services.AddAuthentication(options =>
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Events = new JwtBearerEvents
    {
        OnAuthenticationFailed = context =>
        {
            context.Response.Headers.Add("x-tokenstatus-header", "fail"); // may be not necessary for you
            return Task.CompletedTask;
        }
    };
    options.Audience = tokenSetting.Audience;
    options.RequireHttpsMetadata = tokenSetting.RequireHttpsMetadata;
    options.TokenValidationParameters = tokenValidationParameters;
});

and in Configure:

app.UseTokenProvider(); // This is my own middleware
app.UseAuthentication();
app.UseMvc();

using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.IdentityModel.Tokens;

public class TokenProviderMiddleware
{
    private readonly RequestDelegate _next;
    private readonly TokenSettings _tokenSettings; // answerer's settings type (Issuer, Audience, ...)

    public TokenProviderMiddleware(RequestDelegate next, TokenSettings tokenSettings)
    {
        _next = next;
        _tokenSettings = tokenSettings;
    }

    // IUserService (answerer's own service) is resolved per request through Invoke,
    // because middleware instances are created once for the whole app.
    public Task Invoke(HttpContext context, IUserService userService)
    {
        // Everything except POST /api/login just passes through to the next middleware.
        if (!IsAuthenticationRequest(context.Request.Path, context.Request.Method))
        {
            return this._next(context);
        }

        var securityKey = "asdasdasdasdasdasddsda123123132123123"; // your own key, same as in Startup
        var key = Encoding.UTF8.GetBytes(securityKey);

        var signingKey = new SymmetricSecurityKey(key);
        var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

        // Claims for the authenticated user; the original does not show how they are
        // built (the credential check against userService belongs here).
        var listClaims = new List<Claim>();
        var claimsIdentity = new ClaimsIdentity(listClaims, "Custom");

        var securityTokenDescriptor = new SecurityTokenDescriptor()
        {
            Audience = this._tokenSettings.Audience,
            Issuer = this._tokenSettings.Issuer,
            Subject = claimsIdentity,
            SigningCredentials = signingCredentials,
            Expires = DateTime.UtcNow.AddMinutes(20),
        };

        var tokenHandler = new JwtSecurityTokenHandler();
        var plainToken = tokenHandler.CreateToken(securityTokenDescriptor);
        var signedAndEncodedToken = tokenHandler.WriteToken(plainToken);

        // signedAndEncodedToken => contains your token; you can send it as the response or anything you want.
        // Here it is returned as a small JSON body.
        context.Response.ContentType = "application/json";
        return context.Response.WriteAsync("{\"access_token\":\"" + signedAndEncodedToken + "\"}");
    }

    private bool IsAuthenticationRequest(string path, string method)
    {
        if (HttpMethods.IsPost(method) && path?.IndexOf("/api/login", StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return true;
        }
        return false;
    }
}

// Provides the app.UseTokenProvider() call used in Configure.
public static class TokenProviderMiddlewareExtensions
{
    public static IApplicationBuilder UseTokenProvider(this IApplicationBuilder app)
    {
        return app.UseMiddleware<TokenProviderMiddleware>();
    }
}

Let me know if you need an explanation of the code.
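What the TokenValidationParameters in this answer actually enforce on each request, shown as a language-independent added example (not part of the answer and not the ASP.NET Core JwtBearer implementation): an HS256 JWT is minted the way the middleware above does it (issuer, audience, exp, signed with the shared key) and then checked for signature, issuer, audience and expiry with ClockSkew = 0. Python standard library only; the key, issuer and audience values are placeholders, the forged and alg=none tokens are constructed inputs.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholders standing in for the signingKey and tokenSetting.Issuer / Audience.
SECRET = b"asdasdasdasdasdasddsda123123132123123"
ISSUER = "https://issuer.example"
AUDIENCE = "my-api"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_jwt(claims, key, lifetime_s=20 * 60, now=None):
    """Counterpart of SecurityTokenDescriptor + JwtSecurityTokenHandler.CreateToken."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + lifetime_s}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_jwt(token, key, now=None, clock_skew_s=0):
    """Counterpart of TokenValidationParameters: ValidateIssuerSigningKey,
    ValidIssuers, ValidAudiences and expiry with ClockSkew (0 by default).
    Returns the claims or raises ValueError with the reason."""
    now = int(time.time()) if now is None else int(now)
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token")
    # Pin the algorithm server-side; the token must never choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if payload.get("iss") != ISSUER:
        raise ValueError("bad issuer")
    aud = payload.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if now >= int(payload.get("exp", 0)) + clock_skew_s:  # rejected from exp onward
        raise ValueError("expired")
    return payload


def demo(now=1_700_000_000):
    """Happy path plus the failure modes the validation is there to catch."""
    tok = create_jwt({"sub": "alice", "role": "admin"}, SECRET, now=now)
    outcomes = {"valid": validate_jwt(tok, SECRET, now=now + 60)["sub"]}
    # Constructed attack: escalate the role claim but keep the original signature.
    h, p, s = tok.split(".")
    forged_claims = json.loads(_b64url_decode(p))
    forged_claims["role"] = "superadmin"
    forged = h + "." + _b64url(json.dumps(forged_claims, separators=(",", ":")).encode()) + "." + s
    # Constructed attack: header says alg=none and the signature part is empty.
    alg_none = _b64url(b'{"alg":"none","typ":"JWT"}') + "." + p + "."
    cases = [
        ("tampered", forged, now + 60),
        ("wrong_key", create_jwt({"sub": "mallory"}, b"some-other-key", now=now), now + 60),
        ("expired", tok, now + 20 * 60),
        ("alg_none", alg_none, now + 60),
    ]
    for name, candidate, at in cases:
        try:
            validate_jwt(candidate, SECRET, now=at)
            outcomes[name] = "accepted"
        except ValueError as e:
            outcomes[name] = str(e)
    return outcomes
```

The order of checks matters: the algorithm is pinned before the signature is verified, and the signature is verified before any claim is trusted, so issuer, audience and expiry are only read from payloads that the shared key vouches for.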