.Net Core JWT
参考地址
- .NET CORE 2.0 代码参考的这边
- .NET CORE 3.0 JWT
说明
https://www.cnblogs.com/uoyo/p/13209685.html
老张说jwt不适合中级以上的项目,所以这边只是用于去了解一下如何使用的。
环境为.Net Core 3.1
GitHub地址
1.Nuget 安装包
Microsoft.AspNetCore.Authentication.JwtBearer
千万不要安装下面的这个,否则一直401,我TM查了快一天
<PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.7.1" />
2.Startup
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
////添加jwt验证:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,//是否验证Issuer
ValidateAudience = true,//是否验证Audience
ValidateLifetime = true,//是否验证失效时间
ClockSkew = TimeSpan.FromSeconds(30),
ValidateIssuerSigningKey = true,//是否验证SecurityKey
ValidAudience = Const.Domain,//Audience
ValidIssuer = Const.Domain,//Issuer,这两项和前面签发jwt的设置一致
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Const.SecurityKey))//拿到SecurityKey
};
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseRouting();
app.UseAuthentication();//认证中间件
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
3.控制器代码
我这边只是为了demo快速演示,所以Const存放的密匙什么的就随便放的。
/api/jwt 不需要jwt认证就可以访问
/api/Authorize 需要Jwt认证才可以访问
/api/login 返回Jwt
[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
[Route("/api/jwt")]
[HttpGet]
public async Task<dynamic> JWT()
{
return "无权限获取";
}
[Route("/api/Authorize")]
[HttpGet]
[Authorize]
public dynamic Authorize()
{
return "有权限获取";
}
// [AllowAnonymous] 是什么意思
[Route("/api/login")]
[HttpPost]
public IActionResult login()
{
var claims = new[]
{
new Claim(Microsoft.IdentityModel.JsonWebTokens.JwtRegisteredClaimNames.Nbf,$"{new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds()}") ,
new Claim (Microsoft.IdentityModel.JsonWebTokens.JwtRegisteredClaimNames.Exp,$"{new DateTimeOffset(DateTime.Now.AddMinutes(30)).ToUnixTimeSeconds()}"),
new Claim(ClaimTypes.Name, "测试jwt")
};
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Const.SecurityKey));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(
issuer: Const.Domain,
audience: Const.Domain,
claims: claims,
expires: DateTime.Now.AddMinutes(30),
signingCredentials: creds);
return Ok(new
{
token = new JwtSecurityTokenHandler().WriteToken(token)
});
}
}
public static class Const
{
/// <summary>
/// 这里为了演示,写死一个密钥。实际生产环境可以从配置文件读取,这个是用网上工具随便生成的一个密钥
/// </summary>
public const string SecurityKey = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI2a2EJ7m872v0afyoSDJT2o1+SitIeJSWtLJU8/Wz2m7gStexajkeD+Lka6DSTy8gt9UwfgVQo6uKjVLG5Ex7PiGOODVqAEghBuS7JzIYU5RvI543nNDAPfnJsas96mSA7L/mD7RTE2drj6hf3oZjJpMPZUQI/B1Qjb5H3K3PNwIDAQAB";
/// <summary>
/// 站点地址
/// </summary>
public const string Domain = "http://localhost:5000";
/// <summary>
/// 受理人,之所以弄成可变的是为了用接口动态更改这个值以模拟强制Token失效
/// 真实业务场景可以在数据库或者redis存一个和用户id相关的值,生成token和验证token的时候获取到持久化的值去校验
/// 如果重新登陆,则刷新这个值
/// </summary>
public static string ValidAudience;
}