zoukankan      html  css  js  c++  java
  • 三分钟学会.NET Core Jwt 策略授权认证

    一.前言

      大家好我又回来了,前几天讲过一个关于Jwt的身份验证最简单的案例,但是功能还是不够强大,不适用于真正的项目,是的,在真正面对复杂而又苛刻的客户中,我们会不知所措,就现在需要将认证授权这一块也变的复杂而又实用起来,那在专业术语中就叫做自定义策略的API认证,本次案例运行在.NET Core 3.0中,最后我们将在swagger中进行浏览,来尝试项目是否正常,对于.NET Core 2.x 版本,这篇文章有些代码不适用,但我会在文中说明。

    二.在.NET Core中尝试

      我们都知道Jwt是为了认证,微软给我们提供了进城打鬼子的城门,那就是 AuthorizationHandle

      我们首先要实现它,并且我们还可以根据依赖注入的 AuthorizationHandlerContext 来获取上下文,就这样我们就更可以做一些权限的手脚

    public class PolicyHandler : AuthorizationHandler<PolicyRequirement>
        {
            protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PolicyRequirement requirement)
            {
                var http = (context.Resource as Microsoft.AspNetCore.Routing.RouteEndpoint);
                var questUrl = "/"+http.RoutePattern.RawText; 
                //赋值用户权限
                var userPermissions = requirement.UserPermissions;
                //是否经过验证
                var isAuthenticated = context.User.Identity.IsAuthenticated;
                if (isAuthenticated)
                {
                    if (userPermissions.Any(u=>u.Url == questUrl))
                    {
                        //用户名
                        var userName = context.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.NameIdentifier).Value;
                        if (userPermissions.Any(w => w.UserName == userName))
                        {
                            context.Succeed(requirement);
                        }
                    }
                }
                return Task.CompletedTask;
            }
        }

      首先,我们重写了 HandleRequirementAsync 方法,如果你看过AspNetCore的源码你一定知道,它是Jwt身份认证的开端,也就是说你重写了它,原来那一套就不会走了,我们观察一下源码,我贴在下面,可以看到这就是一个最基本的授权,通过 context.Succeed(requirement 完成了最后的认证动作!

    public class DenyAnonymousAuthorizationRequirement : AuthorizationHandler<DenyAnonymousAuthorizationRequirement>, IAuthorizationRequirement
        {
            /// <summary>
            /// Makes a decision if authorization is allowed based on a specific requirement.
            /// </summary>
            /// <param name="context">The authorization context.</param>
            /// <param name="requirement">The requirement to evaluate.</param>
            protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DenyAnonymousAuthorizationRequirement requirement)
            {
                var user = context.User;
                var userIsAnonymous =
                    user?.Identity == null ||
                    !user.Identities.Any(i => i.IsAuthenticated);
                if (!userIsAnonymous)
                {
                    context.Succeed(requirement);
                }
                return Task.CompletedTask;
            }
        }

    那么  Succeed  是一个什么呢?它是一个在  AuthorizationHandlerContext的定义动作,包括Fail() ,也是如此,当然具体实现我们不在细谈,其内部还是挺复杂的,不过我们需要的是  DenyAnonymousAuthorizationRequirement  被当作了抽象的一部分。

    public abstract class AuthorizationHandler<TRequirement> : IAuthorizationHandler
                where TRequirement : IAuthorizationRequirement
        {}

    好吧,言归正传(看源码挺刺激的),我们刚刚在  PolicyHandler实现了自定义认证策略,上面还说到了两个方法。现在我们在项目中配置并启动它,并且我在代码中也是用了Swagger用于后面的演示。

    在  AddJwtBearer中我们添加了jwt验证包括了验证参数以及几个事件处理,这个很基本,不在解释。不过在Swagger中添加jwt的一些功能是在  AddSecurityDefinition  中写入的。

    public void ConfigureServices(IServiceCollection services)
            {
                //添加策略鉴权模式
                services.AddAuthorization(options =>
                {
                    options.AddPolicy("Permission", policy => policy.Requirements.Add(new PolicyRequirement()));
                })
                .AddAuthentication(s =>
                {
                    //添加JWT Scheme
                    s.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                    s.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                    s.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                })
                //添加jwt验证:
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateLifetime = true,//是否验证失效时间
                        ClockSkew = TimeSpan.FromSeconds(30),
    
                        ValidateAudience = true,//是否验证Audience
                        //ValidAudience = Const.GetValidudience(),//Audience
                        //这里采用动态验证的方式,在重新登陆时,刷新token,旧token就强制失效了
                        AudienceValidator = (m, n, z) =>
                        {
                            return m != null && m.FirstOrDefault().Equals(Const.ValidAudience);
                        },
                        ValidateIssuer = true,//是否验证Issuer
                        ValidIssuer = Const.Domain,//Issuer,这两项和前面签发jwt的设置一致
    
                        ValidateIssuerSigningKey = true,//是否验证SecurityKey
                        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Const.SecurityKey))//拿到SecurityKey
                    };
                    options.Events = new JwtBearerEvents
                    {
                        OnAuthenticationFailed = context =>
                        {
                            //Token expired
                            if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
                            {
                                context.Response.Headers.Add("Token-Expired", "true");
                            }
                            return Task.CompletedTask;
                        }
                    };
                }); 
                services.AddSwaggerGen(c =>
                {
                    c.SwaggerDoc("v1", new OpenApiInfo
                    {
                        Version = "v1",
                        Title = "HaoZi JWT",
                        Description = "基于.NET Core 3.0 的JWT 身份验证",
                        Contact = new OpenApiContact
                        {
                            Name = "zaranet",
                            Email = "zaranet@163.com",
                            Url = new Uri("http://cnblogs.com/zaranet"),
                        },
                    });
                    c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme()
                    {
                        Description = "在下框中输入请求头中需要添加Jwt授权Token:Bearer Token",
                        Name = "Authorization",
                        In = ParameterLocation.Header,
                        Type = SecuritySchemeType.ApiKey,
                        BearerFormat = "JWT",
                        Scheme = "Bearer"
                    });
                    c.AddSecurityRequirement(new OpenApiSecurityRequirement
                    {
                        {
                            new OpenApiSecurityScheme
                            {
                                Reference = new OpenApiReference {
                                    Type = ReferenceType.SecurityScheme,
                                    Id = "Bearer"
                                }
                            },
                            new string[] { }
                        }
                    });
                });
                //认证服务
                services.AddSingleton<IAuthorizationHandler, PolicyHandler>();
                services.AddControllers();
            }

    在以上代码中,我们通过鉴权模式添加了认证规则,一个名叫  PolicyRequirement  的类,它实现了  IAuthorizationRequirement  接口,其中我们需要定义一些规则,通过构造函数我们可以添加我们要识别的权限规则。那个UserName就是 Attribute 。

    public class PolicyRequirement : IAuthorizationRequirement
        {/// <summary>
         /// User rights collection
         /// </summary>
            public List<UserPermission> UserPermissions { get; private set; }
            /// <summary>
            /// No permission action
            /// </summary>
            public string DeniedAction { get; set; }
            /// <summary>
            /// structure
            /// </summary>
            public PolicyRequirement()
            {
                //Jump to this route without permission
                DeniedAction = new PathString("/api/nopermission");
                //Route configuration that users have access to, of course you can read it from the database, you can also put it in Redis for persistence
                UserPermissions = new List<UserPermission> {
                                  new UserPermission {  Url="/api/value3", UserName="admin"},
                              };
            }
        }
        public class UserPermission
        {
            public string UserName { get; set; }
            public string Url { get; set; }
        }

    随后我们应当启动我们的服务,在.NET Core 3.0 中身份验证的中间件位置需要在路由和端点配置的中间。

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
            {
                if (env.IsDevelopment())
                {
                    app.UseDeveloperExceptionPage();
                }
                app.UseSwagger();
                app.UseSwaggerUI(c =>
                {
                    c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
                });
                app.UseRouting();
                app.UseAuthentication();
                app.UseAuthorization();
                app.UseEndpoints(endpoints =>
                {
                    endpoints.MapControllers();
                });
            }

      我们通常会有一个获取token的API,用于让Jwt通过  JwtSecurityTokenHandler().WriteToken(token)  用于生成我们的token,虽然jwt是没有状态的,但你应该也明白,如果你的jwt生成了随后你重启了你的网站,你的jwt会失效,这个是因为你的密钥进行了改变,如果你的密钥一直写死,那么这个jwt将不会再过期,这个还是有安全风险的,这个我不在这里解释,gettoken定义如下:

      [ApiController]
        public class AuthController : ControllerBase
        {
            [AllowAnonymous]
            [HttpGet]
            [Route("api/nopermission")]
            public IActionResult NoPermission()
            {
                return Forbid("No Permission!");
            }
            /// <summary>
            /// login
            /// </summary>
            [AllowAnonymous]
            [HttpGet]
            [Route("api/auth")]
            public IActionResult Get(string userName, string pwd)
            {
                if (CheckAccount(userName, pwd, out string role))
                {
                    Const.ValidAudience = userName + pwd + DateTime.Now.ToString();
                    // push the user’s name into a claim, so we can identify the user later on.
                    //这里可以随意加入自定义的参数,key可以自己随便起
                    var claims = new[]
                    {
                        new Claim(JwtRegisteredClaimNames.Nbf,$"{new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds()}") ,
                        new Claim (JwtRegisteredClaimNames.Exp,$"{new DateTimeOffset(DateTime.Now.AddMinutes(30)).ToUnixTimeSeconds()}"),
                        new Claim(ClaimTypes.NameIdentifier, userName),
                        new Claim("Role", role)
                    };
                    //sign the token using a secret key.This secret will be shared between your API and anything that needs to check that the token is legit.
                    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Const.SecurityKey));
                    var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
                    //.NET Core’s JwtSecurityToken class takes on the heavy lifting and actually creates the token.
                    var token = new JwtSecurityToken(
                        issuer: Const.Domain, //颁发者
                        audience: Const.ValidAudience,//过期时间
                        expires: DateTime.Now.AddMinutes(30),// 签名证书
                        signingCredentials: creds, //自定义参数
                        claims: claims );
                    return Ok(new
                    {
                        token = new JwtSecurityTokenHandler().WriteToken(token)
                    });
                }
                else
                {
                    return BadRequest(new { message = "username or password is incorrect." });
                }
            }
            /// <summary>
            /// 模拟登陆校验
            /// </summary>
            private bool CheckAccount(string userName, string pwd, out string role)
            {
                role = "user";
                if (string.IsNullOrEmpty(userName))
                    return false;
                if (userName.Equals("admin"))
                    role = "admin";
                return true;
            }

      可能比较特别的是  AllowAnonymous  ,这个看我文章的同学可能头一次见,其实怎么说好呢,这个可无可有,没有硬性的要求,我看到好几个知名博主加上了,我也加上了~...最后我们创建了几个资源控制器,它们是受保护的。

      在你添加策略权限的时候例如政策名称是XXX,那么在对应的api表头就应该是XXX,随后到了  PolicyHandler我们解析了 Claims 处理了它是否有权限。

    // GET api/values1
            [HttpGet]
            [Route("api/value1")]
            public ActionResult<IEnumerable<string>> Get()
            {
                return new string[] { "value1", "value1" };
            }
            // GET api/values2
            /**
             * 该接口用Authorize特性做了权限校验,如果没有通过权限校验,则http返回状态码为401
             */
            [HttpGet]
            [Route("api/value2")]
            [Authorize]
            public ActionResult<IEnumerable<string>> Get2()
            {
                var auth = HttpContext.AuthenticateAsync().Result.Principal.Claims;
                var userName = auth.FirstOrDefault(t => t.Type.Equals(ClaimTypes.NameIdentifier))?.Value;
                return new string[] { "这个接口登陆过的都能访问", $"userName={userName}" };
            }
            /**
             * 这个接口必须用admin
             **/
            [HttpGet]
            [Route("api/value3")]
            [Authorize("Permission")]
            public ActionResult<IEnumerable<string>> Get3()
            {
                //这是获取自定义参数的方法
                var auth = HttpContext.AuthenticateAsync().Result.Principal.Claims;
                var userName = auth.FirstOrDefault(t => t.Type.Equals(ClaimTypes.NameIdentifier))?.Value;
                var role = auth.FirstOrDefault(t => t.Type.Equals("Role"))?.Value;
                return new string[] { "这个接口有管理员权限才可以访问", $"userName={userName}", $"Role={role}" };
            }

    三.效果图

    四.栗子源代码和以往版本

      看到很多前辈彩的坑,原来的  (context.Resource as Microsoft.AspNetCore.Routing.RouteEndpoint);  实际上在.NET Core 3.0 已经不能用了,原因是.NET Core 3.0 启用 EndpointRouting 后,权限filter不再添加到 ActionDescriptor ,而将权限直接作为中间件运行,同时所有filter都会添加到  endpoint.Metadata  ,如果在.NET Core 2.1 & 2.2 版本中你通常Handler可以这么写:

    public class PolicyHandler : AuthorizationHandler<PolicyRequirement>
        {
            protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PolicyRequirement requirement)
            {
                //赋值用户权限
                var userPermissions = requirement.UserPermissions;
                //从AuthorizationHandlerContext转成HttpContext,以便取出表求信息
                var httpContext = (context.Resource as Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext).HttpContext;
                //请求Url
                var questUrl = httpContext.Request.Path.Value.ToUpperInvariant();
                //是否经过验证
                var isAuthenticated = httpContext.User.Identity.IsAuthenticated;
                if (isAuthenticated)
                {
                    if (userPermissions.GroupBy(g => g.Url).Any(w => w.Key.ToUpperInvariant() == questUrl))
                    {
                        //用户名
                        var userName = httpContext.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.NameIdentifier).Value;
                        if (userPermissions.Any(w => w.UserName == userName && w.Url.ToUpperInvariant() == questUrl))
                        {
                            context.Succeed(requirement);
                        }
                        else
                        {
                            //无权限跳转到拒绝页面
                            httpContext.Response.Redirect(requirement.DeniedAction);
                        }
                    }
                    else
                        context.Succeed(requirement);
                }
                return Task.CompletedTask;
            }
        }

      该案例源代码在我的Github上:https://github.com/zaranetCore/aspNetCore_JsonwebToken/tree/master/Jwt_Policy_Demo  谢谢大家

  • 相关阅读:
    C#规范整理·异常与自定义异常
    C#规范整理·资源管理和序列化
    C#规范整理·泛型委托事件
    C#规范整理·集合和Linq
    <抽象工厂>比<工厂方法>多了啥(区别)
    <工厂方法>比<简单工厂>多了啥(区别)
    Unable to start Ocelot because either a ReRoute or GlobalConfiguration
    MySQL服务安装
    mysql登录报错“Access denied for user 'root'@'localhost' (using password: YES”)的处理方法
    使用博客系统发生_STORAGE_WRITE_ERROR_错误
  • 原文地址:https://www.cnblogs.com/createwell/p/12776735.html
Copyright © 2011-2022 走看看