ASP.NET Core 中基于令牌的身份验证(更新)

本文介绍了ASP.NET Core 中基于令牌的身份验证(更新)的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我正在使用 ASP.NET Core 应用程序.我正在尝试实施基于令牌的身份验证，但无法弄清楚如何使用新的安全系统.

I'm working with ASP.NET Core application. I'm trying to implement Token Based Authentication but can not figure out how to use new Security System.

我的场景:客户端请求令牌.我的服务器应该授权用户并返回 access_token，客户端将在以下请求中使用该令牌.

My scenario: A client requests a token. My server should authorize the user and return access_token which will be used by the client in following requests.

这里有两篇关于实现我所需要的很棒的文章:

Here are two great articles about implementing exactly what I need:

• 基于令牌使用 ASP.NET Web API 2、Owin 和 Identity 进行身份验证
• 使用 JSON Web令牌

问题是 - 在 ASP.NET Core 中如何做同样的事情对我来说并不明显.

The problem is - it is not obvious for me how to do the same thing in ASP.NET Core.

我的问题是:如何配置 ASP.NET Core Web Api 应用程序以使用基于令牌的身份验证?我应该追求什么方向?你有没有写过任何关于最新版本的文章，或者知道我在哪里可以找到?

My question is: how to configure ASP.NET Core Web Api application to work with token based authentication? What direction should I pursue? Have you written any articles about the newest version, or know where I could find ones?

谢谢！

推荐答案

从 Matt Dekrey 的精彩回答开始工作，我'已经创建了一个完整的基于令牌的身份验证示例，适用于 ASP.NET Core (1.0.1).您可以在 GitHub 上的此存储库中找到完整代码 (1.0.0-rc1, beta8、beta7)，但简而言之，重要的步骤是:

Working from Matt Dekrey's fabulous answer, I've created a fully working example of token-based authentication, working against ASP.NET Core (1.0.1). You can find the full code in this repository on GitHub (alternative branches for 1.0.0-rc1, beta8, beta7), but in brief, the important steps are:

为您的应用程序生成一个密钥

在我的示例中，每次应用程序启动时我都会生成一个随机密钥，您需要生成一个并将其存储在某处并将其提供给您的应用程序.请参阅此文件了解我如何生成随机密钥以及您如何可以从 .json 文件导入它.正如@kspearrin 在评论中所建议的，数据保护 API 似乎是正确"管理密钥的理想人选，但我还没有弄清楚是否可能.如果您解决了，请提交拉取请求！

In my example, I generate a random key each time the app starts, you'll need to generate one and store it somewhere and provide it to your application. See this file for how I'm generating a random key and how you might import it from a .json file. As suggested in the comments by @kspearrin, the Data Protection API seems like an ideal candidate for managing the keys "correctly", but I've not worked out if that's possible yet. Please submit a pull request if you work it out!

Startup.cs - 配置服务

在这里，我们需要为要签名的令牌加载私钥，我们还将使用它来验证出现的令牌.我们将密钥存储在类级变量 key 中，我们将在下面的 Configure 方法中重新使用它.TokenAuthOptions 是一个保存签名身份的简​​单类，我们需要在 TokenController 中创建我们的密钥的受众和发行者.

Here, we need to load a private key for our tokens to be signed with, which we will also use to verify tokens as they are presented. We're storing the key in a class-level variable key which we'll re-use in the Configure method below. TokenAuthOptions is a simple class which holds the signing identity, audience and issuer that we'll need in the TokenController to create our keys.

// Replace this with some sort of loading from config / file. RSAParameters keyParams = RSAKeyUtils.GetRandomKey(); // Create the key, and a set of token options to record signing credentials // using that key, along with the other parameters we will need in the // token controlller. key = new RsaSecurityKey(keyParams); tokenOptions = new TokenAuthOptions() { Audience = TokenAudience, Issuer = TokenIssuer, SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.Sha256Digest) }; // Save the token options into an instance so they're accessible to the // controller. services.AddSingleton<TokenAuthOptions>(tokenOptions); // Enable the use of an [Authorize("Bearer")] attribute on methods and // classes to protect. services.AddAuthorization(auth => { auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder() .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme‌​) .RequireAuthenticatedUser().Build()); });

我们还设置了授权策略，允许我们在我们希望保护的端点和类上使用 [Authorize("Bearer")].

We've also set up an authorization policy to allow us to use [Authorize("Bearer")] on the endpoints and classes we wish to protect.

Startup.cs - 配置

这里，我们需要配置JwtBearerAuthentication:

Here, we need to configure the JwtBearerAuthentication:

app.UseJwtBearerAuthentication(new JwtBearerOptions { TokenValidationParameters = new TokenValidationParameters { IssuerSigningKey = key, ValidAudience = tokenOptions.Audience, ValidIssuer = tokenOptions.Issuer, // When receiving a token, check that it is still valid. ValidateLifetime = true, // This defines the maximum allowable clock skew - i.e. // provides a tolerance on the token expiry time // when validating the lifetime. As we're creating the tokens // locally and validating them on the same machines which // should have synchronised time, this can be set to zero. // Where external tokens are used, some leeway here could be // useful. ClockSkew = TimeSpan.FromMinutes(0) } });

令牌控制器

在令牌控制器中，您需要有一个方法来使用在 Startup.cs 中加载的密钥生成签名密钥.我们已经在 Startup 中注册了一个 TokenAuthOptions 实例，所以我们需要将它注入到 TokenController 的构造函数中:

In the token controller, you need to have a method to generate signed keys using the key that was loaded in Startup.cs. We've registered a TokenAuthOptions instance in Startup, so we need to inject that in the constructor for TokenController:

[Route("api/[controller]")] public class TokenController : Controller { private readonly TokenAuthOptions tokenOptions; public TokenController(TokenAuthOptions tokenOptions) { this.tokenOptions = tokenOptions; } ...

然后您需要在处理程序中为登录端点生成令牌，在我的示例中，我使用用户名和密码并使用 if 语句验证它们，但您需要做的关键是创建或加载基于声明的身份并为其生成令牌:

Then you'll need to generate the token in your handler for the login endpoint, in my example I'm taking a username and password and validating those using an if statement, but the key thing you need to do is create or load a claims-based identity and generate the token for that:

public class AuthRequest { public string username { get; set; } public string password { get; set; } } /// <summary> /// Request a new token for a given username/password pair. /// </summary> /// <param name="req"></param> /// <returns></returns> [HttpPost] public dynamic Post([FromBody] AuthRequest req) { // Obviously, at this point you need to validate the username and password against whatever system you wish. if ((req.username == "TEST" && req.password == "TEST") || (req.username == "TEST2" && req.password == "TEST")) { DateTime? expires = DateTime.UtcNow.AddMinutes(2); var token = GetToken(req.username, expires); return new { authenticated = true, entityId = 1, token = token, tokenExpires = expires }; } return new { authenticated = false }; } private string GetToken(string user, DateTime? expires) { var handler = new JwtSecurityTokenHandler(); // Here, you should create or look up an identity for the user which is being authenticated. // For now, just creating a simple generic identity. ClaimsIdentity identity = new ClaimsIdentity(new GenericIdentity(user, "TokenAuth"), new[] { new Claim("EntityID", "1", ClaimValueTypes.Integer) }); var securityToken = handler.CreateToken(new Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor() { Issuer = tokenOptions.Issuer, Audience = tokenOptions.Audience, SigningCredentials = tokenOptions.SigningCredentials, Subject = identity, Expires = expires }); return handler.WriteToken(securityToken); }

应该就是这样.只需将 [Authorize("Bearer")] 添加到您想要保护的任何方法或类，如果您尝试在没有令牌的情况下访问它，您应该会得到一个错误.如果要返回 401 而不是 500 错误，则需要注册自定义异常处理程序 就像我在这里的例子.

And that should be it. Just add [Authorize("Bearer")] to any method or class you want to protect, and you should get an error if you attempt to access it without a token present. If you want to return a 401 instead of a 500 error, you'll need to register a custom exception handler as I have in my example here.