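/// <summary>
/// Registers JWT bearer authentication and the "Permission" authorization policy,
/// reading the signing secret, issuer and audience from the "Audience" configuration section.
/// </summary>
/// <param name="services">The service collection to register into.</param>
/// <param name="configuration">Application configuration containing the "Audience" section.</param>
/// <exception cref="InvalidOperationException">Thrown when "Audience:Secret" is missing or blank.</exception>
public static void AddJwt(this IServiceCollection services, IConfiguration configuration)
{
    // Read the configuration section holding the signing secret and the token identifiers.
    var audienceConfig = configuration.GetSection("Audience");
    var symmetricKeyAsBase64 = audienceConfig["Secret"];
    if (string.IsNullOrWhiteSpace(symmetricKeyAsBase64))
    {
        // Without this guard a missing secret surfaces as an opaque ArgumentNullException
        // from Encoding.GetBytes; fail fast and name the configuration key instead.
        throw new InvalidOperationException("Configuration value 'Audience:Secret' is missing or blank.");
    }

    // NOTE(review): the variable name says Base64, but the secret is consumed as raw ASCII bytes.
    // Left unchanged on purpose: switching the decoding would invalidate every token signed so far.
    var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
    var signingKey = new SymmetricSecurityKey(keyByteArray);

    // Token validation parameters: signature, issuer, audience and lifetime are all enforced.
    var tokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey,
        ValidateIssuer = true,
        ValidIssuer = audienceConfig["Issuer"],     // issuer
        ValidateAudience = true,
        ValidAudience = audienceConfig["Audience"], // audience
        ValidateLifetime = true,
        ClockSkew = TimeSpan.Zero,                  // no tolerance: a token is rejected the moment it expires
        RequireExpirationTime = true,
    };

    var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

    // Left empty here; the handler is expected to fill it in dynamically (e.g. from the database).
    var permission = new List<AuthorizeItem>();

    // Role-to-endpoint permission requirement, shared by the policy and the handler.
    var permissionRequirement = new AuthorizeRequirement(
        "/api/denied",                      // redirect path when authorization is denied (currently unused)
        permission,
        ClaimTypes.Role,                    // role-based authorization
        audienceConfig["Issuer"],           // issuer
        audienceConfig["Audience"],         // audience
        signingCredentials,                 // signing credentials
        expiration: TimeSpan.FromHours(6)   // token lifetime for the API
    );

    // Authorization policy plus JWT bearer authentication as the default scheme.
    services.AddAuthorization(options =>
        {
            options.AddPolicy("Permission", policy => policy.Requirements.Add(permissionRequirement));
        })
        .AddAuthentication(x =>
        {
            x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(o =>
        {
            o.TokenValidationParameters = tokenValidationParameters;
            o.Events = new JwtBearerEvents
            {
                OnAuthenticationFailed = context =>
                {
                    // Tell the client that the token expired, as opposed to any other validation failure.
                    if (context.Exception is SecurityTokenExpiredException)
                    {
                        // Indexer rather than Headers.Add: Add throws when the header is already present,
                        // which would turn an expired token into a server error instead of a 401.
                        context.Response.Headers["Token-Expired"] = "true";
                    }
                    return Task.CompletedTask;
                },
                OnMessageReceived = context =>
                {
                    // Browsers cannot set headers on a WebSocket upgrade, so the SignalR hub accepts the
                    // token from the query string. Tokens in URLs can end up in logs and referrers, so
                    // the path restriction is what keeps this from applying to ordinary endpoints.
                    var accessToken = context.Request.Query["access_token"];
                    var path = context.HttpContext.Request.Path;
                    if (!string.IsNullOrEmpty(accessToken) && path.StartsWithSegments("/hub"))
                    {
                        context.Token = accessToken;
                    }
                    return Task.CompletedTask;
                }
            };
        });

    services.AddSingleton<IAuthorizationHandler, AuthorizeHandler>();
    // The same requirement instance is registered so the handler (and any consumer) shares its permission list.
    services.AddSingleton(permissionRequirement);
}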
/// <summary>
/// Constructor injection of the business-logic services and the authorization requirement.
/// </summary>
/// <param name="userBLL">User business-logic service.</param>
/// <param name="moduleBLL">Module business-logic service.</param>
/// <param name="requirement">Authorization requirement resolved from the container.</param>
public LoginController(IUserBLL userBLL, IModuleBLL moduleBLL, AuthorizeRequirement requirement)
{
    // Tuple deconstruction stores all three dependencies in one statement.
    (_userBLL, _moduleBLL, _requirement) = (userBLL, moduleBLL, requirement);
}
/// <summary>
/// Registers JWT bearer authentication against an external authority and the "Basic"
/// authorization policy backed by <see cref="TokenAuthorizeHandler"/>.
/// </summary>
/// <param name="services">The service collection to register into.</param>
/// <param name="configure">Callback that fills in the <see cref="AuthorizeRequirement"/>; Authority is mandatory.</param>
/// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="services"/> or <paramref name="configure"/> is null,
/// or when the configured Authority is blank.
/// </exception>
public static IServiceCollection AddAuthentication(this IServiceCollection services, Action<AuthorizeRequirement> configure)
{
    if (services is null)
    {
        throw new ArgumentNullException(nameof(services));
    }
    if (configure is null)
    {
        throw new ArgumentNullException(nameof(configure));
    }

    // Both token kinds are allowed unless the caller turns one off.
    var requirement = new AuthorizeRequirement { AllowClientToken = true, AllowUserToken = true };
    configure(requirement);

    if (string.IsNullOrWhiteSpace(requirement.Authority))
    {
        throw new ArgumentNullException(nameof(requirement.Authority), "此参数用于获取认证授权中心配置的信息,请务必设置为认证授权的终结点");
    }

    services
        .AddAuthentication(x =>
        {
            x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(o =>
        {
            // NOTE(review): ShowPII is process-global and puts token contents and claims into
            // IdentityModel exception messages and logs; confirm this is intended outside development.
            IdentityModelEventSource.ShowPII = true;
            o.Authority = requirement.Authority;
            // NOTE(review): discovery metadata is accepted over plain HTTP; confirm this is limited to non-production hosts.
            o.RequireHttpsMetadata = false;
            o.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = JwtClaimTypes.Name,
                RoleClaimType = ClaimTypes.Role,
                ValidIssuer = requirement.ValidIssuer,
                ValidAudiences = requirement.ValidAudiences,
                /*********************** TokenValidationParameters defaults ***********************/
                // RequireSignedTokens = true,
                // SaveSigninToken = false,
                // ValidateActor = false,
                // Setting the next two to false skips issuer/audience validation; not recommended.
                ValidateAudience = requirement.ValidateAudience,
                ValidateIssuer = requirement.ValidateIssuer,
                // ValidateIssuerSigningKey = false,
                // The token's claims must carry an expiration.
                RequireExpirationTime = true,
                // Allowed clock drift between this server and the issuer.
                ClockSkew = TimeSpan.FromSeconds(300),
                // Compare the current time against the NotBefore / Expires claims.
                ValidateLifetime = true
            };
        });

    services.AddAuthorization(options =>
    {
        // Bearer scheme, authenticated user, then the custom requirement handled by TokenAuthorizeHandler.
        options.AddPolicy("Basic", policy => policy
            .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser()
            .Requirements.Add(requirement));
    });

    // Register the handler that evaluates the requirement.
    services.AddSingleton<IAuthorizationHandler, TokenAuthorizeHandler>();
    return services;
}