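        /// <summary>
        /// Registers JWT bearer authentication and the "Permission" authorization policy using the
        /// settings in the "Audience" configuration section (Secret, Issuer, Audience). The same
        /// symmetric key validates incoming tokens and, via the registered
        /// <see cref="AuthorizeRequirement"/>, signs tokens issued by this application.
        /// </summary>
        /// <param name="services">The service collection to register into.</param>
        /// <param name="configuration">Application configuration holding the "Audience" section.</param>
        /// <exception cref="ArgumentNullException">Thrown when either argument is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// Thrown when "Audience:Secret" is missing, empty, contains non-ASCII characters, or is too
        /// short for HMAC-SHA256.
        /// </exception>
        public static void AddJwt(this IServiceCollection services, IConfiguration configuration)
        {
            if (services is null)
            {
                throw new ArgumentNullException(nameof(services));
            }
            if (configuration is null)
            {
                throw new ArgumentNullException(nameof(configuration));
            }

            // Read the "Audience" section of the configuration.
            var audienceConfig = configuration.GetSection("Audience");
            var secret         = audienceConfig["Secret"];

            // Fail at startup instead of on the first request: a missing secret would otherwise
            // surface as an unhelpful ArgumentNullException from Encoding.GetBytes.
            if (string.IsNullOrEmpty(secret))
            {
                throw new InvalidOperationException("Configuration value 'Audience:Secret' is missing or empty.");
            }

            // The secret is consumed as raw ASCII bytes. Encoding.ASCII silently replaces every
            // non-ASCII character with '?', which would weaken the key without any warning, so such
            // secrets are rejected explicitly.
            foreach (var ch in secret)
            {
                if (ch > 0x7F)
                {
                    throw new InvalidOperationException("Configuration value 'Audience:Secret' must contain ASCII characters only.");
                }
            }

            var keyByteArray = Encoding.ASCII.GetBytes(secret);

            // HMAC-SHA256 needs a key of at least 128 bits; the token library rejects shorter keys
            // when signing, so check once here where the error is actionable.
            const int MinimumHmacSha256KeyBytes = 16;
            if (keyByteArray.Length < MinimumHmacSha256KeyBytes)
            {
                throw new InvalidOperationException("Configuration value 'Audience:Secret' must be at least 16 bytes long for HMAC-SHA256.");
            }

            var signingKey = new SymmetricSecurityKey(keyByteArray);

            // Validation parameters for incoming bearer tokens. Issuer, audience, signature and
            // lifetime are all enforced; ClockSkew of zero means an expired token is rejected
            // immediately rather than after the library's default grace period.
            var tokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey         = signingKey,
                ValidateIssuer           = true,
                ValidIssuer              = audienceConfig["Issuer"],
                ValidateAudience         = true,
                ValidAudience            = audienceConfig["Audience"],
                ValidateLifetime         = true,
                ClockSkew                = TimeSpan.Zero,
                RequireExpirationTime    = true,
            };
            var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

            // Left empty on purpose: the permission list is populated dynamically by the handler
            // (e.g. from the database) rather than at registration time.
            var permission = new List<AuthorizeItem>();

            // Role/endpoint permission requirement shared by the policy and the login flow.
            var permissionRequirement = new AuthorizeRequirement(
                "/api/denied",                    // redirect path for denied requests (currently unused)
                permission,
                ClaimTypes.Role,                  // role-based authorization
                audienceConfig["Issuer"],         // issuer
                audienceConfig["Audience"],       // audience
                signingCredentials,               // signing credentials
                expiration: TimeSpan.FromHours(6) // lifetime of issued tokens
                );

            // Authorization policy and JWT bearer authentication.
            services.AddAuthorization(options =>
            {
                options.AddPolicy("Permission", policy => policy.Requirements.Add(permissionRequirement));
            })
            .AddAuthentication(x =>
            {
                x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                x.DefaultChallengeScheme    = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(o =>
            {
                o.TokenValidationParameters = tokenValidationParameters;
                o.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = context =>
                    {
                        // Tell the client the token expired (as opposed to being invalid) through a
                        // response header. The indexer is used instead of Headers.Add so a second
                        // failure on the same response cannot throw on a duplicate key.
                        if (context.Exception is SecurityTokenExpiredException)
                        {
                            context.Response.Headers["Token-Expired"] = "true";
                        }
                        return Task.CompletedTask;
                    },
                    OnMessageReceived = context =>
                    {
                        // Browser WebSocket clients cannot send an Authorization header, so for hub
                        // paths the token is accepted from the "access_token" query parameter.
                        // Note that query strings tend to end up in access logs; keep the path
                        // restriction so this only applies to the hub endpoints.
                        var accessToken = context.Request.Query["access_token"];
                        var path        = context.HttpContext.Request.Path;
                        if (!string.IsNullOrEmpty(accessToken) && path.StartsWithSegments("/hub"))
                        {
                            context.Token = accessToken;
                        }
                        return Task.CompletedTask;
                    }
                };
            });

            services.AddSingleton<IAuthorizationHandler, AuthorizeHandler>();
            services.AddSingleton(permissionRequirement);
        }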
 /// <summary>
 /// Creates the controller with its collaborators supplied by the DI container.
 /// </summary>
 /// <param name="userBLL">User business-logic service.</param>
 /// <param name="moduleBLL">Module business-logic service.</param>
 /// <param name="requirement">Authorization requirement resolved from the container.</param>
 public LoginController(IUserBLL userBLL, IModuleBLL moduleBLL, AuthorizeRequirement requirement)
 {
     _requirement = requirement;
     _moduleBLL   = moduleBLL;
     _userBLL     = userBLL;
 }
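        /// <summary>
        /// Registers JWT bearer authentication against an external token authority and a "Basic"
        /// authorization policy that carries the configured <see cref="AuthorizeRequirement"/>.
        /// </summary>
        /// <param name="services">The service collection to register into.</param>
        /// <param name="configure">Callback that must set at least <c>Authority</c> on the requirement.</param>
        /// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="services"/> or <paramref name="configure"/> is null, or when the
        /// callback leaves <c>Authority</c> blank.
        /// </exception>
        public static IServiceCollection AddAuthentication(this IServiceCollection services, Action <AuthorizeRequirement> configure)
        {
            if (services is null)
            {
                throw new ArgumentNullException(nameof(services));
            }
            if (configure is null)
            {
                throw new ArgumentNullException(nameof(configure));
            }

            // Both client-credential and user tokens are accepted unless the caller opts out.
            var req = new AuthorizeRequirement
            {
                AllowClientToken = true,
                AllowUserToken   = true
            };

            configure(req);

            if (string.IsNullOrWhiteSpace(req.Authority))
            {
                throw new ArgumentNullException(nameof(req.Authority), "此参数用于获取认证授权中心配置的信息,请务必设置为认证授权的终结点");
            }

            // Discovery metadata and the signing keys it points to may only travel over plain HTTP
            // when the authority itself is an http:// URL (local development). For an https://
            // authority the handler must refuse non-TLS metadata, otherwise the key material used to
            // validate tokens could be replaced on the wire.
            var authorityIsHttps = req.Authority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);

            services.AddAuthentication(x =>
            {
                x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                x.DefaultChallengeScheme    = JwtBearerDefaults.AuthenticationScheme;
            }).AddJwtBearer(o =>
            {
#if DEBUG
                // Includes token contents and key identifiers in IdentityModel error messages. The
                // setting is process-wide and puts token/claim data into logs, so it is limited to
                // debug builds.
                IdentityModelEventSource.ShowPII = true;
#endif
                o.Authority            = req.Authority;
                o.RequireHttpsMetadata = authorityIsHttps;

                o.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType  = JwtClaimTypes.Name,
                    RoleClaimType  = ClaimTypes.Role,
                    ValidIssuer    = req.ValidIssuer,
                    ValidAudiences = req.ValidAudiences,
                    /*********************** TokenValidationParameters defaults, for reference ***********************/
                    // RequireSignedTokens = true,
                    // SaveSigninToken = false,
                    // ValidateActor = false,
                    // Setting the next two to false skips issuer/audience validation; not recommended.
                    ValidateAudience = req.ValidateAudience,
                    ValidateIssuer   = req.ValidateIssuer,
                    // ValidateIssuerSigningKey = false,
                    // Tokens must carry an expiry claim.
                    RequireExpirationTime = true,
                    // Tolerated clock difference between this server and the authority.
                    ClockSkew = TimeSpan.FromSeconds(300),
                    // Compare the current time against the token's NotBefore/Expires claims.
                    ValidateLifetime = true
                };
            });
            services.AddAuthorization(options =>
            {
                options.AddPolicy("Basic",
                                  policy =>
                {
                    policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme);
                    policy.RequireAuthenticatedUser();
                    policy.Requirements.Add(req);
                });
            });
            services.AddSingleton<IAuthorizationHandler, TokenAuthorizeHandler>();  // handler that evaluates the requirement

            return services;
        }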