/// <summary>
///
/// </summary>
/// <param name="sysFileManager"></param>
/// <param name="jwtConfig"></param>
/// <param name="logger"></param>
/// <param name="appConfig"></param>
public FileController(ISysFileManager sysFileManager, JwtConfig jwtConfig, ILogger <FileController> logger, AppConfig appConfig)
{
_logger = logger;
_appConfig = appConfig;
_sysFileManager = sysFileManager;
_jwtConfig = jwtConfig;
}
public virtual IHttpActionResult RequestRefresh([FromBody] RefreshParams rp)
{
return(ExecuteValidatedAction(() =>
{
// manually validating, as api is no longer wired up...
ValidatorHelpers.ValidateAndThrow(rp, new RefreshParamsValidator());
// validate AuthClient and RefreshToken
JwtConfig config = new JwtConfig(true, RequestLeftPart);
AuthClient client = ValidateClient(rp);
AuthToken rt = AuthService.RetrieveToken(rp.AuthUserId, rp.AuthClientId, rp.TokenIdentifier);
AddNoCacheHeader();
if (client == null || rt == null || rt.AuthClientId != client.Id ||
!JsonWebToken.GrantNewAccess(config, rt.Token))
{
return ImATeapot();
}
// get user
AuthUser user = AuthService.GetByIdForLogin(rt.AuthUserId);
if (user == null)
{
return ImATeapot();
}
CheckSetRoleManager(user); // make sure state is set in RoleManager
ILoginResultDto loginResult = CreateTokenResult(user, client, config); // create new tokens, return result
return loginResult != null ? (IHttpActionResult)Ok(loginResult) : ImATeapot();
}));
}
public static string Generate(JwtConfig config, User user)
{
var now = DateTime.UtcNow;
var claims = new Claim[]
{
new Claim(JwtRegisteredClaimNames.Sub, Guid.NewGuid().ToString()),
new Claim(JwtRegisteredClaimNames.Iat, now.ToUniversalTime().ToString(CultureInfo.InvariantCulture),
ClaimValueTypes.Integer64),
new Claim(ClaimTypes.Sid, user.Id.ToString()),
new Claim(ClaimTypes.Name, user.DisplayName),
new Claim(ClaimTypes.Email, user.Email ?? string.Empty),
new Claim(ClaimTypes.Role, "todo")
};
var keyByteArray = Encoding.ASCII.GetBytes(config.Secret);
var signingKey = new SymmetricSecurityKey(keyByteArray);
var jwt = new JwtSecurityToken(
issuer: config.Issuer,
audience: config.Audience,
claims: claims,
notBefore: now,
expires: now.AddDays(90),
signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256)
);
var token = new JwtSecurityTokenHandler().WriteToken(jwt);
return(token);
}
/// <summary>
/// Validate tokens
/// </summary>
/// <param name="config">JwtConfig</param>
/// <param name="token">Token value</param>
public static Maybe <ClaimsPrincipal> ValidateToken(JwtConfig config, string token)
{
try
{
// Create validation parameters
var parameters = new TokenValidationParameters
{
RequireExpirationTime = true,
ValidIssuer = config.Issuer,
ValidAudience = config.Audience ?? config.Issuer,
IssuerSigningKey = config.GetSigningKey()
};
_ = config.GetEncryptingKey().IfSome(encryptingKey => parameters.TokenDecryptionKey = encryptingKey);
// Create handler to validate token
var handler = new JwtSecurityTokenHandler();
// Validate token and return principal
return(handler.ValidateToken(token, parameters, out var validatedToken));
}
catch (SecurityTokenNotYetValidException)
{
return(F.None <ClaimsPrincipal, M.TokenIsNotValidYetMsg>());
}
catch (Exception e) when(e.Message.Contains("IDX10223"))
{
return(F.None <ClaimsPrincipal, M.TokenHasExpiredMsg>());
}
catch (Exception e)
{
return(F.None <ClaimsPrincipal, M.ValidatingTokenExceptionMsg>(e));
}
}
public AuthController(UserManager <ApplicationUser> userManager, IOptionsMonitor <JwtConfig> optionsMonitor, TokenValidationParameters tokenValidationParameters, ApplicationDbContext applicationDbContext)
{
_userManager = userManager;
_jwtConfig = optionsMonitor.CurrentValue;
_tokenValidationParameters = tokenValidationParameters;
_applicationDbContext = applicationDbContext;
}
public static void AddSnowdropJwt(this IServiceCollection services, IConfiguration configuration)
{
JwtConfig config = configuration.GetSection(nameof(JwtConfig)).Get <JwtConfig>();
if (config == null)
{
throw new ArgumentException(nameof(JwtConfig));
}
services.AddSingleton(config);
services
.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.RequireHttpsMetadata = true;
options.SaveToken = true;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = config.Issuer,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(config.Secret)),
ValidAudience = config.Audience,
ValidateAudience = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.FromSeconds(30)
};
});
services.AddScoped <IJwtAuthManager, JwtAuthManager>();
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
var jwtConfig = new JwtConfig();
Configuration.Bind(nameof(JwtConfig), jwtConfig);
services.AddJwtAuthentication(jwtConfig);
services.AddSingleton(jwtConfig);
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info {
Title = "My API", Version = "v1"
});
//Locate the XML file being generated by ASP.NET...
var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
//... and tell Swagger to use those XML comments.
c.IncludeXmlComments(xmlPath);
});
services.AddDbContext <AppDbContext>(optionBuilder =>
{
optionBuilder.UseMySql(Configuration["ConnectionStrings:MySQL"]);
});
services.AddTransient <IUnitOfWork, UnitOfWork>();
services.AddTransient <UserRepository>();
services.AddTransient <UserService>();
services.AddTransient <AuthService>();
}
public UserController(UserManager <User> userManager, IOptionsMonitor <JwtConfig> optionsMonitor, IMapper autoMapper, RoleManager <IdentityRole> roleManager)
{
_userManager = userManager;
_jwtConfig = optionsMonitor.CurrentValue;
_mapper = autoMapper;
_roleManager = roleManager;
}
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
{
var jsonObject = JObject.Load(reader);
var setting = default(IAuthenticationConfig);
if (jsonObject["Provider"] != null)
{
switch (jsonObject["Provider"].Value <string>())
{
case "Jwt":
setting = new JwtConfig(
jsonObject["Authority"].Value <string>(),
jsonObject["Audience"].Value <string>());
break;
default:
setting = new IdentityServerConfig(
jsonObject["ProviderRootUrl"].Value <string>(),
jsonObject["ApiName"].Value <string>(),
jsonObject["RequireHttps"].Value <bool>(),
jsonObject["ApiSecret"].Value <string>());
break;
}
}
else
{
setting = new IdentityServerConfig(string.Empty, string.Empty, false, string.Empty);
}
serializer.Populate(jsonObject.CreateReader(), setting);
return(setting);
}
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
var jwtBearer = new JwtConfig();
Configuration.GetSection(nameof(JwtConfig)).Bind(jwtBearer);
var appData = new AppData()
{
JwtConfig = jwtBearer,
DocumentLibraryConnectionString = Configuration.GetConnectionString("DocumentLibraryConnection")
};
services.AddDependencyInjectionBindings(appData);
services.AddAutoMapper(AppDomain.CurrentDomain.GetAssemblies());
services.AddDatabaseDeveloperPageExceptionFilter();
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new OpenApiInfo {
Title = "DocumentLibrary.API.Admin", Version = "v1"
});
});
}
/// <summary>
/// 生成Token凭证
/// </summary>
/// <param name="user">用户信息</param>
/// <param name="jwtSetting">Jwt配置信息</param>
/// <returns>Token</returns>
public static string GenerateToken(User user, JwtConfig jwtSetting)
{
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSetting.TokenSecretKey));
DateTime dtNow = DateTime.Now;
DateTime dtExpires = DateTime.Now.AddMinutes(jwtSetting.Expiration);
var descriptor = new SecurityTokenDescriptor()
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(JwtClaimTypes.Issuer, jwtSetting.Issuer),
new Claim(JwtClaimTypes.Audience, jwtSetting.Audience),
new Claim(JwtClaimTypes.Id, user.UserId.ParseToStr()),
new Claim(JwtClaimTypes.Name, user.UserName),
new Claim("permission", user.UserName),
new Claim(JwtClaimTypes.NotBefore, dtNow.ParseToStr()),
new Claim(JwtClaimTypes.Expiration, dtExpires.ParseToStr())
}),
IssuedAt = dtNow,//颁发时间
NotBefore = dtNow,
Expires = dtExpires,
SigningCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256)
};
var jwtHandler = new JwtSecurityTokenHandler();
var securityToken = jwtHandler.CreateToken(descriptor);
return(jwtHandler.WriteToken(securityToken));
}
/// <summary>
/// create access token
/// </summary>
/// <param name="jwtConfig"></param>
/// <param name="user"></param>
/// <returns></returns>
public static JwtToken CreateAccessToken(
JwtConfig jwtConfig
, string jti
, string uniqueName
, string nameId
, string name
, string roleIds
)
{
if (jti.IsNullOrWhiteSpace())
{
throw new ArgumentNullException(nameof(jti));
}
var claims = new Claim[]
{
new Claim(JwtRegisteredClaimNames.Jti, jti),
new Claim(JwtRegisteredClaimNames.UniqueName, uniqueName),
new Claim(JwtRegisteredClaimNames.NameId, nameId),
new Claim(JwtRegisteredClaimNames.Name, name),
new Claim("roleids", roleIds)
};
return(WriteToken(jwtConfig, claims, Tokens.AccessToken));
}
public IdentityService(JwtConfig jwtConfig, UserManager <UserEntity> userManager, IMapper mapper, IBlackListJWT blackList)
{
_jwtConfig = jwtConfig;
_userManager = userManager;
_mapper = mapper;
_blackList = blackList;
}
public JwtProvider(IOptions <JwtConfig> config, UserManager <UserEntity> userManager)
{
_config = config.Value;
_userManager = userManager;
_key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config.Key));
_tokenHandler = new JwtSecurityTokenHandler();
}
public SnUserController(ISnUserService service, snblogContext coreDbContext, IOptions <JwtConfig> _jwtModel)
{
_service = service;
_coreDbContext = coreDbContext;
user = coreDbContext.SnUser;
jwtModel = _jwtModel.Value;
}
public AuthManagementController(
UserManager <IdentityUser> userManager,
IOptionsMonitor <JwtConfig> optionsMonitor)
{
_userManager = userManager;
_jwtConfig = optionsMonitor.CurrentValue;
}
public AuthController(UserManager <PickEmUser> userManager, LeagueService leagueService, IOptions <JwtConfig> jwtOptions, ILogger <AuthController> logger)
{
_userManager = userManager;
_leagueService = leagueService;
_logger = logger;
_jwtOptions = jwtOptions.Value;
}
/// <summary>
///
/// </summary>
/// <param name="userManager"></param>
/// <param name="appConfig"></param>
/// <param name="tokenManage"></param>
/// <param name="mapper"></param>
/// <param name="logger"></param>
public UserService(IUserManager userManager, AppConfig appConfig, JwtConfig tokenManage, IMapper mapper, ILogger <UserService> logger) : base(logger)
{
_userManager = userManager;
_mapper = mapper;
_appConfig = appConfig;
_tokenManage = tokenManage;
}
/// <summary>
/// 构造函数
/// </summary>
public AccountController(IJwtProvider jwtProvider, ICacheProvider cacheService, IOptions <JwtConfig> jwtConfig, IUserService service)
{
_jwtProvider = jwtProvider;
_cacheService = cacheService;
_service = service;
_jwtConfig = jwtConfig.Value;
}
public static void Initialize(IServiceCollection services, JwtConfig jwtConfig)
{
var authenticationProviderKey = "TestKey";
services.AddAuthentication()
.AddIdentityServerAuthentication(authenticationProviderKey, x =>
{
x.Authority = jwtConfig.Authority;
x.RequireHttpsMetadata = false;
//// x.Audience = "basket";
//x.TokenValidationParameters = new TokenValidationParameters
//{
// ValidAudiences = new[] { "basket" }
//};
// x.Audience = "openid";
//x.TokenValidationParameters = new TokenValidationParameters
//{
// ValidateIssuer = true,
// ValidateAudience = true,
// ValidateLifetime = true,
// ValidateIssuerSigningKey = true,
//// validissuer = jwtconfig.issuer,
// // validaudience = jwtconfig.audience,
// ValidAudiences = new[] { "api1" },
// // issuersigningkey = new symmetricsecuritykey(encoding.utf8.getbytes(configuration["jwt:key"]))
//};
});
}
public static DateTime ExchangeExpirationTime(JwtConfig config)
{
switch (config.ExpirationType)
{
case ExpirationType.Minutes:
return(DateTime.UtcNow.AddMinutes(config.ExpirationTime));
case ExpirationType.Hours:
return(DateTime.UtcNow.AddHours(config.ExpirationTime));
case ExpirationType.Days:
return(DateTime.UtcNow.AddDays(config.ExpirationTime));
case ExpirationType.Weeks:
return(DateTime.UtcNow.AddDays(config.ExpirationTime * 7));
case ExpirationType.Months:
return(DateTime.UtcNow.AddMonths(config.ExpirationTime));
case ExpirationType.Years:
return(DateTime.UtcNow.AddYears(config.ExpirationTime));
default:
throw new NotSupportedException("Expiration time for Jwt Token is invalid");
}
}
public AuthManagementController(UserManager <IdentityUser> userManager, IOptionsMonitor <JwtConfig> optionsMonitor, TokenValidationParameters tokenValidationParams, ApiDbContext apiDbContext)
{
_userManager = userManager;
_jwtConfig = optionsMonitor.CurrentValue;
_tokenValidationParams = tokenValidationParams;
_apiDbContext = apiDbContext;
}
public AuthController(ILogger <AuthController> logger, UserManager <User> userManager, IMapper mapper, IOptionsSnapshot <JwtConfig> jwtSetting)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_userManager = userManager ?? throw new ArgumentNullException(nameof(userManager));
_mapper = mapper ?? throw new ArgumentNullException(nameof(mapper));
_jwtSetting = jwtSetting.Value;
}
public TokenController(IUserService userService, IRoleService roleService, IPasswordHasher passwordHasher, IOptions <JwtConfig> jwtConfig)
{
this.userService = userService;
this.roleService = roleService;
this.passwordHasher = passwordHasher;
this.jwtConfig = jwtConfig.Value;
}
public IdentityService(UserManager <IdentityUser> userManager, JwtConfig jwtSettings, TokenValidationParameters tokenValidationParameters, DataContext context, IUserProfileService userProfileService)
{
_userManager = userManager;
_jwtSettings = jwtSettings;
_tokenValidationParameters = tokenValidationParameters;
_context = context;
_userProfileService = userProfileService;
}
public AccountController(IOptionsSnapshot <JwtConfig> jwtConfig
, IAccountAppService accountService
, IUserContext userContext)
{
_jwtConfig = jwtConfig.Value;
_accountService = accountService;
_userContext = userContext;
}
public SsoAuthenticationMiddleware(RequestDelegate next
, IOptions <JwtConfig> jwtConfig
, ICacheProvider cache)
{
_next = next ?? throw new ArgumentNullException(nameof(next));
_cache = cache;
_jwtConfig = jwtConfig.Value;
}
public AccountController(JwtConfig jwtConfig, UserManager <IdentityUser> userManager,
SignInManager <IdentityUser> signInManager)
{
_jwtConfig = jwtConfig;
_userManager = userManager;
_signInManager = signInManager;
_authService = new AuthService(userManager);
}
public LoginCommandHandler(TasiContext context, IMapper mapper, ILogger <LoginCommandHandler> logger,
IOptions <JwtConfig> config)
{
_context = context;
_mapper = mapper;
_logger = logger;
_config = config.Value;
}
public RefreshAccessTokenCommandHandler(IHttpContextAccessor httpContextAccessor,
IRefreshTokenService refreshTokenService, IOptions <JwtConfig> jwtConfigOptions)
{
_httpContext = httpContextAccessor.HttpContext ??
throw new ArgumentNullException(nameof(httpContextAccessor.HttpContext));
_refreshTokenService = refreshTokenService ?? throw new ArgumentNullException(nameof(refreshTokenService));
_jwtConfig = jwtConfigOptions.Value ?? throw new ArgumentNullException(nameof(jwtConfigOptions.Value));
}
public IssuedAtCheckerTests(ITestOutputHelper output)
{
this.output = output;
this.Config = new JwtConfig
{
KeyConfig = new KeyConfig
{
Value = new byte[] { 237, 77, 131, 121, 90, 110, 35, 231, 70, 26, 39, 55, 158, 159, 179, 231 }
},
Signer = new HS256Signer()
};
}
public JwtIdCheckerTests(ITestOutputHelper output)
{
this.output = output;
this.Whitelist = new List<string> {
"B311F1EA-588B-40D3-BD89-27DCDF9DB5EB",
"C706DE30-2C8F-4834-8C1A-71136310CDB0",
"5B6D2B63-C101-4FEA-8625-F1C3C36F2857"
};
this.Validator = (id) =>
{
return Whitelist.Where(Q => Q == id).Any();
};
this.Config = new JwtConfig
{
KeyConfig = new KeyConfig
{
Value = new byte[] { 237, 77, 131, 121, 90, 110, 35, 231, 70, 26, 39, 55, 158, 159, 179, 231 }
},
Signer = new HS256Signer()
};
}
public void Sample()
{
var jwtConfig = new JwtConfig
{
KeyConfig = new KeyConfig
{
Value = new byte[] { 237, 77, 131, 121, 90, 110, 35, 231, 70, 26, 39, 55, 158, 159, 179, 231 }
},
Signer = new HS256Signer()
};
var jwtCodec = new JwtCodec(jwtConfig);
var claims = new
{
UserId = 1,
Username = "******",
Role = "Admin"
};
string token1 = jwtCodec.Encode(claims);
//eyJVc2VySWQiOjEsIlVzZXJuYW1lIjoiamFja2FudG9ubyIsIlJvbGUiOiJBZG1pbiJ9.yCY897l0Qt4pNWAMkLebcwjygiqbkQcFMfNW+BZjCUo=
output.WriteLine(token1);
bool isValid = jwtCodec.Decode(token1);
//True
output.WriteLine(isValid.ToString());
var now = new DateTime(2015, 11, 23, 14, 0, 0, DateTimeKind.Utc);
var token2 = jwtCodec.Encode(claims,
Issuer: "accelist.com",
Subject: "Authentication",
Audience: new List<string> { "EmployeePortal", "SecurityCenter" },
ExpirationTime: now.AddHours(12),
NotBefore: now,
IssuedAt: now,
JwtId: Guid.Parse("2628850a-e1a9-4897-bf78-355fa5367ca1").ToString()
);
//eyJVc2VySWQiOjEsIlVzZXJuYW1lIjoiamFja2FudG9ubyIsIlJvbGUiOiJBZG1pbiIsImlzcyI6ImFjY2VsaXN0LmNvbSIsInN1YiI6IkF1dGhlbnRpY2F0aW9uIiwiYXVkIjpbIkVtcGxveWVlUG9ydGFsIiwiU2VjdXJpdHlDZW50ZXIiXSwiZXhwIjoxNDQ4MzMwNDAwLCJuYmYiOjE0NDgyODcyMDAsImlhdCI6MTQ0ODI4NzIwMCwianRpIjoiMjYyODg1MGEtZTFhOS00ODk3LWJmNzgtMzU1ZmE1MzY3Y2ExIn0=.d/ON3EdLGOC0VPcKwiLE15WZKoM9Mwx+3P2QQIhSP8U=
output.WriteLine(token2);
/// Validation logic for registered claim: Issuer.
/// Successful if the Issuer property value equals the claim or claim is not provided.
var issChecker = new IssuerChecker();
/// Validation logic for registered claim: Subject.
/// Successful if the Subject property value equals the claim or claim is not provided.
var subChecker = new SubjectChecker();
/// Validation logic for registered claim: Audience.
/// Successful if the claim is not present or the Audience property value is in the said claim.
var audChecker = new AudienceChecker();
var leeway = new TimeSpan(0, 5, 0);
/// Validation logic for registered claim: Expiration Time.
/// Successful if claim exists and current time is at or before the said claim, using leeway period if provided.
var expChecker = new ExpirationTimeChecker(leeway);
/// Authorization logic for registered claim: Not Before.
/// Successful if claim exists and current time is at or after the said claim, using leeway period if provided.
var nbfChecker = new NotBeforeChecker(leeway);
/// Authorization logic for registered claim: Issued At.
/// Successful if claim exists.
var iatChecker = new IssuedAtChecker();
/// Validation logic for registered claim: JWT ID.
/// Successful if claims exist and resolves to true when passed through the validator.
Func<string, bool> jtiValidator = (jti) =>
{
return true;
};
var jtiChecker = new JwtIdChecker(jtiValidator);
/// Validation logic for AuthorizeAttribute 'Role' claim.
/// Successful if the Roles property is not set or the claim is in the Roles property value.
var roleChecker = new RoleChecker("Role");
/// Validation logic for AuthorizeAttribute 'User' claim.
/// Successful if the User property is not set or the claim is in the Users property value.
var userChecker = new UserChecker("Username");
var claimsCheckers = new List<IClaimsChecker> { issChecker, subChecker, audChecker, expChecker, nbfChecker, iatChecker, jtiChecker, roleChecker, userChecker };
var variables = new ClaimsCheckerVariables
{
Issuer = "accelist.com",
Subject = "Administration",
Roles = "Admin",
Audience = "EmployeePortal",
Users = "jackantono, ryanelian",
};
jwtCodec.Decode(token2, claimsCheckers, variables);
var jwtObj = JwtObject.Parse(token2);
var extractClaims = jwtObj.ClaimsAsObject<ClaimsTest>();
output.WriteLine(Newtonsoft.Json.JsonConvert.SerializeObject(extractClaims, Newtonsoft.Json.Formatting.Indented));
}
