public TokenProviderOptions()
{
Path = "/api/token";
Issuer = "ExampleIssuer";
Audience = "ExampleAudience";
Expiration = TimeSpan.FromDays(1);
var secretKey = "mysupersecret_secretkey!123";
var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey));
SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
TokenValidationParameters = new TokenValidationParameters
{
// The signing key must match!
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
// Validate the JWT Issuer (iss) claim
ValidateIssuer = true,
ValidIssuer = "ExampleIssuer",
// Validate the JWT Audience (aud) claim
ValidateAudience = true,
ValidAudience = Audience,
// Validate the token expiry
ValidateLifetime = true,
// If you want to allow a certain amount of clock drift, set that here:
ClockSkew = TimeSpan.Zero
};
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
AuthenticationTicket ticket = _ticketDataFormat.Unprotect(securityToken);
validatedToken = null;
return ticket?.Principal;
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
var audienceConfig = Configuration.GetSection("Audience");
var symmetricKeyAsBase64 = audienceConfig["Secret"];
var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
var signingKey = new SymmetricSecurityKey(keyByteArray);
var options = new TokenProviderOptions
{
Audience = "ExampleAudience",
Issuer = "ExampleIssuer",
SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),
};
var tokenValidationParameters = new TokenValidationParameters
{
// The signing key must match!
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
// Validate the JWT Issuer (iss) claim
ValidateIssuer = true,
ValidIssuer = options.Issuer,
// Validate the JWT Audience (aud) claim
ValidateAudience = true,
ValidAudience = options.Audience,
// Validate the token expiry
ValidateLifetime = true,
// If you want to allow a certain amount of clock drift, set that here:
ClockSkew = TimeSpan.Zero
};
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
TokenValidationParameters = tokenValidationParameters,
});
app.UseMiddleware<CustomTokenProviderMiddleware>(Options.Create(options));
app.UseMvc();
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
validatedToken = null;
var claims = new[]
{
// Make sure to use a different name identifier
// than the one defined by CustomTokenValidated.
new Claim(ClaimTypes.NameIdentifier, "Bob le Tout Puissant"),
new Claim(ClaimTypes.Email, "*****@*****.**"),
new Claim(ClaimsIdentity.DefaultNameClaimType, "bob"),
};
return new ClaimsPrincipal(new ClaimsIdentity(claims));
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
validatedToken = null;
if (securityToken == DEMO_TOKEN)
{
// TODO: Complete all claims and other user data
var claims = new[]
{
new Claim(ClaimTypes.NameIdentifier, DEMO_USERNAME),
new Claim(ClaimsIdentity.DefaultNameClaimType, DEMO_USERNAME),
new Claim(ClaimTypes.Email, DEMO_EMAIL)
};
return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer") { BootstrapContext = securityToken });
}
else
{
throw new ApiException(new InvalidTokenProblem());
}
}
public bool IsValidToken(string token) {
var validationParameters = new TokenValidationParameters {
ValidateLifetime = true,
ValidateAudience = true,
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidAudience = _tokenAuthOption.Audience,
ValidIssuer = _tokenAuthOption.Issuer,
IssuerSigningKey = _tokenAuthOption.Key
};
SecurityToken validatedToken;
try {
var principal = _jwtSecurityTokenHandler.ValidateToken(token, validationParameters, out validatedToken);
}
catch (Exception) {
return false;
}
return validatedToken != null;
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
var constructor = ExceptionType.GetTypeInfo().GetConstructor(new[] { typeof(string) });
var exception = (Exception)constructor.Invoke(new[] { ExceptionType.Name });
throw exception;
}
public void WithIssuerKeyValidationShouldValidateInput2(TokenValidationParameters options, IssuerSigningKeyResolver securityKeyResolver)
{
Assert.Throws <ArgumentNullException>(() => options.WithIssuerKeyValidation(securityKeyResolver));
}
public void WithIssuerValidationShouldValidateInput2(TokenValidationParameters options, IEnumerable <string> validIssuers)
{
Assert.Throws <ArgumentNullException>(() => options.WithIssuerValidation(validIssuers));
}
public string ValidateIssuerPublic(JwtSecurityToken jwt, TokenValidationParameters validationParameters)
{
return(base.ValidateIssuer(jwt.Issuer, jwt, validationParameters));
}
public void ValidateSigningTokenPublic(SecurityKey securityKey, JwtSecurityToken jwt, TokenValidationParameters validationParameters)
{
base.ValidateIssuerSecurityKey(securityKey, jwt, validationParameters);
}
private async Task<TokenValidationResult> ValidateJwtAsync(string jwt, string audience, IEnumerable<SymmetricSecurityKey> symmetricKeys, bool validateLifetime = true)
{
var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap.Clear();
var parameters = new TokenValidationParameters
{
ValidIssuer = _context.GetIssuerUri(),
IssuerSigningKeys = symmetricKeys,
ValidateLifetime = validateLifetime,
ValidAudience = audience
};
try
{
SecurityToken jwtToken;
var id = handler.ValidateToken(jwt, parameters, out jwtToken);
// load the client that belongs to the client_id claim
Client client = null;
var clientId = id.FindFirst(JwtClaimTypes.ClientId);
if (clientId != null)
{
client = await _clients.FindClientByIdAsync(clientId.Value);
if (client == null)
{
throw new InvalidOperationException("Client does not exist anymore.");
}
}
return new TokenValidationResult
{
IsError = false,
Claims = id.Claims,
Client = client,
Jwt = jwt
};
}
catch (Exception ex)
{
_logger.LogError("JWT token validation error", ex);
return Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken);
}
}
public void DecryptTokenPublic(JwtSecurityToken token, TokenValidationParameters validationParameters)
{
base.DecryptToken(token, validationParameters);
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddOptions();
services.Configure <PhotoSettings>(Configuration.GetSection(nameof(PhotoSettings)));
services.Configure <InitialAuthSettings>(Configuration.GetSection(nameof(InitialAuthSettings)));
var jwtAppSettingOptions = Configuration.GetSection(nameof(AuthOptions));
services.Configure <AuthOptions>(jwtAppSettingOptions);
// scoped - for each http-request the new release object
services.AddScoped <IPhotoRepository, PhotoRepository>();
services.AddScoped <IVehicleRepository, VehicleRepository>();
services.AddScoped <IUnitOfWork, UnitOfWork>();
services.AddScoped <IAccountService, AccountService>();
services.AddCors();
string connection = Configuration.GetConnectionString("Default");
services.AddDbContext <VegaDbContext>(options => options.UseSqlServer(connection));
//настройка политики паролей
var builder = services.AddIdentityCore <Account>(o =>
{
// configure identity options
o.Password.RequireDigit = false;
o.Password.RequireLowercase = false;
o.Password.RequireUppercase = false;
o.Password.RequireNonAlphanumeric = false;
o.Password.RequiredLength = 6;
});
builder = new IdentityBuilder(builder.UserType, typeof(IdentityRole), builder.Services);
builder.AddEntityFrameworkStores <VegaDbContext>().AddDefaultTokenProviders();
services.AddIdentity <Account, IdentityRole>()
.AddEntityFrameworkStores <VegaDbContext>();
services.AddAutoMapper();
// In production, the Angular files will be served from this directory
services.AddSpaStaticFiles(configuration =>
{
configuration.RootPath = "ClientApp";
});
services.AddMvc()
// .AddFluentValidation(fv => fv.RegisterValidatorsFromAssemblyContaining<Startup>())
.SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
// Get options from app settings
var appSettings = jwtAppSettingOptions.Get <AuthOptions>();
var key = Encoding.ASCII.GetBytes(appSettings.KEY);
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidIssuer = appSettings.ISSUER,
ValidateAudience = false,
ValidAudience = appSettings.AUDIENCE,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(key),
// RequireExpirationTime = false,
ValidateLifetime = true,
// ClockSkew = TimeSpan.Zero
};
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).
AddJwtBearer(options =>
{
// configureOptions.ClaimsIssuer = jwtAppSettingOptions[nameof(AuthOptions.ISSUER)];
options.RequireHttpsMetadata = false;
options.TokenValidationParameters = tokenValidationParameters;
options.IncludeErrorDetails = true;
options.SaveToken = true;
});
// services.AddAuthorization(options =>
// {
// options.AddPolicy("user", policy => policy.RequireRole("admin", "user"));
// options.AddPolicy("admin", policy => policy.RequireClaim(ClaimsIdentity.DefaultRoleClaimType, "admin"));
// });
}
/// <summary>
/// Handle the LTI POST request from the Authorization Server.
/// </summary>
/// <returns></returns>
public async Task <IActionResult> OnPostAsync(
string platformId,
[FromForm(Name = "id_token")] string idToken,
[FromForm(Name = "scope")] string scope = null,
[FromForm(Name = "state")] string state = null,
[FromForm(Name = "session_state")] string sessionState = null)
{
// Authenticate the request starting at step 5 in the OpenId Implicit Flow
// See https://www.imsglobal.org/spec/security/v1p0/#platform-originating-messages
// See https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowSteps
// The Platform MUST send the id_token via the OAuth 2 Form Post
// See https://www.imsglobal.org/spec/security/v1p0/#successful-authentication
// See http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
if (string.IsNullOrEmpty(idToken))
{
Error = "id_token is missing or empty";
return(Page());
}
var handler = new JwtSecurityTokenHandler();
if (!handler.CanReadToken(idToken))
{
Error = "Cannot read id_token";
return(Page());
}
var jwt = handler.ReadJwtToken(idToken);
JwtHeader = jwt.Header;
var messageType = jwt.Claims.SingleOrDefault(c => c.Type == Constants.LtiClaims.MessageType)?.Value;
if (messageType.IsMissing())
{
Error = $"{Constants.LtiClaims.MessageType} claim is missing.";
return(Page());
}
// Authentication Response Validation
// See https://www.imsglobal.org/spec/security/v1p0/#authentication-response-validation
// The ID Token MUST contain a nonce Claim.
var nonce = jwt.Claims.SingleOrDefault(c => c.Type == "nonce")?.Value;
if (string.IsNullOrEmpty(nonce))
{
Error = "Nonce is missing from request.";
return(Page());
}
// If the launch was initiated with a 3rd party login, then there will be a state
// entry for the nonce.
var memorizedState = _stateContext.GetState(nonce);
if (memorizedState == null)
{
Error = "Invalid nonce. Possible request replay.";
return(Page());
}
// The state should be echoed back by the AS without modification
if (memorizedState.Value != state)
{
Error = "Invalid state.";
return(Page());
}
// Look for the platform with platformId in the redirect URI
var platform = await _context.GetPlatformByPlatformId(platformId);
if (platform == null)
{
Error = "Unknown platform.";
return(Page());
}
// Using the JwtSecurityTokenHandler.ValidateToken method, validate four things:
//
// 1. The Issuer Identifier for the Platform MUST exactly match the value of the iss
// (Issuer) Claim (therefore the Tool MUST previously have been made aware of this
// identifier.
// 2. The Tool MUST Validate the signature of the ID Token according to JSON Web Signature
// RFC 7515, Section 5; using the Public Key for the Platform which collected offline.
// 3. The Tool MUST validate that the aud (audience) Claim contains its client_id value
// registered as an audience with the Issuer identified by the iss (Issuer) Claim. The
// aud (audience) Claim MAY contain an array with more than one element. The Tool MUST
// reject the ID Token if it does not list the client_id as a valid audience, or if it
// contains additional audiences not trusted by the Tool.
// 4. The current time MUST be before the time represented by the exp Claim;
RSAParameters rsaParameters;
try
{
var httpClient = _httpClientFactory.CreateClient();
var keySetJson = await httpClient.GetStringAsync(platform.JwkSetUrl);
var keySet = JsonConvert.DeserializeObject <JsonWebKeySet>(keySetJson);
var key = keySet.Keys.SingleOrDefault(k => k.Kid == jwt.Header.Kid);
if (key == null)
{
Error = "No matching key found.";
return(Page());
}
rsaParameters = new RSAParameters
{
Modulus = Base64UrlEncoder.DecodeBytes(key.N),
Exponent = Base64UrlEncoder.DecodeBytes(key.E)
};
}
catch (Exception e)
{
Error = e.Message;
return(Page());
}
var validationParameters = new TokenValidationParameters
{
ValidateTokenReplay = true,
ValidateAudience = true,
ValidateIssuer = true,
RequireSignedTokens = true,
ValidateIssuerSigningKey = true,
ValidAudience = platform.ClientId,
ValidIssuer = platform.Issuer,
IssuerSigningKey = new RsaSecurityKey(rsaParameters),
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(5.0)
};
try
{
handler.ValidateToken(idToken, validationParameters, out _);
}
catch (Exception e)
{
Error = e.Message;
return(Page());
}
if (messageType == Constants.Lti.LtiDeepLinkingRequestMessageType)
{
return(Post("/Catalog", new { idToken }));
}
IdToken = idToken;
LtiRequest = new LtiResourceLinkRequest(jwt.Payload);
var tokenResponse = await _accessTokenService.GetAccessTokenAsync(
LtiRequest.Iss,
Constants.LtiScopes.Ags.LineItem);
var lineItemClient = _httpClientFactory.CreateClient();
lineItemClient.SetBearerToken(tokenResponse.AccessToken);
lineItemClient.DefaultRequestHeaders.Accept
.Add(new MediaTypeWithQualityHeaderValue(Constants.MediaTypes.LineItem));
var resultsUrl = $"{LtiRequest.AssignmentGradeServices.LineItemUrl}/{Constants.ServiceEndpoints.Ags.ResultsService}";
var resultsResponse = await lineItemClient.GetAsync(resultsUrl);
var resultsContent = await resultsResponse.Content.ReadAsStringAsync();
var results = JsonConvert.DeserializeObject <ResultContainer>(resultsContent);
Results = results;
var lineItemResponse = await lineItemClient.GetAsync(LtiRequest.AssignmentGradeServices.LineItemUrl);
var lineItemContent = await lineItemResponse.Content.ReadAsStringAsync();
var lineItem = JsonConvert.DeserializeObject <LineItem>(lineItemContent);
LineItem = lineItem;
return(Page());
}
public static IServiceCollection AddInfrastructure(this IServiceCollection services, IConfiguration configuration)
{
services.AddDbContext <ApplicationDbContext>(options => options
.UseLoggerFactory(MyLoggerFactory)
.UseSqlServer(configuration.GetConnectionString("DefaultConnection")));
services.AddDefaultIdentity <ApplicationUser>()
.AddRoles <ApplicationRole>()
.AddEntityFrameworkStores <ApplicationDbContext>();
services.AddIdentityServer()
.AddApiAuthorization <ApplicationUser, ApplicationDbContext>();
services.AddAuthentication()
.AddIdentityServerJwt();
services.AddScoped <IRepository, AsyncRepository>();
services.AddScoped <IApplicationDbContext, ApplicationDbContext>();
services.AddScoped <IJwtService, JwtTokenFactory>();
services.AddScoped <IIdentityService, IdentityService>();
services.AddScoped <ApplicationDbContext>();
var authSettings = configuration.GetSection(nameof(AuthSettings));
var jwtAppSettingOptions = configuration.GetSection(nameof(JwtIssuerOptions));
var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(authSettings[nameof(AuthSettings.SecretKey)]));
services.Configure <AuthSettings>(authSettings);
services.Configure <JwtIssuerOptions>(options =>
{
options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)];
options.SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
});
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)],
ValidateAudience = true,
ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)],
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
RequireExpirationTime = false,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
};
services.Configure <JwtBearerOptions>(IdentityServerJwtConstants.IdentityServerJwtBearerScheme, configureOptions =>
{
configureOptions.ClaimsIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
configureOptions.TokenValidationParameters = tokenValidationParameters;
configureOptions.SaveToken = true;
configureOptions.Events = new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
{
context.Response.Headers.Add("Token-Expired", "true");
}
return(Task.CompletedTask);
},
OnMessageReceived = context =>
{
if (context.Request.Path.Value.Contains("events"))
{
context.Request.Query.TryGetValue("access_token", out var queryTokenValues);
var token = queryTokenValues.FirstOrDefault();
var test = token?.Split(' ');
var bearer = test?.LastOrDefault();
context.Token = bearer;
}
return(Task.CompletedTask);
}
};
});
//[Authorize("Bearer")]
public ActionResult RefreshToken([FromBody] RefreshTokenData refresh)
{
var re = Request;
var headers = re.Headers;
string original = null;
if (headers.ContainsKey("Authorization"))
{
original = headers["Authorization"].ToString().Replace("Bearer ", "");
}
if (string.IsNullOrEmpty(original))
{
return(Unauthorized()); // new { authenticated = false });
}
if (refresh.grant_type != "refresh_token")
{
return(Unauthorized());//new { authenticated = false };
}
var handler = new JwtSecurityTokenHandler();
var validationParametersRefresh = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = _tokenOptions.Issuer,
ValidateAudience = true,
ValidAudience = _tokenOptions.Audience,
ValidateIssuerSigningKey = true,
IssuerSigningKey = _tokenOptions.Key,
ValidateLifetime = true
};
var validationParametersOriginal = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = _tokenOptions.Issuer,
ValidateAudience = true,
ValidAudience = _tokenOptions.Audience,
ValidateIssuerSigningKey = true,
IssuerSigningKey = _tokenOptions.Key,
ValidateLifetime = false
};
ClaimsPrincipal principalOriginal = null;
try
{
principalOriginal = handler.ValidateToken(original, validationParametersOriginal, out var tokiOriginal);
handler.ValidateToken(original, validationParametersRefresh, out _);
}
catch
{
return(Unauthorized()); // new {authenticated = false};
}
var ime = principalOriginal.Claims.First(c => c.Type == "Ime");
var prezime = principalOriginal.Claims.First(c => c.Type == "Prezime");
var username = principalOriginal.Claims.First(c => c.Type == ClaimTypes.Name);
var email = principalOriginal.Claims.First(c => c.Type == ClaimTypes.Email);
var userid = principalOriginal.Claims.First(c => c.Type == ClaimTypes.NameIdentifier);
var subj = new ClaimsIdentity();
var user = _userManager.KorisnikPostoji(username.Value);
if (user == null)
{
return(Unauthorized()); //new { authenticated = false };
}
//var roles = user.Claims.Where(c => c.ClaimType == ClaimTypes.Role).ToList();
var roles = user.Uloge;
subj.AddClaim(new Claim("Ime", ime.Value));
subj.AddClaim(new Claim("Prezime", prezime.Value));
subj.AddClaim(new Claim(ClaimTypes.Email, email.Value));
subj.AddClaim(new Claim(ClaimTypes.Name, username.Value));
subj.AddClaim(new Claim(JwtRegisteredClaimNames.UniqueName, username.Value));
subj.AddClaim(new Claim(ClaimTypes.NameIdentifier, userid.Value));
subj.AddClaim(new Claim("Jezik", user.Lang));
subj.AddClaims(roles.Select(r => new Claim(ClaimTypes.Role, r)));
//var expires = DateTime.UtcNow.AddHours(_satiT);
var expires = DateTime.UtcNow.AddMinutes(_minT);
var accessToken = GetToken(username.Value, expires, subj);
//expires = DateTime.UtcNow.AddHours(_satiRT);
expires = DateTime.UtcNow.AddMinutes(_minRT);
var refreshToken = GetRefreshToken(username.Value, expires);
var query = _session.CreateSQLQuery("exec LogKorisnika :username, :akcija");
query.SetParameter("username", username.Value, NHibernateUtil.String);
query.SetParameter("akcija", "Refresh", NHibernateUtil.String);
query.ExecuteUpdate();
return(Ok(new { authenticated = true, userId = userid.Value, access_token = accessToken, refresh_token = refreshToken }));
}
public void ConfigureServices(IServiceCollection s)
{
s.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info {
Title = "Shop API", Version = "v1"
});
c.AddSecurityDefinition("JWT", new OAuth2Scheme());
});
s.AddIdentity <AppUser, IdentityRole>
(o =>
{
// configure identity options
o.Password.RequireDigit = false;
o.Password.RequireLowercase = false;
o.Password.RequireUppercase = false;
o.Password.RequireNonAlphanumeric = false;
o.Password.RequiredLength = 6;
})
.AddEntityFrameworkStores <ShopIdentityDbContext>()
.AddDefaultTokenProviders();
s.AddAutoMapper();
// api user claim policy
s.AddAuthorization(options =>
{
options.AddPolicy(Constants.Strings.AccessPolicy.ApiUser, policy => policy.RequireClaim(Constants.Strings.JwtClaimIdentifiers.Rol, Constants.Strings.JwtClaims.ApiAccess));
});
var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions));
// s.Configure<JwtIssuerOptions>(options => jwtAppSettingOptions.Bind(options));
s.Configure <JwtIssuerOptions>(options =>
{
options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)];
options.SigningCredentials = new SigningCredentials(CompositionRoot.SigningKey, SecurityAlgorithms.HmacSha256);
});
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)],
ValidateAudience = true,
ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)],
ValidateIssuerSigningKey = true,
IssuerSigningKey = CompositionRoot.SigningKey,
RequireExpirationTime = false,
ValidateLifetime = false,
ClockSkew = TimeSpan.Zero
};
s.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.TokenValidationParameters = tokenValidationParameters;
o.Events = new JwtBearerEvents()
{
OnAuthenticationFailed = c =>
{
c.NoResult();
c.Response.StatusCode = 500;
c.Response.ContentType = "text/plain";
if (Environment.IsDevelopment())
{
// Debug only, in production do not share exceptions with the remote host.
return(c.Response.WriteAsync(c.Exception.ToString()));
}
return(c.Response.WriteAsync("An error occurred processing your authentication."));
}
};
});
}
public static void TokenAuthorize(this IServiceCollection services, SiteSetting siteSetting)
{
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
var securityKey = Encoding.UTF8.GetBytes(siteSetting.JwtSetting.SecretKey);
var encriptKey = Encoding.UTF8.GetBytes(siteSetting.JwtSetting.Encryptkey);
var ValidatePrameters = new TokenValidationParameters
{
//Tlorance for Expire Time and Befor Time of Token .
ClockSkew = TimeSpan.Zero,
RequireSignedTokens = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(securityKey),
// I Need Check Expire Token or Not
RequireExpirationTime = true,
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = siteSetting.JwtSetting.Audience,
ValidateIssuer = true,
ValidIssuer = siteSetting.JwtSetting.Issuer,
TokenDecryptionKey = new SymmetricSecurityKey(encriptKey)
};
options.SaveToken = true;
options.RequireHttpsMetadata = false;
options.TokenValidationParameters = ValidatePrameters;
options.Events = new JwtBearerEvents
{
// Fail Authorize
OnAuthenticationFailed = context =>
{
if (context.Exception != null)
{
throw new FilmstanUnAuthourizeException("No Access");
}
return(Task.CompletedTask);
},
OnTokenValidated = async context =>
{
var domainUnitofWork = context.HttpContext.RequestServices.GetRequiredService <IDomainUnitOfWork>();
var claimsIdentity = context.Principal.Identity as ClaimsIdentity;
var securityStamp = claimsIdentity.FindAll(new ClaimsIdentityOptions().SecurityStampClaimType).ToList();
var userSecurityInfo = await domainUnitofWork.UsersRepository.GetUserTokenInfo(Guid.Parse(claimsIdentity.GetUserId()));
if (claimsIdentity.Claims.Any() != true)
{
context.Fail("Token Has No Claim");
}
if (securityStamp == null)
{
throw new FilmstanUnAuthourizeException("No securityStamp");
}
if (userSecurityInfo.Result.IsActive == false)
{
throw new FilmstanUnAuthourizeException("User not Active");
}
if (userSecurityInfo.Result.UserSecurityStamp != Guid.Parse(securityStamp[0].Value))
{
throw new FilmstanUnAuthourizeException("User Security Stamp Invalid");
}
if (userSecurityInfo.Result.RoleSecurityStamp != Guid.Parse(securityStamp[1].Value))
{
throw new FilmstanUnAuthourizeException("Role Security Stamp Invalid");
}
},
// when Server Recived the Token haven't Token
OnChallenge = context =>
{
if (context.AuthenticateFailure != null)
{
throw new FilmstanUnAuthourizeException("AuthenticateFailure");
}
return(Task.CompletedTask);
}
};
});
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// Get options from app settings
services.AddOptions();
ConfigureCustomOptions(services);
var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions));
_key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration["SecretKey"]));
// Configure JwtIssuerOptions
services.Configure <JwtIssuerOptions>(options =>
{
options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)];
options.SigningCredentials = new SigningCredentials(_key, SecurityAlgorithms.HmacSha256);
});
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)],
ValidateAudience = true,
ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)],
ValidateIssuerSigningKey = true,
IssuerSigningKey = _key,
RequireExpirationTime = false,
ValidateLifetime = false,
ClockSkew = TimeSpan.Zero
};
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)];
options.RequireHttpsMetadata = false;
options.ClaimsIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
options.TokenValidationParameters = tokenValidationParameters;
});
services.AddAuthorization(options =>
{
options.AddPolicy("AppUser",
policy => policy.RequireClaim("Organizatie", "Ong"));
});
services.AddApplicationInsightsTelemetry(Configuration);
services.AddMvc(config =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
config.Filters.Add(new AuthorizeFilter(policy));
});
services.AddSwaggerGen(options =>
{
options.SwaggerDoc("v1", new Info
{
Version = "v1",
Title = "Monitorizare Vot - API privat",
Description = "API care ofera suport aplicatiilor folosite de observatori.",
TermsOfService = "TBD",
Contact =
new Contact
{
Email = "*****@*****.**",
Name = "Code for Romania",
Url = "http://monitorizarevot.ro"
},
});
options.AddSecurityDefinition("bearer", new ApiKeyScheme()
{
Name = "Authorization",
In = "header",
Type = "apiKey"
});
options.AddSecurityRequirement(new Dictionary <string, IEnumerable <string> > {
{ "bearer", new[] { "readAccess", "writeAccess" } }
});
options.OperationFilter <AddFileUploadParams>();
var path = PlatformServices.Default.Application.ApplicationBasePath +
System.IO.Path.DirectorySeparatorChar + "VotingIrregularities.Api.xml";
if (System.IO.File.Exists(path))
{
options.IncludeXmlComments(path);
}
});
services.UseSimpleInjectorAspNetRequestScoping(_container);
ConfigureContainer(services);
ConfigureCache(services);
}
public AuthController(UserManager <ApplicationUser> _userManager, RoleManager <MongoRole> _roleManager, IConfiguration _configuration, IMongoDatabaseSettings _settings, TokenValidationParameters _tokenValidationParams)
{
userManager = _userManager;
roleManager = _roleManager;
configuration = _configuration;
settings = _settings;
tokenValidationParams = _tokenValidationParams;
}
public bool LifetimeValidator(DateTime?notBefore, DateTime?expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
{
if (expires != null)
{
if (DateTime.UtcNow < expires)
{
return(true);
}
}
return(false);
}
public long? ValidateToken(string accessToken)
{
var handler = new JwtSecurityTokenHandler();
if (!handler.CanValidateToken) return null;
var signedCredentials = this.options.SigningCredentials ?? TokenProvider.DefaultSigningCredentials();
var validationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = this.options.Issuer,
ValidateAudience = true,
ValidAudience = this.options.Audience,
ValidateLifetime = true,
IssuerSigningKey = signedCredentials.Key
};
long? result = null;
try
{
SecurityToken validatedToken;
var claimsPrincipal = handler.ValidateToken(accessToken, validationParameters, out validatedToken);
foreach (var claim in claimsPrincipal.Claims)
{
if (claim.Type != "id") continue;
long id;
if (long.TryParse(claim.Value, out id)) result = id;
break;
}
}
catch(Exception e)
{
InColUn.Logger.Instance.Log(InColUn.LogLevel.Exception,
string.Format("Token validation exception for: {0}", accessToken), e);
}
return result;
}
private static void ConfigureJwtAuthentication(IServiceCollection services, TenantsBuilder tenantsBuilder, IConfiguration configuration)
{
var authenticationBuilder = services.AddAuthentication();
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
string[] requiredScopesSplit = null;
string requiredScopes = configuration["Identity:Jwt:RequiredScopes"];
if (!string.IsNullOrEmpty(requiredScopes))
{
requiredScopesSplit = requiredScopes.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
if (requiredScopesSplit.Length == 0)
{
requiredScopesSplit = null;
}
}
if (tenantsBuilder == null)
{
string defaultClientAuthority = configuration[$"Identity:DefaultClient:Authority"];
if (string.IsNullOrEmpty(defaultClientAuthority))
{
throw new Exception("Identity default client authority string is empty");
}
string defaultClientAudience = configuration[$"Identity:DefaultClient:Audience"];
if (string.IsNullOrEmpty(defaultClientAudience))
{
throw new Exception("Identity default client audience string is empty");
}
authenticationBuilder.AddJwtBearer(IdentityCoreConstants.JwtScheme, jwt =>
{
jwt.RequireHttpsMetadata = true;
jwt.Authority = defaultClientAuthority;
jwt.Audience = defaultClientAudience;
jwt.TokenValidationParameters = new TokenValidationParameters()
{
ClockSkew = TimeSpan.FromMinutes(5),
RequireSignedTokens = true,
RequireExpirationTime = true,
ValidateLifetime = true,
// audience validation will be done via scope, as recommended in
// https://github.com/IdentityServer/IdentityServer4/issues/127
ValidateAudience = false,
ValidateIssuer = true,
ValidIssuer = defaultClientAuthority
};
});
services.AddAuthorization(options =>
{
options.AddPolicy(IdentityCoreConstants.JwtPolicy, policy =>
{
policy.AuthenticationSchemes.Add(IdentityCoreConstants.JwtScheme);
if (requiredScopesSplit != null)
{
policy.RequireAssertion(handler =>
{
return(CheckScopes(handler.User, requiredScopesSplit));
});
}
policy.RequireAuthenticatedUser();
});
});
}
else
{
authenticationBuilder.AddJwtBearer(IdentityCoreConstants.JwtScheme, jwt =>
{
jwt.RequireHttpsMetadata = true;
});
tenantsBuilder.WithPerTenantOptions <JwtBearerOptions>((jwt, tenantInfo) =>
{
jwt.Authority = tenantInfo.DeveloperAuthority;
jwt.Audience = tenantInfo.DeveloperAudience;
var tokenValidationParameters = new TokenValidationParameters()
{
ClockSkew = TimeSpan.FromMinutes(5),
RequireSignedTokens = true,
RequireExpirationTime = true,
ValidateLifetime = true,
// audience validation will be done via scope, as recommended in
// https://github.com/IdentityServer/IdentityServer4/issues/127
ValidateAudience = false,
ValidateIssuer = true,
ValidIssuer = tenantInfo.DeveloperAuthority
};
if (tenantInfo.DeveloperCertificate != null)
{
// if we cannot resolve it from some discovery endpoint
tokenValidationParameters.IssuerSigningKey = new X509SecurityKey(tenantInfo.DeveloperCertificate);
}
jwt.TokenValidationParameters = tokenValidationParameters;
});
ConfigureExternalAuthenticationServices(authenticationBuilder, tenantsBuilder, configuration);
services.AddAuthorization(options =>
{
options.AddPolicy(IdentityCoreConstants.JwtPolicy, policy =>
{
policy.AuthenticationSchemes.Add(IdentityCoreConstants.JwtScheme);
policy.Requirements.Add(new ClientDeveloperUuidRequirement());
if (requiredScopesSplit != null)
{
policy.RequireAssertion(handler =>
{
return(CheckScopes(handler.User, requiredScopesSplit));
});
}
policy.RequireAuthenticatedUser();
});
});
services.AddSingleton <IAuthorizationHandler, ClientDeveloperUuidRequirementHandler>();
}
}
public override ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
return(base.ValidateToken(securityToken, validationParameters, out validatedToken));
}
private static IConveyBuilder AddJwt(this IConveyBuilder builder, JwtOptions options)
{
if (!builder.TryRegister(RegistryName))
{
return(builder);
}
builder.Services.AddSingleton(options);
builder.Services.AddSingleton <IJwtHandler, JwtHandler>();
builder.Services.AddSingleton <IAccessTokenService, InMemoryAccessTokenService>();
builder.Services.AddTransient <AccessTokenValidatorMiddleware>();
var tokenValidationParameters = new TokenValidationParameters
{
RequireAudience = options.RequireAudience,
ValidIssuer = options.ValidIssuer,
ValidIssuers = options.ValidIssuers,
ValidateActor = options.ValidateActor,
ValidAudience = options.ValidAudience,
ValidAudiences = options.ValidAudiences,
ValidateAudience = options.ValidateAudience,
ValidateIssuer = options.ValidateIssuer,
ValidateLifetime = options.ValidateLifetime,
ValidateTokenReplay = options.ValidateTokenReplay,
ValidateIssuerSigningKey = options.ValidateIssuerSigningKey,
SaveSigninToken = options.SaveSigninToken,
RequireExpirationTime = options.RequireExpirationTime,
RequireSignedTokens = options.RequireSignedTokens,
ClockSkew = TimeSpan.Zero
};
if (!string.IsNullOrWhiteSpace(options.AuthenticationType))
{
tokenValidationParameters.AuthenticationType = options.AuthenticationType;
}
if (!string.IsNullOrWhiteSpace(options.IssuerSigningKey))
{
tokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(
Encoding.UTF8.GetBytes(options.IssuerSigningKey));
}
if (!string.IsNullOrWhiteSpace(options.NameClaimType))
{
tokenValidationParameters.NameClaimType = options.NameClaimType;
}
if (!string.IsNullOrWhiteSpace(options.RoleClaimType))
{
tokenValidationParameters.RoleClaimType = options.RoleClaimType;
}
builder.Services.AddSingleton(tokenValidationParameters);
builder.Services
.AddAuthentication(o =>
{
o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.Authority = options.Authority;
o.Audience = options.Audience;
o.MetadataAddress = options.MetadataAddress;
o.SaveToken = options.SaveToken;
o.RefreshOnIssuerKeyNotFound = options.RefreshOnIssuerKeyNotFound;
o.RequireHttpsMetadata = options.RequireHttpsMetadata;
o.IncludeErrorDetails = options.IncludeErrorDetails;
o.TokenValidationParameters = tokenValidationParameters;
if (!string.IsNullOrWhiteSpace(options.Challenge))
{
o.Challenge = options.Challenge;
}
});
return(builder);
}
public void ValidateAudiencePublic(JwtSecurityToken jwt, TokenValidationParameters validationParameters)
{
base.ValidateAudience(jwt.Audiences, jwt, validationParameters);
}
public void ConfigureServices(IServiceCollection services)
{
#region Serilog
/*这里配置的意思是:全局最低记录日志级别是Debug,但是针对以Microsoft开头的命名空间的最低级别是Information。
*
* 使用Enruch.FromLogContext()可以让程序在执行上下文时动态添加或移除属性(这个需要看文档)。
*
* 按日生成记录文件,日志文件名后会带着日期,并放到./logs目录下*/
Log.Logger = new LoggerConfiguration()
.MinimumLevel.Debug()
.MinimumLevel.Override("Microsoft", LogEventLevel.Information)
.Enrich.FromLogContext()
.WriteTo.Console()
.WriteTo.File(Path.Combine("logs", @"log.txt"), rollingInterval: RollingInterval.Day)
.CreateLogger();
#endregion
#region Swagger
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info
{
Title = "约",
Version = "v1",
Description = "海贼王",
Contact = new Contact
{
Name = "醉人",
Email = "*****@*****.**",
Url = "https://www.zuiren.xyz"
}
});
#region API 文档说明
var basePath = Path.GetDirectoryName(AppContext.BaseDirectory);
var apiPath = Path.Combine(basePath, "Team.xml");
c.IncludeXmlComments(apiPath, true);
var modelPath = Path.Combine(basePath, "Team.Model.xml");
c.IncludeXmlComments(modelPath, true);
#endregion
#region Token 绑定的 ConfigureService
var security = new Dictionary <string, IEnumerable <string> > {
{ "Team", new string[] { } },
};
c.AddSecurityRequirement(security);
c.AddSecurityDefinition("Team", new ApiKeyScheme
{
Description = "JWT授权 (数据在请求中进行传输) 直接在下框中输入Bearer {token} (注意两者之间是一个空格)\"",
Name = "Authorization", //jwt默认授权的参数名称
In = "header", //jwt默认存放在authorization的信息的位置(请求头)
Type = "apiKey"
});
#endregion
});
#endregion
#region SQL链接
services.AddDbContext <MyContext>(options =>
{
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"));
});
#endregion
#region Policy
services.AddSingleton <IMemoryCache>(factory =>
{
var cache = new MemoryCache(new MemoryCacheOptions());
return(cache);
});
services.AddAuthorization(options =>
{
options.AddPolicy("Client", policy => policy.RequireRole("Client").Build());//.Build()
options.AddPolicy("Captain", policy => policy.RequireRole("Captain").Build());
options.AddPolicy("Admin", policy => policy.RequireRole("Admin").Build());
options.AddPolicy("SuperAdministrator", policy => policy.RequireRole("SuperAdministrator").Build());
options.AddPolicy("ClientOrCaptain", policy => policy.RequireRole("Captain", "Client"));
});
#endregion
#region 认证
//上边用到的 tokenValidationParameters
//读取配置文件
var audienceConfig = Configuration.GetSection("Audience");
var symmetricKeyAsBase64 = audienceConfig["Secret"];
var KeyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
var signingKey = new SymmetricSecurityKey(KeyByteArray);
//令牌验证参数
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey, //还是从 appsettings.json 拿到的
ValidateIssuer = true,
ValidIssuer = audienceConfig["Issuer"], //发行人
ValidateAudience = true,
ValidAudience = audienceConfig["Audience"], //订阅人
ValidateLifetime = true,
//其实和之前的方法是一样的,只不过请注意 ClockSkew 属性,默认是5分钟缓冲。
//总的Token有效时间 = JwtRegisteredClaimNames.Exp + ClockSkew ;
ClockSkew = TimeSpan.Zero,
RequireExpirationTime = true
};
services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.TokenValidationParameters = tokenValidationParameters;
});
#endregion
#region FluentValidation
services.AddTransient <IValidator <UserUpdateMap>, UserUpdateValidator>();
services.AddTransient <IValidator <UserRegisteredMap>, UserRegisteredValidator>();
services.AddTransient <IValidator <UserLoginMap>, UserLoginValidator>();
services.AddTransient <IValidator <TeamCreateMap>, TeamCreateValidator>();
services.AddTransient <IValidator <RunRecordMap>, RunRecordValidator>();
#endregion
#region 接口生命周期
services.AddScoped <IJwtHelper, JwtHelper>();
services.AddScoped <IUnitOfWork, UnitOfWork>();
services.AddScoped <IUserRepository, UserRepository>();
services.AddScoped <ITeamBall, TeamBall>();
services.AddScoped <IRunRepository, RunRepository>();
services.AddScoped <IImagesResource, ImagesResource>();
services.AddScoped <IRunTeamResource, RunTeamResource>();
services.AddScoped <ILatitudeAndLongitudeResource, LatitudeAndLongitudeResource>();
services.AddScoped <IListResource, ListResource>();
services.AddScoped <IParentResource, ParentResource>();
#endregion
services.AddAutoMapper();
services.AddTimedJob();
#region 将Json.NET配置为忽略它在对象图中找到的循环
services.AddMvc()
.AddJsonOptions(
options => options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore
);
#endregion
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2).AddFluentValidation().AddJsonOptions(
options => options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore);
}
public void ValidateLifetimePublic(JwtSecurityToken jwt, TokenValidationParameters validationParameters)
{
base.ValidateLifetime(DateTime.UtcNow, DateTime.UtcNow, jwt, validationParameters);
}
public void ConfigureServices(IServiceCollection services)
{
// Registra o contexto do banco
BootStrapper.RegisterDbContext(Configuration, services);
BootStrapper.Register(services);
BootStrapper.RegisterIdentity(Configuration, services);
// Configura o mapeamento
var mapper = AutoMapperConfig.RegisterMappings();
BootStrapper.RegisterMappings(services, mapper);
// Register the Swagger generator, defining 1 or more Swagger documents
//services.AddSwaggerGen(c =>
//{
// c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "V1" });
//});
services.AddSwaggerGen(
swagger =>
{
swagger.SwaggerDoc("v1",
new Info
{
Title = "Sistema de Login de Usuários com JWT",
Version = "v1",
Description = "Projeto desenvolvido em aula - COTI Informática"
});
swagger.OperationFilter <HeaderParameter>();
}
);
IdentityBuilder builder = services.AddIdentityCore <User>(options =>
{
options.Password.RequireDigit = false;
options.Password.RequireLowercase = false;
options.Password.RequireNonAlphanumeric = false;
options.Password.RequireUppercase = false;
options.Password.RequiredLength = 4;
}
);
builder = new IdentityBuilder(builder.UserType, typeof(Role), builder.Services);
builder.AddEntityFrameworkStores <ApplicationDbContext>();
builder.AddRoleManager <RoleManager <Role> >();
builder.AddRoleValidator <RoleValidator <Role> >();
builder.AddSignInManager <SignInManager <User> >();
services
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
var key = Encoding.UTF8.GetBytes(Configuration.GetSection("AppSettings:Token").Value);
var tokenValidationParameters = new TokenValidationParameters();
tokenValidationParameters.ValidateIssuerSigningKey = true;
tokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(key);
tokenValidationParameters.ValidateIssuer = false;
tokenValidationParameters.ValidateAudience = false;
options.TokenValidationParameters = tokenValidationParameters;
}
);
//Comentei essa parte para validar o CRUD da APIs, fique a vontade.
services
.AddMvc(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
}
)
.SetCompatibilityVersion(CompatibilityVersion.Version_2_2)
.AddJsonOptions(options =>
{
//Set date configurations
options
.SerializerSettings
.DateTimeZoneHandling = DateTimeZoneHandling.Local;
options
.SerializerSettings
.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore;
}
);
services.AddCors();
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}
public IdentityService(UserManager <IdentityUser> userManager, JwtSettings jwtSettings, TokenValidationParameters tokenValidationParameters, DataContext context, IFacebookAuthService facebookAuthService)
{
_userManager = userManager;
_jwtSettings = jwtSettings;
_tokenValidationParameters = tokenValidationParameters;
_context = context;
_facebookAuthService = facebookAuthService;
}
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddSwaggerGen(c => {
c.SwaggerDoc("v1", new OpenApiInfo
{
Version = "v1",
Title = "Cart Microservice",
Description = "API Documentation",
//Contact = new OpenApiContact() {
// Name = "Dheeraj Vyas",
// Email = "*****@*****.**",
// Url = new System.Uri("https://github.com/sebamed")
// },
// License = new OpenApiLicense {
// Name = "MIT",
// Url = new System.Uri("https://opensource.org/licenses/MIT")
//},
});
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
{
In = ParameterLocation.Header,
Description = "Please insert JWT with Bearer into field",
Name = "Authorization",
Type = SecuritySchemeType.ApiKey
});
c.AddSecurityRequirement(new OpenApiSecurityRequirement {
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference
{
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
}
},
new string[] { }
}
});
});
//Security
var audienceConfig = Configuration.GetSection("Audience");
var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(audienceConfig["Secret"]));
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
ValidateIssuer = true,
ValidIssuer = audienceConfig["Iss"],
ValidateAudience = true,
ValidAudience = audienceConfig["Aud"],
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero,
RequireExpirationTime = true,
};
services
.AddAuthentication(x => {
x.DefaultAuthenticateScheme = audienceConfig["Secret"];
x.DefaultChallengeScheme = audienceConfig["Secret"];
})
.AddJwtBearer(audienceConfig["Secret"], x => {
x.RequireHttpsMetadata = false;
x.TokenValidationParameters = tokenValidationParameters;
});
services.AddSingleton <ICartService, CartService>();
}
public void WithIssuerKeyValidationShouldValidateInput3(TokenValidationParameters options, IEnumerable <SecurityKey> securityKeys)
{
Assert.Throws <ArgumentNullException>(() => options.WithIssuerKeyValidation(securityKeys));
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, SagaBus sagaBus,
IOptions<OAuth20Configuration> oauthOptions)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseApplicationInsightsRequestTelemetry();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseBrowserLink();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseApplicationInsightsExceptionTelemetry();
app.UseStaticFiles();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationScheme = "Obsidian.Cookie",
AutomaticChallenge = false,
AutomaticAuthenticate = false
});
var oauthConfig = oauthOptions.Value;
var key = oauthConfig.TokenSigningKey;
var signingKey = new SymmetricSecurityKey(Encoding.Unicode.GetBytes(key));
var param = new TokenValidationParameters
{
AuthenticationType = "Bearer",
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
ValidateIssuer = true,
ValidIssuer = oauthConfig.TokenIssuer,
ValidAudience = oauthConfig.TokenAudience
};
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
TokenValidationParameters = param,
AutomaticAuthenticate = false,
AutomaticChallenge = false
});
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
MappingConfig.ConfigureQueryModelMapping();
sagaBus.RegisterSagas();
}
public void WithAudienceValidationShouldValidateInput1(TokenValidationParameters options, string validAudience)
{
Assert.Throws <ArgumentNullException>(() => options.WithAudienceValidation(validAudience));
}
internal static Lazy<OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return new Lazy<OAuthBearerAuthenticationOptions>(() =>
{
JwtFormat tokenFormat = null;
// use static configuration
if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
options.SigningCertificate != null)
{
var audience = options.IssuerName.EnsureTrailingSlash();
audience += "resources";
var valParams = new TokenValidationParameters
{
ValidIssuer = options.IssuerName,
ValidAudience = audience,
IssuerSigningToken = new X509SecurityToken(options.SigningCertificate),
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
};
tokenFormat = new JwtFormat(valParams);
}
else
{
// use discovery endpoint
if (string.IsNullOrWhiteSpace(options.Authority))
{
throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
}
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
var valParams = new TokenValidationParameters
{
ValidAudience = issuerProvider.Audience,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
tokenFormat = new JwtFormat(valParams, issuerProvider);
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider)
};
return bearerOptions;
}, true);
}
protected override void ValidateAudience(IEnumerable <string> audiences, JwtSecurityToken jwt, TokenValidationParameters validationParameters)
{
DerivedJwtSecurityToken derivedJwt = jwt as DerivedJwtSecurityToken;
Assert.NotNull(derivedJwt);
ValidateAudienceCalled = true;
base.ValidateAudience(audiences, jwt, validationParameters);
}
// This method gets called by the runtime. Use this method to add services to the container.
public IServiceProvider ConfigureServices(IServiceCollection services)
{
#region 部分服务注入-netcore自带方法
//缓存注入
services.AddScoped <ICaching, MemoryCaching>();
services.AddSingleton <IMemoryCache>(factory =>
{
var cache = new MemoryCache(new MemoryCacheOptions());
return(cache);
});
//Redis注入
services.AddScoped <IRedisCacheManager, RedisCacheManager>();
//log日志注入
services.AddSingleton <ILoggerHelper, LogHelper>();
#endregion
#region 初始化DB
services.AddScoped <Blog.Core.Model.Models.DBSeed>();
services.AddScoped <Blog.Core.Model.Models.MyContext>();
#endregion
#region Automapper
services.AddAutoMapper(typeof(Startup));
#endregion
#region CORS
//跨域第二种方法,声明策略,记得下边app中配置
services.AddCors(c =>
{
//↓↓↓↓↓↓↓注意正式环境不要使用这种全开放的处理↓↓↓↓↓↓↓↓↓↓
c.AddPolicy("AllRequests", policy =>
{
policy
.AllowAnyOrigin() //允许任何源
.AllowAnyMethod() //允许任何方式
.AllowAnyHeader() //允许任何头
.AllowCredentials(); //允许cookie
});
//↑↑↑↑↑↑↑注意正式环境不要使用这种全开放的处理↑↑↑↑↑↑↑↑↑↑
//一般采用这种方法
c.AddPolicy("LimitRequests", policy =>
{
policy
.WithOrigins("http://127.0.0.1:1818", "http://*****:*****@xxx.com", Url = "https://www.jianshu.com/u/94102b59cc2a" }
//});
//遍历出全部的版本,做文档信息展示
typeof(ApiVersions).GetEnumNames().ToList().ForEach(version =>
{
c.SwaggerDoc(version, new Info
{
// {ApiName} 定义成全局变量,方便修改
Version = version,
Title = $"{ApiName} 接口文档",
Description = $"{ApiName} HTTP API " + version,
TermsOfService = "None",
Contact = new Contact {
Name = "Blog.Core", Email = "*****@*****.**", Url = "https://www.jianshu.com/u/94102b59cc2a"
}
});
// 按相对路径排序,作者:Alby
c.OrderActionsBy(o => o.RelativePath);
});
//就是这里
var xmlPath = Path.Combine(basePath, "Blog.Core.xml"); //这个就是刚刚配置的xml文件名
c.IncludeXmlComments(xmlPath, true); //默认的第二个参数是false,这个是controller的注释,记得修改
var xmlModelPath = Path.Combine(basePath, "Blog.Core.Model.xml"); //这个就是Model层的xml文件名
c.IncludeXmlComments(xmlModelPath);
#region Token绑定到ConfigureServices
//添加header验证信息
//c.OperationFilter<SwaggerHeader>();
// 发行人
var IssuerName = (Configuration.GetSection("Audience"))["Issuer"];
var security = new Dictionary <string, IEnumerable <string> > {
{ IssuerName, new string[] { } },
};
c.AddSecurityRequirement(security);
//方案名称“Blog.Core”可自定义,上下一致即可
c.AddSecurityDefinition(IssuerName, new ApiKeyScheme
{
Description = "JWT授权(数据将在请求头中进行传输) 直接在下框中输入Bearer {token}(注意两者之间是一个空格)\"",
Name = "Authorization", //jwt默认的参数名称
In = "header", //jwt默认存放Authorization信息的位置(请求头中)
Type = "apiKey"
});
#endregion
});
#endregion
#region MVC
//注入全局异常捕获
services.AddMvc(o =>
{
o.Filters.Add(typeof(GlobalExceptionsFilter));
}).SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
#endregion
#region JWT Token Service
//读取配置文件
var audienceConfig = Configuration.GetSection("Audience");
var symmetricKeyAsBase64 = audienceConfig["Secret"];
var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
var signingKey = new SymmetricSecurityKey(keyByteArray);
// 令牌验证参数
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
ValidateIssuer = true,
ValidIssuer = audienceConfig["Issuer"], //发行人
ValidateAudience = true,
ValidAudience = audienceConfig["Audience"], //订阅人
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero,
RequireExpirationTime = true,
};
var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
// 注意使用RESTful风格的接口会更好,因为只需要写一个Url即可,比如:/api/values 代表了Get Post Put Delete等多个。
// 如果想写死,可以直接在这里写。
//var permission = new List<Permission> {
// new Permission { Url="/api/values", Role="Admin"},
// new Permission { Url="/api/values", Role="System"},
// new Permission { Url="/api/claims", Role="Admin"},
// };
// 如果要数据库动态绑定,这里先留个空,后边处理器里动态赋值
var permission = new List <PermissionItem>();
// 角色与接口的权限要求参数
var permissionRequirement = new PermissionRequirement(
"/api/denied", // 拒绝授权的跳转地址(目前无用)
permission,
ClaimTypes.Role, //基于角色的授权
audienceConfig["Issuer"], //发行人
audienceConfig["Audience"], //听众
signingCredentials, //签名凭据
expiration: TimeSpan.FromSeconds(60 * 10) //接口的过期时间
);
services.AddAuthorization(options =>
{
options.AddPolicy("Client",
policy => policy.RequireRole("Client").Build());
options.AddPolicy("Admin",
policy => policy.RequireRole("Admin").Build());
options.AddPolicy("SystemOrAdmin",
policy => policy.RequireRole("Admin", "System"));
// 自定义权限要求
options.AddPolicy("Permission",
policy => policy.Requirements.Add(permissionRequirement));
})
.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.TokenValidationParameters = tokenValidationParameters;
o.Events = new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
// 如果过期,则把<是否过期>添加到,返回头信息中
if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
{
context.Response.Headers.Add("Token-Expired", "true");
}
return(Task.CompletedTask);
}
};
});
services.AddSingleton <IAuthorizationHandler, PermissionHandler>();
services.AddSingleton(permissionRequirement);
#endregion
#region AutoFac
//实例化 AutoFac 容器
var builder = new ContainerBuilder();
//注册要通过反射创建的组件
//builder.RegisterType<AdvertisementServices>().As<IAdvertisementServices>();
builder.RegisterType <BlogCacheAOP>(); //可以直接替换其他拦截器
builder.RegisterType <BlogLogAOP>(); //这样可以注入第二个
// ※※★※※ 如果你是第一次下载项目,请先F6编译,然后再F5执行,※※★※※
#region Service.dll 注入,有对应接口
//获取项目绝对路径,请注意,这个是实现类的dll文件,不是接口 IService.dll ,注入容器当然是Activatore
var servicesDllFile = Path.Combine(basePath, "Blog.Core.Services.dll");
var assemblysServices = Assembly.LoadFile(servicesDllFile);//直接采用加载文件的方法
//builder.RegisterAssemblyTypes(assemblysServices).AsImplementedInterfaces();//指定已扫描程序集中的类型注册为提供所有其实现的接口。
builder.RegisterAssemblyTypes(assemblysServices)
.AsImplementedInterfaces()
.InstancePerLifetimeScope()
.EnableInterfaceInterceptors() //引用Autofac.Extras.DynamicProxy;
// 如果你想注入两个,就这么写 InterceptedBy(typeof(BlogCacheAOP), typeof(BlogLogAOP));
.InterceptedBy(typeof(BlogCacheAOP), typeof(BlogLogAOP)); //允许将拦截器服务的列表分配给注册。
#endregion
#region Repository.dll 注入,有对应接口
var repositoryDllFile = Path.Combine(basePath, "Blog.Core.Repository.dll");
var assemblysRepository = Assembly.LoadFile(repositoryDllFile);
builder.RegisterAssemblyTypes(assemblysRepository).AsImplementedInterfaces();
#endregion
#region 其他注入
#region 没有接口的 dll 层注入
////因为没有接口层,所以不能实现解耦,只能用 Load 方法。
////var assemblysServicesNoInterfaces = Assembly.Load("Blog.Core.Services");
////builder.RegisterAssemblyTypes(assemblysServicesNoInterfaces);
#endregion
#region 没有接口的单独类 class 注入
////只能注入该类中的虚方法
builder.RegisterAssemblyTypes(Assembly.GetAssembly(typeof(Love)))
.EnableClassInterceptors()
.InterceptedBy(typeof(BlogLogAOP));
#endregion
#endregion
//将services填充到Autofac容器生成器中
builder.Populate(services);
//使用已进行的组件登记创建新容器
var ApplicationContainer = builder.Build();
#endregion
return(new AutofacServiceProvider(ApplicationContainer));//第三方IOC接管 core内置DI容器
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions));
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)],
ValidateAudience = true,
ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)],
ValidateIssuerSigningKey = true,
IssuerSigningKey = _signingKey,
RequireExpirationTime = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero,
};
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
TokenValidationParameters = tokenValidationParameters,
RequireHttpsMetadata = !env.IsDevelopment(),
});
app.UseDefaultFiles();
app.UseStaticFiles();
app.UseIdentity();
app.UseMvc();
app.UseWebSockets();
app.UseSignalR();
var logger = loggerFactory.CreateLogger("Yiyi" + jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)]);
logger.LogInformation("IsDev: " + env.IsDevelopment());
using (var serviceScope = app.ApplicationServices.GetRequiredService<IServiceScopeFactory>().CreateScope())
{
var ctx = serviceScope.ServiceProvider.GetService<BrewMaticContext>();
ctx.Database.Migrate();
ctx.Seed();
var ctx2 = serviceScope.ServiceProvider.GetService<IdentityContext>();
ctx2.Database.Migrate();
var usrMgr = serviceScope.ServiceProvider.GetService<UserManager<ApplicationUser>>();
var rlMgr = serviceScope.ServiceProvider.GetService<RoleManager<IdentityRole>>();
ctx2.Seed(usrMgr, rlMgr, Configuration["DefaultPassword"]);
}
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
throw new SecurityTokenException("InvalidToken");
}
private TokenValidationParameters CreateTokenValidationParameters()
{
var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions));
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)],
ValidateAudience = true,
ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)],
ValidateIssuerSigningKey = true,
IssuerSigningKey = _signingKey,
RequireExpirationTime = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
};
return tokenValidationParameters;
}
protected override void ValidateIssuerSecurityKey(SecurityKey securityKey, JwtSecurityToken securityToken, TokenValidationParameters validationParameters)
{
DerivedJwtSecurityToken derivedJwt = securityToken as DerivedJwtSecurityToken;
Assert.NotNull(derivedJwt);
ValidateIssuerSigningKeyCalled = true;
base.ValidateIssuerSecurityKey(securityKey, securityToken, validationParameters);
}
protected override string ValidateIssuer(string issuer, JwtSecurityToken jwt, TokenValidationParameters validationParameters)
{
DerivedJwtSecurityToken derivedJwt = jwt as DerivedJwtSecurityToken;
Assert.NotNull(derivedJwt);
ValidateIssuerCalled = true;
return(base.ValidateIssuer(issuer, jwt, validationParameters));
}
protected override void ValidateLifetime(DateTime?notBefore, DateTime?expires, JwtSecurityToken jwt, TokenValidationParameters validationParameters)
{
DerivedJwtSecurityToken derivedJwt = jwt as DerivedJwtSecurityToken;
Assert.NotNull(derivedJwt);
ValidateLifetimeCalled = true;
base.ValidateLifetime(notBefore, expires, jwt, validationParameters);
}