        /// <summary>
        /// Registers the <see cref="PermissionRequirement"/> used by the token-issuing project.
        /// Call from ConfigureServices of the application that generates tokens.
        /// </summary>
        /// <param name="services">The service collection to register into.</param>
        /// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
        public static IServiceCollection AddJTokenBuild(this IServiceCollection services)
        {
            // Key bytes come from Secret via ASCII, matching the validating side byte for byte.
            // NOTE(review): ASCII maps any non-ASCII character in Secret to '?', which silently
            // shrinks the key space; HS256 also needs a key of adequate length — verify Secret.
            // Changing the encoding here alone would break verification elsewhere.
            var keyBytes = Encoding.ASCII.GetBytes(Secret);
            var key = new SymmetricSecurityKey(keyBytes);
            var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

            // Same issuer/audience pair the validators are configured with.
            var requirement = new PermissionRequirement(Issuer, Audience, credentials);
            services.AddSingleton(requirement);
            return services;
        }
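        /// <summary>
        /// Builds and serializes a JWT signed with the credentials in
        /// <paramref name="permissionRequirement"/>, carrying <paramref name="claims"/> and
        /// valid from the current UTC time for <paramref name="expireTime"/>.
        /// </summary>
        /// <param name="claims">Claims to embed in the token payload.</param>
        /// <param name="permissionRequirement">Supplies issuer, audience and signing credentials.</param>
        /// <param name="expireTime">Token lifetime, measured from <see cref="DateTime.UtcNow"/>.</param>
        /// <returns>The compact serialized token.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="permissionRequirement"/> is null.</exception>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="expireTime"/> is zero or negative.</exception>
        public static string BuildJwtToken(Claim[] claims, PermissionRequirement permissionRequirement, TimeSpan expireTime)
        {
            if (permissionRequirement is null)
            {
                throw new ArgumentNullException(nameof(permissionRequirement));
            }

            // A zero or negative lifetime would produce exp <= nbf, i.e. a token that is never
            // valid; fail fast with a clear message instead (ArgumentOutOfRangeException derives
            // from ArgumentException, so existing catch clauses still match).
            if (expireTime <= TimeSpan.Zero)
            {
                throw new ArgumentOutOfRangeException(nameof(expireTime), expireTime, "Token lifetime must be positive.");
            }

            // UTC throughout: exp/nbf in a JWT are absolute instants, never local time.
            var now = DateTime.UtcNow;
            var jwt = new JwtSecurityToken(
                issuer: permissionRequirement.Issuer,
                audience: permissionRequirement.Audience,
                claims: claims,
                notBefore: now,
                expires: now.Add(expireTime),
                signingCredentials: permissionRequirement.SigningCredentials
                );

            return new JwtSecurityTokenHandler().WriteToken(jwt);
        }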
        /// <summary>
        /// Wires up JWT bearer authentication and the "Permission" authorization policy,
        /// storing the shared <see cref="PermissionRequirement"/> in <c>_permissionRequirement</c>.
        /// </summary>
        /// <param name="services">DI container to configure.</param>
        /// <param name="urls">Resource permissions; not read by this method.</param>
        /// <param name="permission">User permissions; not read by this method.</param>
        public void ConfigureServices(IServiceCollection services, List <ResourcePremission> urls, List <UserPermission> permission)
        {
            // Same ASCII key derivation as the token issuer; both sides must agree byte for byte.
            // NOTE(review): non-ASCII characters in Secret become '?' and reduce effective key entropy.
            var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Secret));

            // Strict validation: signature, issuer, audience and lifetime are all checked,
            // with no clock-skew tolerance.
            var validation = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = signingKey,
                ValidateIssuer = true,
                ValidIssuer = Issuer,
                ValidateAudience = true,
                ValidAudience = Audience,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.Zero,
            };

            services
                .AddAuthentication(options => options.DefaultScheme = AuthenticateScheme)
                .AddJwtBearer(AuthenticateScheme, bearer =>
                {
                    // Metadata may be fetched over plain HTTP ("not using https" in the original).
                    // NOTE(review): acceptable for local development only; production should require HTTPS.
                    bearer.RequireHttpsMetadata = false;
                    bearer.TokenValidationParameters = validation;
                });

            var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

            // Kept on the instance so the singleton and the policy below share one requirement.
            // The original comment mentions a permission collection that could come from a
            // database; no such collection is used here.
            _permissionRequirement = new PermissionRequirement(Issuer, Audience, credentials);

            // Authorization handler plus the requirement it evaluates.
            services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
            services.AddSingleton(_permissionRequirement);

            services.AddAuthorization(options =>
                options.AddPolicy("Permission", policy => policy.Requirements.Add(_permissionRequirement)));
        }
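        /// <summary>
        /// Issues a JWT for the authenticated user described by <paramref name="data"/>.
        /// </summary>
        /// <param name="c">The calling controller; only makes this an extension method, it is not read.</param>
        /// <param name="data">Identity data (Sid, Name, Role) embedded as claims.</param>
        /// <param name="permissionRequirement">Issuer, audience and signing credentials.</param>
        /// <returns>The compact serialized token.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="data"/> or <paramref name="permissionRequirement"/> is null.</exception>
        public static string Login(this Controller c, LoginData data, PermissionRequirement permissionRequirement)
        {
            if (data is null)
            {
                throw new ArgumentNullException(nameof(data));
            }

            if (permissionRequirement is null)
            {
                throw new ArgumentNullException(nameof(permissionRequirement));
            }

            // UTC so the informational Expiration claim agrees with the token's exp, which
            // BuildJwtToken derives from DateTime.UtcNow; the previous DateTime.Now value was
            // off by the server's UTC offset. NOTE(review): consumers parsing this claim should
            // be checked, since its textual format is unchanged but now denotes UTC.
            var expiresAt = DateTime.UtcNow.Add(ExpireTime);
            Claim[] claims =
            {
                new Claim(ClaimTypes.Sid, data.Sid),
                new Claim(ClaimTypes.Name, data.Name),
                new Claim(ClaimTypes.Role, data.Role),
                new Claim(ClaimTypes.Expiration, expiresAt.ToString(CultureInfo.InvariantCulture)),
            };

            // The unused ClaimsIdentity the original built was dropped: only the claims array is needed.
            string token = JwtToken.BuildJwtToken(claims, permissionRequirement, ExpireTime);

            // Strip stray surrounding quotes, kept for compatibility with the original behavior.
            return token.Trim('"');
        }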
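        /// <summary>
        /// Registers JWT bearer authentication plus the "Permission" policy for a business API
        /// behind Ocelot. Call from that application's ConfigureServices.
        /// </summary>
        /// <param name="services">The service collection to configure.</param>
        /// <param name="permission">User permission entries, registered as a singleton for <see cref="PermissionHandler"/>.</param>
        /// <param name="defaultScheme">Name of the scheme that is registered and made the default.</param>
        /// <returns>The <see cref="AuthenticationBuilder"/>, so further schemes can be chained.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="services"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="defaultScheme"/> is null or white space.</exception>
        public static AuthenticationBuilder AddOcelotPolicyJwtBearer(this IServiceCollection services,
                                                                     List <UserPermission> permission, string defaultScheme)
        {
            if (services is null)
            {
                throw new ArgumentNullException(nameof(services));
            }

            // An empty scheme name would register an unusable scheme; fail at startup instead.
            if (string.IsNullOrWhiteSpace(defaultScheme))
            {
                throw new ArgumentException("A non-empty authentication scheme name is required.", nameof(defaultScheme));
            }

            // Key bytes must match the issuer's derivation byte for byte (ASCII on both sides).
            // NOTE(review): ASCII maps non-ASCII characters in Secret to '?', reducing key entropy.
            var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Secret));
            var tokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = signingKey,
                ValidateIssuer = true,
                ValidIssuer = Issuer,            // issuer
                ValidateAudience = true,
                ValidAudience = Audience,        // audience
                ValidateLifetime = true,
                ClockSkew = TimeSpan.Zero,       // no tolerance around exp/nbf
                RequireExpirationTime = true,    // tokens without exp are rejected
            };
            var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
            var permissionRequirement = new PermissionRequirement(Issuer, Audience, signingCredentials);

            // Authorization handler, the requirement it evaluates, and the permission table.
            services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
            services.AddSingleton(permissionRequirement);
            services.AddSingleton(permission);

            return services
                .AddAuthorization(options =>
                    options.AddPolicy("Permission", policy => policy.Requirements.Add(permissionRequirement)))
                .AddAuthentication(options => options.DefaultScheme = defaultScheme)
                .AddJwtBearer(defaultScheme, o =>
                {
                    // Metadata over plain HTTP ("not using https" in the original).
                    // NOTE(review): suitable for local development only; require HTTPS metadata in production.
                    o.RequireHttpsMetadata = false;
                    o.TokenValidationParameters = tokenValidationParameters;
                });
        }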