public TokenProviderOptions() { Path = "/api/token"; Issuer = "ExampleIssuer"; Audience = "ExampleAudience"; Expiration = TimeSpan.FromDays(1); var secretKey = "mysupersecret_secretkey!123"; var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey)); SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256); TokenValidationParameters = new TokenValidationParameters { // The signing key must match! ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, // Validate the JWT Issuer (iss) claim ValidateIssuer = true, ValidIssuer = "ExampleIssuer", // Validate the JWT Audience (aud) claim ValidateAudience = true, ValidAudience = Audience, // Validate the token expiry ValidateLifetime = true, // If you want to allow a certain amount of clock drift, set that here: ClockSkew = TimeSpan.Zero }; }
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { AuthenticationTicket ticket = _ticketDataFormat.Unprotect(securityToken); validatedToken = null; return ticket?.Principal; }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { var audienceConfig = Configuration.GetSection("Audience"); var symmetricKeyAsBase64 = audienceConfig["Secret"]; var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64); var signingKey = new SymmetricSecurityKey(keyByteArray); var options = new TokenProviderOptions { Audience = "ExampleAudience", Issuer = "ExampleIssuer", SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256), }; var tokenValidationParameters = new TokenValidationParameters { // The signing key must match! ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, // Validate the JWT Issuer (iss) claim ValidateIssuer = true, ValidIssuer = options.Issuer, // Validate the JWT Audience (aud) claim ValidateAudience = true, ValidAudience = options.Audience, // Validate the token expiry ValidateLifetime = true, // If you want to allow a certain amount of clock drift, set that here: ClockSkew = TimeSpan.Zero }; loggerFactory.AddConsole(Configuration.GetSection("Logging")); loggerFactory.AddDebug(); app.UseJwtBearerAuthentication(new JwtBearerOptions { AutomaticAuthenticate = true, AutomaticChallenge = true, TokenValidationParameters = tokenValidationParameters, }); app.UseMiddleware<CustomTokenProviderMiddleware>(Options.Create(options)); app.UseMvc(); }
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { validatedToken = null; var claims = new[] { // Make sure to use a different name identifier // than the one defined by CustomTokenValidated. new Claim(ClaimTypes.NameIdentifier, "Bob le Tout Puissant"), new Claim(ClaimTypes.Email, "*****@*****.**"), new Claim(ClaimsIdentity.DefaultNameClaimType, "bob"), }; return new ClaimsPrincipal(new ClaimsIdentity(claims)); }
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { validatedToken = null; if (securityToken == DEMO_TOKEN) { // TODO: Complete all claims and other user data var claims = new[] { new Claim(ClaimTypes.NameIdentifier, DEMO_USERNAME), new Claim(ClaimsIdentity.DefaultNameClaimType, DEMO_USERNAME), new Claim(ClaimTypes.Email, DEMO_EMAIL) }; return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer") { BootstrapContext = securityToken }); } else { throw new ApiException(new InvalidTokenProblem()); } }
public bool IsValidToken(string token) { var validationParameters = new TokenValidationParameters { ValidateLifetime = true, ValidateAudience = true, ValidateIssuer = true, ValidateIssuerSigningKey = true, ValidAudience = _tokenAuthOption.Audience, ValidIssuer = _tokenAuthOption.Issuer, IssuerSigningKey = _tokenAuthOption.Key }; SecurityToken validatedToken; try { var principal = _jwtSecurityTokenHandler.ValidateToken(token, validationParameters, out validatedToken); } catch (Exception) { return false; } return validatedToken != null; }
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { var constructor = ExceptionType.GetTypeInfo().GetConstructor(new[] { typeof(string) }); var exception = (Exception)constructor.Invoke(new[] { ExceptionType.Name }); throw exception; }
public void WithIssuerKeyValidationShouldValidateInput2(TokenValidationParameters options, IssuerSigningKeyResolver securityKeyResolver) { Assert.Throws <ArgumentNullException>(() => options.WithIssuerKeyValidation(securityKeyResolver)); }
public void WithIssuerValidationShouldValidateInput2(TokenValidationParameters options, IEnumerable <string> validIssuers) { Assert.Throws <ArgumentNullException>(() => options.WithIssuerValidation(validIssuers)); }
public string ValidateIssuerPublic(JwtSecurityToken jwt, TokenValidationParameters validationParameters) { return(base.ValidateIssuer(jwt.Issuer, jwt, validationParameters)); }
public void ValidateSigningTokenPublic(SecurityKey securityKey, JwtSecurityToken jwt, TokenValidationParameters validationParameters) { base.ValidateIssuerSecurityKey(securityKey, jwt, validationParameters); }
private async Task<TokenValidationResult> ValidateJwtAsync(string jwt, string audience, IEnumerable<SymmetricSecurityKey> symmetricKeys, bool validateLifetime = true) { var handler = new JwtSecurityTokenHandler(); handler.InboundClaimTypeMap.Clear(); var parameters = new TokenValidationParameters { ValidIssuer = _context.GetIssuerUri(), IssuerSigningKeys = symmetricKeys, ValidateLifetime = validateLifetime, ValidAudience = audience }; try { SecurityToken jwtToken; var id = handler.ValidateToken(jwt, parameters, out jwtToken); // load the client that belongs to the client_id claim Client client = null; var clientId = id.FindFirst(JwtClaimTypes.ClientId); if (clientId != null) { client = await _clients.FindClientByIdAsync(clientId.Value); if (client == null) { throw new InvalidOperationException("Client does not exist anymore."); } } return new TokenValidationResult { IsError = false, Claims = id.Claims, Client = client, Jwt = jwt }; } catch (Exception ex) { _logger.LogError("JWT token validation error", ex); return Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken); } }
public void DecryptTokenPublic(JwtSecurityToken token, TokenValidationParameters validationParameters) { base.DecryptToken(token, validationParameters); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { services.AddOptions(); services.Configure <PhotoSettings>(Configuration.GetSection(nameof(PhotoSettings))); services.Configure <InitialAuthSettings>(Configuration.GetSection(nameof(InitialAuthSettings))); var jwtAppSettingOptions = Configuration.GetSection(nameof(AuthOptions)); services.Configure <AuthOptions>(jwtAppSettingOptions); // scoped - for each http-request the new release object services.AddScoped <IPhotoRepository, PhotoRepository>(); services.AddScoped <IVehicleRepository, VehicleRepository>(); services.AddScoped <IUnitOfWork, UnitOfWork>(); services.AddScoped <IAccountService, AccountService>(); services.AddCors(); string connection = Configuration.GetConnectionString("Default"); services.AddDbContext <VegaDbContext>(options => options.UseSqlServer(connection)); //настройка политики паролей var builder = services.AddIdentityCore <Account>(o => { // configure identity options o.Password.RequireDigit = false; o.Password.RequireLowercase = false; o.Password.RequireUppercase = false; o.Password.RequireNonAlphanumeric = false; o.Password.RequiredLength = 6; }); builder = new IdentityBuilder(builder.UserType, typeof(IdentityRole), builder.Services); builder.AddEntityFrameworkStores <VegaDbContext>().AddDefaultTokenProviders(); services.AddIdentity <Account, IdentityRole>() .AddEntityFrameworkStores <VegaDbContext>(); services.AddAutoMapper(); // In production, the Angular files will be served from this directory services.AddSpaStaticFiles(configuration => { configuration.RootPath = "ClientApp"; }); services.AddMvc() // .AddFluentValidation(fv => fv.RegisterValidatorsFromAssemblyContaining<Startup>()) .SetCompatibilityVersion(CompatibilityVersion.Version_2_1); // Get options from app settings var appSettings = jwtAppSettingOptions.Get <AuthOptions>(); var key = Encoding.ASCII.GetBytes(appSettings.KEY); var tokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false, ValidIssuer = appSettings.ISSUER, ValidateAudience = false, ValidAudience = appSettings.AUDIENCE, ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(key), // RequireExpirationTime = false, ValidateLifetime = true, // ClockSkew = TimeSpan.Zero }; services.AddAuthentication(options => { options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }). AddJwtBearer(options => { // configureOptions.ClaimsIssuer = jwtAppSettingOptions[nameof(AuthOptions.ISSUER)]; options.RequireHttpsMetadata = false; options.TokenValidationParameters = tokenValidationParameters; options.IncludeErrorDetails = true; options.SaveToken = true; }); // services.AddAuthorization(options => // { // options.AddPolicy("user", policy => policy.RequireRole("admin", "user")); // options.AddPolicy("admin", policy => policy.RequireClaim(ClaimsIdentity.DefaultRoleClaimType, "admin")); // }); }
/// <summary> /// Handle the LTI POST request from the Authorization Server. /// </summary> /// <returns></returns> public async Task <IActionResult> OnPostAsync( string platformId, [FromForm(Name = "id_token")] string idToken, [FromForm(Name = "scope")] string scope = null, [FromForm(Name = "state")] string state = null, [FromForm(Name = "session_state")] string sessionState = null) { // Authenticate the request starting at step 5 in the OpenId Implicit Flow // See https://www.imsglobal.org/spec/security/v1p0/#platform-originating-messages // See https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowSteps // The Platform MUST send the id_token via the OAuth 2 Form Post // See https://www.imsglobal.org/spec/security/v1p0/#successful-authentication // See http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html if (string.IsNullOrEmpty(idToken)) { Error = "id_token is missing or empty"; return(Page()); } var handler = new JwtSecurityTokenHandler(); if (!handler.CanReadToken(idToken)) { Error = "Cannot read id_token"; return(Page()); } var jwt = handler.ReadJwtToken(idToken); JwtHeader = jwt.Header; var messageType = jwt.Claims.SingleOrDefault(c => c.Type == Constants.LtiClaims.MessageType)?.Value; if (messageType.IsMissing()) { Error = $"{Constants.LtiClaims.MessageType} claim is missing."; return(Page()); } // Authentication Response Validation // See https://www.imsglobal.org/spec/security/v1p0/#authentication-response-validation // The ID Token MUST contain a nonce Claim. var nonce = jwt.Claims.SingleOrDefault(c => c.Type == "nonce")?.Value; if (string.IsNullOrEmpty(nonce)) { Error = "Nonce is missing from request."; return(Page()); } // If the launch was initiated with a 3rd party login, then there will be a state // entry for the nonce. var memorizedState = _stateContext.GetState(nonce); if (memorizedState == null) { Error = "Invalid nonce. Possible request replay."; return(Page()); } // The state should be echoed back by the AS without modification if (memorizedState.Value != state) { Error = "Invalid state."; return(Page()); } // Look for the platform with platformId in the redirect URI var platform = await _context.GetPlatformByPlatformId(platformId); if (platform == null) { Error = "Unknown platform."; return(Page()); } // Using the JwtSecurityTokenHandler.ValidateToken method, validate four things: // // 1. The Issuer Identifier for the Platform MUST exactly match the value of the iss // (Issuer) Claim (therefore the Tool MUST previously have been made aware of this // identifier. // 2. The Tool MUST Validate the signature of the ID Token according to JSON Web Signature // RFC 7515, Section 5; using the Public Key for the Platform which collected offline. // 3. The Tool MUST validate that the aud (audience) Claim contains its client_id value // registered as an audience with the Issuer identified by the iss (Issuer) Claim. The // aud (audience) Claim MAY contain an array with more than one element. The Tool MUST // reject the ID Token if it does not list the client_id as a valid audience, or if it // contains additional audiences not trusted by the Tool. // 4. The current time MUST be before the time represented by the exp Claim; RSAParameters rsaParameters; try { var httpClient = _httpClientFactory.CreateClient(); var keySetJson = await httpClient.GetStringAsync(platform.JwkSetUrl); var keySet = JsonConvert.DeserializeObject <JsonWebKeySet>(keySetJson); var key = keySet.Keys.SingleOrDefault(k => k.Kid == jwt.Header.Kid); if (key == null) { Error = "No matching key found."; return(Page()); } rsaParameters = new RSAParameters { Modulus = Base64UrlEncoder.DecodeBytes(key.N), Exponent = Base64UrlEncoder.DecodeBytes(key.E) }; } catch (Exception e) { Error = e.Message; return(Page()); } var validationParameters = new TokenValidationParameters { ValidateTokenReplay = true, ValidateAudience = true, ValidateIssuer = true, RequireSignedTokens = true, ValidateIssuerSigningKey = true, ValidAudience = platform.ClientId, ValidIssuer = platform.Issuer, IssuerSigningKey = new RsaSecurityKey(rsaParameters), ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(5.0) }; try { handler.ValidateToken(idToken, validationParameters, out _); } catch (Exception e) { Error = e.Message; return(Page()); } if (messageType == Constants.Lti.LtiDeepLinkingRequestMessageType) { return(Post("/Catalog", new { idToken })); } IdToken = idToken; LtiRequest = new LtiResourceLinkRequest(jwt.Payload); var tokenResponse = await _accessTokenService.GetAccessTokenAsync( LtiRequest.Iss, Constants.LtiScopes.Ags.LineItem); var lineItemClient = _httpClientFactory.CreateClient(); lineItemClient.SetBearerToken(tokenResponse.AccessToken); lineItemClient.DefaultRequestHeaders.Accept .Add(new MediaTypeWithQualityHeaderValue(Constants.MediaTypes.LineItem)); var resultsUrl = $"{LtiRequest.AssignmentGradeServices.LineItemUrl}/{Constants.ServiceEndpoints.Ags.ResultsService}"; var resultsResponse = await lineItemClient.GetAsync(resultsUrl); var resultsContent = await resultsResponse.Content.ReadAsStringAsync(); var results = JsonConvert.DeserializeObject <ResultContainer>(resultsContent); Results = results; var lineItemResponse = await lineItemClient.GetAsync(LtiRequest.AssignmentGradeServices.LineItemUrl); var lineItemContent = await lineItemResponse.Content.ReadAsStringAsync(); var lineItem = JsonConvert.DeserializeObject <LineItem>(lineItemContent); LineItem = lineItem; return(Page()); }
public static IServiceCollection AddInfrastructure(this IServiceCollection services, IConfiguration configuration) { services.AddDbContext <ApplicationDbContext>(options => options .UseLoggerFactory(MyLoggerFactory) .UseSqlServer(configuration.GetConnectionString("DefaultConnection"))); services.AddDefaultIdentity <ApplicationUser>() .AddRoles <ApplicationRole>() .AddEntityFrameworkStores <ApplicationDbContext>(); services.AddIdentityServer() .AddApiAuthorization <ApplicationUser, ApplicationDbContext>(); services.AddAuthentication() .AddIdentityServerJwt(); services.AddScoped <IRepository, AsyncRepository>(); services.AddScoped <IApplicationDbContext, ApplicationDbContext>(); services.AddScoped <IJwtService, JwtTokenFactory>(); services.AddScoped <IIdentityService, IdentityService>(); services.AddScoped <ApplicationDbContext>(); var authSettings = configuration.GetSection(nameof(AuthSettings)); var jwtAppSettingOptions = configuration.GetSection(nameof(JwtIssuerOptions)); var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(authSettings[nameof(AuthSettings.SecretKey)])); services.Configure <AuthSettings>(authSettings); services.Configure <JwtIssuerOptions>(options => { options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)]; options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)]; options.SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256); }); var tokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)], ValidateAudience = true, ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)], ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, RequireExpirationTime = false, ValidateLifetime = true, ClockSkew = TimeSpan.Zero }; services.Configure <JwtBearerOptions>(IdentityServerJwtConstants.IdentityServerJwtBearerScheme, configureOptions => { configureOptions.ClaimsIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)]; configureOptions.TokenValidationParameters = tokenValidationParameters; configureOptions.SaveToken = true; configureOptions.Events = new JwtBearerEvents { OnAuthenticationFailed = context => { if (context.Exception.GetType() == typeof(SecurityTokenExpiredException)) { context.Response.Headers.Add("Token-Expired", "true"); } return(Task.CompletedTask); }, OnMessageReceived = context => { if (context.Request.Path.Value.Contains("events")) { context.Request.Query.TryGetValue("access_token", out var queryTokenValues); var token = queryTokenValues.FirstOrDefault(); var test = token?.Split(' '); var bearer = test?.LastOrDefault(); context.Token = bearer; } return(Task.CompletedTask); } }; });
//[Authorize("Bearer")] public ActionResult RefreshToken([FromBody] RefreshTokenData refresh) { var re = Request; var headers = re.Headers; string original = null; if (headers.ContainsKey("Authorization")) { original = headers["Authorization"].ToString().Replace("Bearer ", ""); } if (string.IsNullOrEmpty(original)) { return(Unauthorized()); // new { authenticated = false }); } if (refresh.grant_type != "refresh_token") { return(Unauthorized());//new { authenticated = false }; } var handler = new JwtSecurityTokenHandler(); var validationParametersRefresh = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = _tokenOptions.Issuer, ValidateAudience = true, ValidAudience = _tokenOptions.Audience, ValidateIssuerSigningKey = true, IssuerSigningKey = _tokenOptions.Key, ValidateLifetime = true }; var validationParametersOriginal = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = _tokenOptions.Issuer, ValidateAudience = true, ValidAudience = _tokenOptions.Audience, ValidateIssuerSigningKey = true, IssuerSigningKey = _tokenOptions.Key, ValidateLifetime = false }; ClaimsPrincipal principalOriginal = null; try { principalOriginal = handler.ValidateToken(original, validationParametersOriginal, out var tokiOriginal); handler.ValidateToken(original, validationParametersRefresh, out _); } catch { return(Unauthorized()); // new {authenticated = false}; } var ime = principalOriginal.Claims.First(c => c.Type == "Ime"); var prezime = principalOriginal.Claims.First(c => c.Type == "Prezime"); var username = principalOriginal.Claims.First(c => c.Type == ClaimTypes.Name); var email = principalOriginal.Claims.First(c => c.Type == ClaimTypes.Email); var userid = principalOriginal.Claims.First(c => c.Type == ClaimTypes.NameIdentifier); var subj = new ClaimsIdentity(); var user = _userManager.KorisnikPostoji(username.Value); if (user == null) { return(Unauthorized()); //new { authenticated = false }; } //var roles = user.Claims.Where(c => c.ClaimType == ClaimTypes.Role).ToList(); var roles = user.Uloge; subj.AddClaim(new Claim("Ime", ime.Value)); subj.AddClaim(new Claim("Prezime", prezime.Value)); subj.AddClaim(new Claim(ClaimTypes.Email, email.Value)); subj.AddClaim(new Claim(ClaimTypes.Name, username.Value)); subj.AddClaim(new Claim(JwtRegisteredClaimNames.UniqueName, username.Value)); subj.AddClaim(new Claim(ClaimTypes.NameIdentifier, userid.Value)); subj.AddClaim(new Claim("Jezik", user.Lang)); subj.AddClaims(roles.Select(r => new Claim(ClaimTypes.Role, r))); //var expires = DateTime.UtcNow.AddHours(_satiT); var expires = DateTime.UtcNow.AddMinutes(_minT); var accessToken = GetToken(username.Value, expires, subj); //expires = DateTime.UtcNow.AddHours(_satiRT); expires = DateTime.UtcNow.AddMinutes(_minRT); var refreshToken = GetRefreshToken(username.Value, expires); var query = _session.CreateSQLQuery("exec LogKorisnika :username, :akcija"); query.SetParameter("username", username.Value, NHibernateUtil.String); query.SetParameter("akcija", "Refresh", NHibernateUtil.String); query.ExecuteUpdate(); return(Ok(new { authenticated = true, userId = userid.Value, access_token = accessToken, refresh_token = refreshToken })); }
public void ConfigureServices(IServiceCollection s) { s.AddSwaggerGen(c => { c.SwaggerDoc("v1", new Info { Title = "Shop API", Version = "v1" }); c.AddSecurityDefinition("JWT", new OAuth2Scheme()); }); s.AddIdentity <AppUser, IdentityRole> (o => { // configure identity options o.Password.RequireDigit = false; o.Password.RequireLowercase = false; o.Password.RequireUppercase = false; o.Password.RequireNonAlphanumeric = false; o.Password.RequiredLength = 6; }) .AddEntityFrameworkStores <ShopIdentityDbContext>() .AddDefaultTokenProviders(); s.AddAutoMapper(); // api user claim policy s.AddAuthorization(options => { options.AddPolicy(Constants.Strings.AccessPolicy.ApiUser, policy => policy.RequireClaim(Constants.Strings.JwtClaimIdentifiers.Rol, Constants.Strings.JwtClaims.ApiAccess)); }); var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions)); // s.Configure<JwtIssuerOptions>(options => jwtAppSettingOptions.Bind(options)); s.Configure <JwtIssuerOptions>(options => { options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)]; options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)]; options.SigningCredentials = new SigningCredentials(CompositionRoot.SigningKey, SecurityAlgorithms.HmacSha256); }); var tokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)], ValidateAudience = true, ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)], ValidateIssuerSigningKey = true, IssuerSigningKey = CompositionRoot.SigningKey, RequireExpirationTime = false, ValidateLifetime = false, ClockSkew = TimeSpan.Zero }; s.AddAuthentication(options => { options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(o => { o.TokenValidationParameters = tokenValidationParameters; o.Events = new JwtBearerEvents() { OnAuthenticationFailed = c => { c.NoResult(); c.Response.StatusCode = 500; c.Response.ContentType = "text/plain"; if (Environment.IsDevelopment()) { // Debug only, in production do not share exceptions with the remote host. return(c.Response.WriteAsync(c.Exception.ToString())); } return(c.Response.WriteAsync("An error occurred processing your authentication.")); } }; }); }
public static void TokenAuthorize(this IServiceCollection services, SiteSetting siteSetting) { services.AddAuthentication(options => { options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(options => { var securityKey = Encoding.UTF8.GetBytes(siteSetting.JwtSetting.SecretKey); var encriptKey = Encoding.UTF8.GetBytes(siteSetting.JwtSetting.Encryptkey); var ValidatePrameters = new TokenValidationParameters { //Tlorance for Expire Time and Befor Time of Token . ClockSkew = TimeSpan.Zero, RequireSignedTokens = true, ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(securityKey), // I Need Check Expire Token or Not RequireExpirationTime = true, ValidateLifetime = true, ValidateAudience = true, ValidAudience = siteSetting.JwtSetting.Audience, ValidateIssuer = true, ValidIssuer = siteSetting.JwtSetting.Issuer, TokenDecryptionKey = new SymmetricSecurityKey(encriptKey) }; options.SaveToken = true; options.RequireHttpsMetadata = false; options.TokenValidationParameters = ValidatePrameters; options.Events = new JwtBearerEvents { // Fail Authorize OnAuthenticationFailed = context => { if (context.Exception != null) { throw new FilmstanUnAuthourizeException("No Access"); } return(Task.CompletedTask); }, OnTokenValidated = async context => { var domainUnitofWork = context.HttpContext.RequestServices.GetRequiredService <IDomainUnitOfWork>(); var claimsIdentity = context.Principal.Identity as ClaimsIdentity; var securityStamp = claimsIdentity.FindAll(new ClaimsIdentityOptions().SecurityStampClaimType).ToList(); var userSecurityInfo = await domainUnitofWork.UsersRepository.GetUserTokenInfo(Guid.Parse(claimsIdentity.GetUserId())); if (claimsIdentity.Claims.Any() != true) { context.Fail("Token Has No Claim"); } if (securityStamp == null) { throw new FilmstanUnAuthourizeException("No securityStamp"); } if (userSecurityInfo.Result.IsActive == false) { throw new FilmstanUnAuthourizeException("User not Active"); } if (userSecurityInfo.Result.UserSecurityStamp != Guid.Parse(securityStamp[0].Value)) { throw new FilmstanUnAuthourizeException("User Security Stamp Invalid"); } if (userSecurityInfo.Result.RoleSecurityStamp != Guid.Parse(securityStamp[1].Value)) { throw new FilmstanUnAuthourizeException("Role Security Stamp Invalid"); } }, // when Server Recived the Token haven't Token OnChallenge = context => { if (context.AuthenticateFailure != null) { throw new FilmstanUnAuthourizeException("AuthenticateFailure"); } return(Task.CompletedTask); } }; }); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { // Get options from app settings services.AddOptions(); ConfigureCustomOptions(services); var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions)); _key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration["SecretKey"])); // Configure JwtIssuerOptions services.Configure <JwtIssuerOptions>(options => { options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)]; options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)]; options.SigningCredentials = new SigningCredentials(_key, SecurityAlgorithms.HmacSha256); }); var tokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)], ValidateAudience = true, ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)], ValidateIssuerSigningKey = true, IssuerSigningKey = _key, RequireExpirationTime = false, ValidateLifetime = false, ClockSkew = TimeSpan.Zero }; services.AddAuthentication(options => { options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(options => { options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)]; options.RequireHttpsMetadata = false; options.ClaimsIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)]; options.TokenValidationParameters = tokenValidationParameters; }); services.AddAuthorization(options => { options.AddPolicy("AppUser", policy => policy.RequireClaim("Organizatie", "Ong")); }); services.AddApplicationInsightsTelemetry(Configuration); services.AddMvc(config => { var policy = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .Build(); config.Filters.Add(new AuthorizeFilter(policy)); }); services.AddSwaggerGen(options => { options.SwaggerDoc("v1", new Info { Version = "v1", Title = "Monitorizare Vot - API privat", Description = "API care ofera suport aplicatiilor folosite de observatori.", TermsOfService = "TBD", Contact = new Contact { Email = "*****@*****.**", Name = "Code for Romania", Url = "http://monitorizarevot.ro" }, }); options.AddSecurityDefinition("bearer", new ApiKeyScheme() { Name = "Authorization", In = "header", Type = "apiKey" }); options.AddSecurityRequirement(new Dictionary <string, IEnumerable <string> > { { "bearer", new[] { "readAccess", "writeAccess" } } }); options.OperationFilter <AddFileUploadParams>(); var path = PlatformServices.Default.Application.ApplicationBasePath + System.IO.Path.DirectorySeparatorChar + "VotingIrregularities.Api.xml"; if (System.IO.File.Exists(path)) { options.IncludeXmlComments(path); } }); services.UseSimpleInjectorAspNetRequestScoping(_container); ConfigureContainer(services); ConfigureCache(services); }
public AuthController(UserManager <ApplicationUser> _userManager, RoleManager <MongoRole> _roleManager, IConfiguration _configuration, IMongoDatabaseSettings _settings, TokenValidationParameters _tokenValidationParams) { userManager = _userManager; roleManager = _roleManager; configuration = _configuration; settings = _settings; tokenValidationParams = _tokenValidationParams; }
public bool LifetimeValidator(DateTime?notBefore, DateTime?expires, SecurityToken securityToken, TokenValidationParameters validationParameters) { if (expires != null) { if (DateTime.UtcNow < expires) { return(true); } } return(false); }
public long? ValidateToken(string accessToken) { var handler = new JwtSecurityTokenHandler(); if (!handler.CanValidateToken) return null; var signedCredentials = this.options.SigningCredentials ?? TokenProvider.DefaultSigningCredentials(); var validationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = this.options.Issuer, ValidateAudience = true, ValidAudience = this.options.Audience, ValidateLifetime = true, IssuerSigningKey = signedCredentials.Key }; long? result = null; try { SecurityToken validatedToken; var claimsPrincipal = handler.ValidateToken(accessToken, validationParameters, out validatedToken); foreach (var claim in claimsPrincipal.Claims) { if (claim.Type != "id") continue; long id; if (long.TryParse(claim.Value, out id)) result = id; break; } } catch(Exception e) { InColUn.Logger.Instance.Log(InColUn.LogLevel.Exception, string.Format("Token validation exception for: {0}", accessToken), e); } return result; }
private static void ConfigureJwtAuthentication(IServiceCollection services, TenantsBuilder tenantsBuilder, IConfiguration configuration) { var authenticationBuilder = services.AddAuthentication(); JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); string[] requiredScopesSplit = null; string requiredScopes = configuration["Identity:Jwt:RequiredScopes"]; if (!string.IsNullOrEmpty(requiredScopes)) { requiredScopesSplit = requiredScopes.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries); if (requiredScopesSplit.Length == 0) { requiredScopesSplit = null; } } if (tenantsBuilder == null) { string defaultClientAuthority = configuration[$"Identity:DefaultClient:Authority"]; if (string.IsNullOrEmpty(defaultClientAuthority)) { throw new Exception("Identity default client authority string is empty"); } string defaultClientAudience = configuration[$"Identity:DefaultClient:Audience"]; if (string.IsNullOrEmpty(defaultClientAudience)) { throw new Exception("Identity default client audience string is empty"); } authenticationBuilder.AddJwtBearer(IdentityCoreConstants.JwtScheme, jwt => { jwt.RequireHttpsMetadata = true; jwt.Authority = defaultClientAuthority; jwt.Audience = defaultClientAudience; jwt.TokenValidationParameters = new TokenValidationParameters() { ClockSkew = TimeSpan.FromMinutes(5), RequireSignedTokens = true, RequireExpirationTime = true, ValidateLifetime = true, // audience validation will be done via scope, as recommended in // https://github.com/IdentityServer/IdentityServer4/issues/127 ValidateAudience = false, ValidateIssuer = true, ValidIssuer = defaultClientAuthority }; }); services.AddAuthorization(options => { options.AddPolicy(IdentityCoreConstants.JwtPolicy, policy => { policy.AuthenticationSchemes.Add(IdentityCoreConstants.JwtScheme); if (requiredScopesSplit != null) { policy.RequireAssertion(handler => { return(CheckScopes(handler.User, requiredScopesSplit)); }); } policy.RequireAuthenticatedUser(); }); }); } else { authenticationBuilder.AddJwtBearer(IdentityCoreConstants.JwtScheme, jwt => { jwt.RequireHttpsMetadata = true; }); tenantsBuilder.WithPerTenantOptions <JwtBearerOptions>((jwt, tenantInfo) => { jwt.Authority = tenantInfo.DeveloperAuthority; jwt.Audience = tenantInfo.DeveloperAudience; var tokenValidationParameters = new TokenValidationParameters() { ClockSkew = TimeSpan.FromMinutes(5), RequireSignedTokens = true, RequireExpirationTime = true, ValidateLifetime = true, // audience validation will be done via scope, as recommended in // https://github.com/IdentityServer/IdentityServer4/issues/127 ValidateAudience = false, ValidateIssuer = true, ValidIssuer = tenantInfo.DeveloperAuthority }; if (tenantInfo.DeveloperCertificate != null) { // if we cannot resolve it from some discovery endpoint tokenValidationParameters.IssuerSigningKey = new X509SecurityKey(tenantInfo.DeveloperCertificate); } jwt.TokenValidationParameters = tokenValidationParameters; }); ConfigureExternalAuthenticationServices(authenticationBuilder, tenantsBuilder, configuration); services.AddAuthorization(options => { options.AddPolicy(IdentityCoreConstants.JwtPolicy, policy => { policy.AuthenticationSchemes.Add(IdentityCoreConstants.JwtScheme); policy.Requirements.Add(new ClientDeveloperUuidRequirement()); if (requiredScopesSplit != null) { policy.RequireAssertion(handler => { return(CheckScopes(handler.User, requiredScopesSplit)); }); } policy.RequireAuthenticatedUser(); }); }); services.AddSingleton <IAuthorizationHandler, ClientDeveloperUuidRequirementHandler>(); } }
public override ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { return(base.ValidateToken(securityToken, validationParameters, out validatedToken)); }
private static IConveyBuilder AddJwt(this IConveyBuilder builder, JwtOptions options) { if (!builder.TryRegister(RegistryName)) { return(builder); } builder.Services.AddSingleton(options); builder.Services.AddSingleton <IJwtHandler, JwtHandler>(); builder.Services.AddSingleton <IAccessTokenService, InMemoryAccessTokenService>(); builder.Services.AddTransient <AccessTokenValidatorMiddleware>(); var tokenValidationParameters = new TokenValidationParameters { RequireAudience = options.RequireAudience, ValidIssuer = options.ValidIssuer, ValidIssuers = options.ValidIssuers, ValidateActor = options.ValidateActor, ValidAudience = options.ValidAudience, ValidAudiences = options.ValidAudiences, ValidateAudience = options.ValidateAudience, ValidateIssuer = options.ValidateIssuer, ValidateLifetime = options.ValidateLifetime, ValidateTokenReplay = options.ValidateTokenReplay, ValidateIssuerSigningKey = options.ValidateIssuerSigningKey, SaveSigninToken = options.SaveSigninToken, RequireExpirationTime = options.RequireExpirationTime, RequireSignedTokens = options.RequireSignedTokens, ClockSkew = TimeSpan.Zero }; if (!string.IsNullOrWhiteSpace(options.AuthenticationType)) { tokenValidationParameters.AuthenticationType = options.AuthenticationType; } if (!string.IsNullOrWhiteSpace(options.IssuerSigningKey)) { tokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey( Encoding.UTF8.GetBytes(options.IssuerSigningKey)); } if (!string.IsNullOrWhiteSpace(options.NameClaimType)) { tokenValidationParameters.NameClaimType = options.NameClaimType; } if (!string.IsNullOrWhiteSpace(options.RoleClaimType)) { tokenValidationParameters.RoleClaimType = options.RoleClaimType; } builder.Services.AddSingleton(tokenValidationParameters); builder.Services .AddAuthentication(o => { o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(o => { o.Authority = options.Authority; o.Audience = options.Audience; o.MetadataAddress = options.MetadataAddress; o.SaveToken = options.SaveToken; o.RefreshOnIssuerKeyNotFound = options.RefreshOnIssuerKeyNotFound; o.RequireHttpsMetadata = options.RequireHttpsMetadata; o.IncludeErrorDetails = options.IncludeErrorDetails; o.TokenValidationParameters = tokenValidationParameters; if (!string.IsNullOrWhiteSpace(options.Challenge)) { o.Challenge = options.Challenge; } }); return(builder); }
public void ValidateAudiencePublic(JwtSecurityToken jwt, TokenValidationParameters validationParameters) { base.ValidateAudience(jwt.Audiences, jwt, validationParameters); }
public void ConfigureServices(IServiceCollection services) { #region Serilog /*这里配置的意思是:全局最低记录日志级别是Debug,但是针对以Microsoft开头的命名空间的最低级别是Information。 * * 使用Enruch.FromLogContext()可以让程序在执行上下文时动态添加或移除属性(这个需要看文档)。 * * 按日生成记录文件,日志文件名后会带着日期,并放到./logs目录下*/ Log.Logger = new LoggerConfiguration() .MinimumLevel.Debug() .MinimumLevel.Override("Microsoft", LogEventLevel.Information) .Enrich.FromLogContext() .WriteTo.Console() .WriteTo.File(Path.Combine("logs", @"log.txt"), rollingInterval: RollingInterval.Day) .CreateLogger(); #endregion #region Swagger services.AddSwaggerGen(c => { c.SwaggerDoc("v1", new Info { Title = "约", Version = "v1", Description = "海贼王", Contact = new Contact { Name = "醉人", Email = "*****@*****.**", Url = "https://www.zuiren.xyz" } }); #region API 文档说明 var basePath = Path.GetDirectoryName(AppContext.BaseDirectory); var apiPath = Path.Combine(basePath, "Team.xml"); c.IncludeXmlComments(apiPath, true); var modelPath = Path.Combine(basePath, "Team.Model.xml"); c.IncludeXmlComments(modelPath, true); #endregion #region Token 绑定的 ConfigureService var security = new Dictionary <string, IEnumerable <string> > { { "Team", new string[] { } }, }; c.AddSecurityRequirement(security); c.AddSecurityDefinition("Team", new ApiKeyScheme { Description = "JWT授权 (数据在请求中进行传输) 直接在下框中输入Bearer {token} (注意两者之间是一个空格)\"", Name = "Authorization", //jwt默认授权的参数名称 In = "header", //jwt默认存放在authorization的信息的位置(请求头) Type = "apiKey" }); #endregion }); #endregion #region SQL链接 services.AddDbContext <MyContext>(options => { options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")); }); #endregion #region Policy services.AddSingleton <IMemoryCache>(factory => { var cache = new MemoryCache(new MemoryCacheOptions()); return(cache); }); services.AddAuthorization(options => { options.AddPolicy("Client", policy => policy.RequireRole("Client").Build());//.Build() options.AddPolicy("Captain", policy => policy.RequireRole("Captain").Build()); options.AddPolicy("Admin", policy => policy.RequireRole("Admin").Build()); options.AddPolicy("SuperAdministrator", policy => policy.RequireRole("SuperAdministrator").Build()); options.AddPolicy("ClientOrCaptain", policy => policy.RequireRole("Captain", "Client")); }); #endregion #region 认证 //上边用到的 tokenValidationParameters //读取配置文件 var audienceConfig = Configuration.GetSection("Audience"); var symmetricKeyAsBase64 = audienceConfig["Secret"]; var KeyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64); var signingKey = new SymmetricSecurityKey(KeyByteArray); //令牌验证参数 var tokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, //还是从 appsettings.json 拿到的 ValidateIssuer = true, ValidIssuer = audienceConfig["Issuer"], //发行人 ValidateAudience = true, ValidAudience = audienceConfig["Audience"], //订阅人 ValidateLifetime = true, //其实和之前的方法是一样的,只不过请注意 ClockSkew 属性,默认是5分钟缓冲。 //总的Token有效时间 = JwtRegisteredClaimNames.Exp + ClockSkew ; ClockSkew = TimeSpan.Zero, RequireExpirationTime = true }; services.AddAuthentication(x => { x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(o => { o.TokenValidationParameters = tokenValidationParameters; }); #endregion #region FluentValidation services.AddTransient <IValidator <UserUpdateMap>, UserUpdateValidator>(); services.AddTransient <IValidator <UserRegisteredMap>, UserRegisteredValidator>(); services.AddTransient <IValidator <UserLoginMap>, UserLoginValidator>(); services.AddTransient <IValidator <TeamCreateMap>, TeamCreateValidator>(); services.AddTransient <IValidator <RunRecordMap>, RunRecordValidator>(); #endregion #region 接口生命周期 services.AddScoped <IJwtHelper, JwtHelper>(); services.AddScoped <IUnitOfWork, UnitOfWork>(); services.AddScoped <IUserRepository, UserRepository>(); services.AddScoped <ITeamBall, TeamBall>(); services.AddScoped <IRunRepository, RunRepository>(); services.AddScoped <IImagesResource, ImagesResource>(); services.AddScoped <IRunTeamResource, RunTeamResource>(); services.AddScoped <ILatitudeAndLongitudeResource, LatitudeAndLongitudeResource>(); services.AddScoped <IListResource, ListResource>(); services.AddScoped <IParentResource, ParentResource>(); #endregion services.AddAutoMapper(); services.AddTimedJob(); #region 将Json.NET配置为忽略它在对象图中找到的循环 services.AddMvc() .AddJsonOptions( options => options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore ); #endregion services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2).AddFluentValidation().AddJsonOptions( options => options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore); }
public void ValidateLifetimePublic(JwtSecurityToken jwt, TokenValidationParameters validationParameters) { base.ValidateLifetime(DateTime.UtcNow, DateTime.UtcNow, jwt, validationParameters); }
public void ConfigureServices(IServiceCollection services) { // Registra o contexto do banco BootStrapper.RegisterDbContext(Configuration, services); BootStrapper.Register(services); BootStrapper.RegisterIdentity(Configuration, services); // Configura o mapeamento var mapper = AutoMapperConfig.RegisterMappings(); BootStrapper.RegisterMappings(services, mapper); // Register the Swagger generator, defining 1 or more Swagger documents //services.AddSwaggerGen(c => //{ // c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "V1" }); //}); services.AddSwaggerGen( swagger => { swagger.SwaggerDoc("v1", new Info { Title = "Sistema de Login de Usuários com JWT", Version = "v1", Description = "Projeto desenvolvido em aula - COTI Informática" }); swagger.OperationFilter <HeaderParameter>(); } ); IdentityBuilder builder = services.AddIdentityCore <User>(options => { options.Password.RequireDigit = false; options.Password.RequireLowercase = false; options.Password.RequireNonAlphanumeric = false; options.Password.RequireUppercase = false; options.Password.RequiredLength = 4; } ); builder = new IdentityBuilder(builder.UserType, typeof(Role), builder.Services); builder.AddEntityFrameworkStores <ApplicationDbContext>(); builder.AddRoleManager <RoleManager <Role> >(); builder.AddRoleValidator <RoleValidator <Role> >(); builder.AddSignInManager <SignInManager <User> >(); services .AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { var key = Encoding.UTF8.GetBytes(Configuration.GetSection("AppSettings:Token").Value); var tokenValidationParameters = new TokenValidationParameters(); tokenValidationParameters.ValidateIssuerSigningKey = true; tokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(key); tokenValidationParameters.ValidateIssuer = false; tokenValidationParameters.ValidateAudience = false; options.TokenValidationParameters = tokenValidationParameters; } ); //Comentei essa parte para validar o CRUD da APIs, fique a vontade. services .AddMvc(options => { var policy = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .Build(); options.Filters.Add(new AuthorizeFilter(policy)); } ) .SetCompatibilityVersion(CompatibilityVersion.Version_2_2) .AddJsonOptions(options => { //Set date configurations options .SerializerSettings .DateTimeZoneHandling = DateTimeZoneHandling.Local; options .SerializerSettings .ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore; } ); services.AddCors(); services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2); }
public IdentityService(UserManager <IdentityUser> userManager, JwtSettings jwtSettings, TokenValidationParameters tokenValidationParameters, DataContext context, IFacebookAuthService facebookAuthService) { _userManager = userManager; _jwtSettings = jwtSettings; _tokenValidationParameters = tokenValidationParameters; _context = context; _facebookAuthService = facebookAuthService; }
// This method gets called by the runtime. Use this method to add services to the container. // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940 public void ConfigureServices(IServiceCollection services) { services.AddControllers(); services.AddSwaggerGen(c => { c.SwaggerDoc("v1", new OpenApiInfo { Version = "v1", Title = "Cart Microservice", Description = "API Documentation", //Contact = new OpenApiContact() { // Name = "Dheeraj Vyas", // Email = "*****@*****.**", // Url = new System.Uri("https://github.com/sebamed") // }, // License = new OpenApiLicense { // Name = "MIT", // Url = new System.Uri("https://opensource.org/licenses/MIT") //}, }); c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme { In = ParameterLocation.Header, Description = "Please insert JWT with Bearer into field", Name = "Authorization", Type = SecuritySchemeType.ApiKey }); c.AddSecurityRequirement(new OpenApiSecurityRequirement { { new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" } }, new string[] { } } }); }); //Security var audienceConfig = Configuration.GetSection("Audience"); var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(audienceConfig["Secret"])); var tokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, ValidateIssuer = true, ValidIssuer = audienceConfig["Iss"], ValidateAudience = true, ValidAudience = audienceConfig["Aud"], ValidateLifetime = true, ClockSkew = TimeSpan.Zero, RequireExpirationTime = true, }; services .AddAuthentication(x => { x.DefaultAuthenticateScheme = audienceConfig["Secret"]; x.DefaultChallengeScheme = audienceConfig["Secret"]; }) .AddJwtBearer(audienceConfig["Secret"], x => { x.RequireHttpsMetadata = false; x.TokenValidationParameters = tokenValidationParameters; }); services.AddSingleton <ICartService, CartService>(); }
public void WithIssuerKeyValidationShouldValidateInput3(TokenValidationParameters options, IEnumerable <SecurityKey> securityKeys) { Assert.Throws <ArgumentNullException>(() => options.WithIssuerKeyValidation(securityKeys)); }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, SagaBus sagaBus, IOptions<OAuth20Configuration> oauthOptions) { loggerFactory.AddConsole(Configuration.GetSection("Logging")); loggerFactory.AddDebug(); app.UseApplicationInsightsRequestTelemetry(); if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); app.UseBrowserLink(); } else { app.UseExceptionHandler("/Home/Error"); } app.UseApplicationInsightsExceptionTelemetry(); app.UseStaticFiles(); app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Obsidian.Cookie", AutomaticChallenge = false, AutomaticAuthenticate = false }); var oauthConfig = oauthOptions.Value; var key = oauthConfig.TokenSigningKey; var signingKey = new SymmetricSecurityKey(Encoding.Unicode.GetBytes(key)); var param = new TokenValidationParameters { AuthenticationType = "Bearer", ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, ValidateIssuer = true, ValidIssuer = oauthConfig.TokenIssuer, ValidAudience = oauthConfig.TokenAudience }; app.UseJwtBearerAuthentication(new JwtBearerOptions { TokenValidationParameters = param, AutomaticAuthenticate = false, AutomaticChallenge = false }); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); }); MappingConfig.ConfigureQueryModelMapping(); sagaBus.RegisterSagas(); }
public void WithAudienceValidationShouldValidateInput1(TokenValidationParameters options, string validAudience) { Assert.Throws <ArgumentNullException>(() => options.WithAudienceValidation(validAudience)); }
internal static Lazy<OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) { return new Lazy<OAuthBearerAuthenticationOptions>(() => { JwtFormat tokenFormat = null; // use static configuration if (!string.IsNullOrWhiteSpace(options.IssuerName) && options.SigningCertificate != null) { var audience = options.IssuerName.EnsureTrailingSlash(); audience += "resources"; var valParams = new TokenValidationParameters { ValidIssuer = options.IssuerName, ValidAudience = audience, IssuerSigningToken = new X509SecurityToken(options.SigningCertificate), NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, }; tokenFormat = new JwtFormat(valParams); } else { // use discovery endpoint if (string.IsNullOrWhiteSpace(options.Authority)) { throw new Exception("Either set IssuerName and SigningCertificate - or Authority"); } var discoveryEndpoint = options.Authority.EnsureTrailingSlash(); discoveryEndpoint += ".well-known/openid-configuration"; var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider( discoveryEndpoint, options, loggerFactory); var valParams = new TokenValidationParameters { ValidAudience = issuerProvider.Audience, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType }; tokenFormat = new JwtFormat(valParams, issuerProvider); } var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = tokenFormat, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType, Provider = new ContextTokenProvider(options.TokenProvider) }; return bearerOptions; }, true); }
protected override void ValidateAudience(IEnumerable <string> audiences, JwtSecurityToken jwt, TokenValidationParameters validationParameters) { DerivedJwtSecurityToken derivedJwt = jwt as DerivedJwtSecurityToken; Assert.NotNull(derivedJwt); ValidateAudienceCalled = true; base.ValidateAudience(audiences, jwt, validationParameters); }
// This method gets called by the runtime. Use this method to add services to the container. public IServiceProvider ConfigureServices(IServiceCollection services) { #region 部分服务注入-netcore自带方法 //缓存注入 services.AddScoped <ICaching, MemoryCaching>(); services.AddSingleton <IMemoryCache>(factory => { var cache = new MemoryCache(new MemoryCacheOptions()); return(cache); }); //Redis注入 services.AddScoped <IRedisCacheManager, RedisCacheManager>(); //log日志注入 services.AddSingleton <ILoggerHelper, LogHelper>(); #endregion #region 初始化DB services.AddScoped <Blog.Core.Model.Models.DBSeed>(); services.AddScoped <Blog.Core.Model.Models.MyContext>(); #endregion #region Automapper services.AddAutoMapper(typeof(Startup)); #endregion #region CORS //跨域第二种方法,声明策略,记得下边app中配置 services.AddCors(c => { //↓↓↓↓↓↓↓注意正式环境不要使用这种全开放的处理↓↓↓↓↓↓↓↓↓↓ c.AddPolicy("AllRequests", policy => { policy .AllowAnyOrigin() //允许任何源 .AllowAnyMethod() //允许任何方式 .AllowAnyHeader() //允许任何头 .AllowCredentials(); //允许cookie }); //↑↑↑↑↑↑↑注意正式环境不要使用这种全开放的处理↑↑↑↑↑↑↑↑↑↑ //一般采用这种方法 c.AddPolicy("LimitRequests", policy => { policy .WithOrigins("http://127.0.0.1:1818", "http://*****:*****@xxx.com", Url = "https://www.jianshu.com/u/94102b59cc2a" } //}); //遍历出全部的版本,做文档信息展示 typeof(ApiVersions).GetEnumNames().ToList().ForEach(version => { c.SwaggerDoc(version, new Info { // {ApiName} 定义成全局变量,方便修改 Version = version, Title = $"{ApiName} 接口文档", Description = $"{ApiName} HTTP API " + version, TermsOfService = "None", Contact = new Contact { Name = "Blog.Core", Email = "*****@*****.**", Url = "https://www.jianshu.com/u/94102b59cc2a" } }); // 按相对路径排序,作者:Alby c.OrderActionsBy(o => o.RelativePath); }); //就是这里 var xmlPath = Path.Combine(basePath, "Blog.Core.xml"); //这个就是刚刚配置的xml文件名 c.IncludeXmlComments(xmlPath, true); //默认的第二个参数是false,这个是controller的注释,记得修改 var xmlModelPath = Path.Combine(basePath, "Blog.Core.Model.xml"); //这个就是Model层的xml文件名 c.IncludeXmlComments(xmlModelPath); #region Token绑定到ConfigureServices //添加header验证信息 //c.OperationFilter<SwaggerHeader>(); // 发行人 var IssuerName = (Configuration.GetSection("Audience"))["Issuer"]; var security = new Dictionary <string, IEnumerable <string> > { { IssuerName, new string[] { } }, }; c.AddSecurityRequirement(security); //方案名称“Blog.Core”可自定义,上下一致即可 c.AddSecurityDefinition(IssuerName, new ApiKeyScheme { Description = "JWT授权(数据将在请求头中进行传输) 直接在下框中输入Bearer {token}(注意两者之间是一个空格)\"", Name = "Authorization", //jwt默认的参数名称 In = "header", //jwt默认存放Authorization信息的位置(请求头中) Type = "apiKey" }); #endregion }); #endregion #region MVC //注入全局异常捕获 services.AddMvc(o => { o.Filters.Add(typeof(GlobalExceptionsFilter)); }).SetCompatibilityVersion(CompatibilityVersion.Version_2_2); #endregion #region JWT Token Service //读取配置文件 var audienceConfig = Configuration.GetSection("Audience"); var symmetricKeyAsBase64 = audienceConfig["Secret"]; var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64); var signingKey = new SymmetricSecurityKey(keyByteArray); // 令牌验证参数 var tokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, ValidateIssuer = true, ValidIssuer = audienceConfig["Issuer"], //发行人 ValidateAudience = true, ValidAudience = audienceConfig["Audience"], //订阅人 ValidateLifetime = true, ClockSkew = TimeSpan.Zero, RequireExpirationTime = true, }; var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256); // 注意使用RESTful风格的接口会更好,因为只需要写一个Url即可,比如:/api/values 代表了Get Post Put Delete等多个。 // 如果想写死,可以直接在这里写。 //var permission = new List<Permission> { // new Permission { Url="/api/values", Role="Admin"}, // new Permission { Url="/api/values", Role="System"}, // new Permission { Url="/api/claims", Role="Admin"}, // }; // 如果要数据库动态绑定,这里先留个空,后边处理器里动态赋值 var permission = new List <PermissionItem>(); // 角色与接口的权限要求参数 var permissionRequirement = new PermissionRequirement( "/api/denied", // 拒绝授权的跳转地址(目前无用) permission, ClaimTypes.Role, //基于角色的授权 audienceConfig["Issuer"], //发行人 audienceConfig["Audience"], //听众 signingCredentials, //签名凭据 expiration: TimeSpan.FromSeconds(60 * 10) //接口的过期时间 ); services.AddAuthorization(options => { options.AddPolicy("Client", policy => policy.RequireRole("Client").Build()); options.AddPolicy("Admin", policy => policy.RequireRole("Admin").Build()); options.AddPolicy("SystemOrAdmin", policy => policy.RequireRole("Admin", "System")); // 自定义权限要求 options.AddPolicy("Permission", policy => policy.Requirements.Add(permissionRequirement)); }) .AddAuthentication(x => { x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(o => { o.TokenValidationParameters = tokenValidationParameters; o.Events = new JwtBearerEvents { OnAuthenticationFailed = context => { // 如果过期,则把<是否过期>添加到,返回头信息中 if (context.Exception.GetType() == typeof(SecurityTokenExpiredException)) { context.Response.Headers.Add("Token-Expired", "true"); } return(Task.CompletedTask); } }; }); services.AddSingleton <IAuthorizationHandler, PermissionHandler>(); services.AddSingleton(permissionRequirement); #endregion #region AutoFac //实例化 AutoFac 容器 var builder = new ContainerBuilder(); //注册要通过反射创建的组件 //builder.RegisterType<AdvertisementServices>().As<IAdvertisementServices>(); builder.RegisterType <BlogCacheAOP>(); //可以直接替换其他拦截器 builder.RegisterType <BlogLogAOP>(); //这样可以注入第二个 // ※※★※※ 如果你是第一次下载项目,请先F6编译,然后再F5执行,※※★※※ #region Service.dll 注入,有对应接口 //获取项目绝对路径,请注意,这个是实现类的dll文件,不是接口 IService.dll ,注入容器当然是Activatore var servicesDllFile = Path.Combine(basePath, "Blog.Core.Services.dll"); var assemblysServices = Assembly.LoadFile(servicesDllFile);//直接采用加载文件的方法 //builder.RegisterAssemblyTypes(assemblysServices).AsImplementedInterfaces();//指定已扫描程序集中的类型注册为提供所有其实现的接口。 builder.RegisterAssemblyTypes(assemblysServices) .AsImplementedInterfaces() .InstancePerLifetimeScope() .EnableInterfaceInterceptors() //引用Autofac.Extras.DynamicProxy; // 如果你想注入两个,就这么写 InterceptedBy(typeof(BlogCacheAOP), typeof(BlogLogAOP)); .InterceptedBy(typeof(BlogCacheAOP), typeof(BlogLogAOP)); //允许将拦截器服务的列表分配给注册。 #endregion #region Repository.dll 注入,有对应接口 var repositoryDllFile = Path.Combine(basePath, "Blog.Core.Repository.dll"); var assemblysRepository = Assembly.LoadFile(repositoryDllFile); builder.RegisterAssemblyTypes(assemblysRepository).AsImplementedInterfaces(); #endregion #region 其他注入 #region 没有接口的 dll 层注入 ////因为没有接口层,所以不能实现解耦,只能用 Load 方法。 ////var assemblysServicesNoInterfaces = Assembly.Load("Blog.Core.Services"); ////builder.RegisterAssemblyTypes(assemblysServicesNoInterfaces); #endregion #region 没有接口的单独类 class 注入 ////只能注入该类中的虚方法 builder.RegisterAssemblyTypes(Assembly.GetAssembly(typeof(Love))) .EnableClassInterceptors() .InterceptedBy(typeof(BlogLogAOP)); #endregion #endregion //将services填充到Autofac容器生成器中 builder.Populate(services); //使用已进行的组件登记创建新容器 var ApplicationContainer = builder.Build(); #endregion return(new AutofacServiceProvider(ApplicationContainer));//第三方IOC接管 core内置DI容器 }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { loggerFactory.AddConsole(Configuration.GetSection("Logging")); loggerFactory.AddDebug(); var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions)); var tokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)], ValidateAudience = true, ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)], ValidateIssuerSigningKey = true, IssuerSigningKey = _signingKey, RequireExpirationTime = true, ValidateLifetime = true, ClockSkew = TimeSpan.Zero, }; app.UseJwtBearerAuthentication(new JwtBearerOptions { AutomaticAuthenticate = true, AutomaticChallenge = true, TokenValidationParameters = tokenValidationParameters, RequireHttpsMetadata = !env.IsDevelopment(), }); app.UseDefaultFiles(); app.UseStaticFiles(); app.UseIdentity(); app.UseMvc(); app.UseWebSockets(); app.UseSignalR(); var logger = loggerFactory.CreateLogger("Yiyi" + jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)]); logger.LogInformation("IsDev: " + env.IsDevelopment()); using (var serviceScope = app.ApplicationServices.GetRequiredService<IServiceScopeFactory>().CreateScope()) { var ctx = serviceScope.ServiceProvider.GetService<BrewMaticContext>(); ctx.Database.Migrate(); ctx.Seed(); var ctx2 = serviceScope.ServiceProvider.GetService<IdentityContext>(); ctx2.Database.Migrate(); var usrMgr = serviceScope.ServiceProvider.GetService<UserManager<ApplicationUser>>(); var rlMgr = serviceScope.ServiceProvider.GetService<RoleManager<IdentityRole>>(); ctx2.Seed(usrMgr, rlMgr, Configuration["DefaultPassword"]); } }
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { throw new SecurityTokenException("InvalidToken"); }
private TokenValidationParameters CreateTokenValidationParameters() { var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions)); var tokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)], ValidateAudience = true, ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)], ValidateIssuerSigningKey = true, IssuerSigningKey = _signingKey, RequireExpirationTime = true, ValidateLifetime = true, ClockSkew = TimeSpan.Zero }; return tokenValidationParameters; }
protected override void ValidateIssuerSecurityKey(SecurityKey securityKey, JwtSecurityToken securityToken, TokenValidationParameters validationParameters) { DerivedJwtSecurityToken derivedJwt = securityToken as DerivedJwtSecurityToken; Assert.NotNull(derivedJwt); ValidateIssuerSigningKeyCalled = true; base.ValidateIssuerSecurityKey(securityKey, securityToken, validationParameters); }
protected override string ValidateIssuer(string issuer, JwtSecurityToken jwt, TokenValidationParameters validationParameters) { DerivedJwtSecurityToken derivedJwt = jwt as DerivedJwtSecurityToken; Assert.NotNull(derivedJwt); ValidateIssuerCalled = true; return(base.ValidateIssuer(issuer, jwt, validationParameters)); }
protected override void ValidateLifetime(DateTime?notBefore, DateTime?expires, JwtSecurityToken jwt, TokenValidationParameters validationParameters) { DerivedJwtSecurityToken derivedJwt = jwt as DerivedJwtSecurityToken; Assert.NotNull(derivedJwt); ValidateLifetimeCalled = true; base.ValidateLifetime(notBefore, expires, jwt, validationParameters); }