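/// <summary>
/// Registers the parameters a token-issuing project needs to build JWTs; call it from that
/// project's Startup.ConfigureServices.
/// </summary>
/// <param name="services">The service collection to register into.</param>
/// <param name="issuer">Issuer (<c>iss</c>) recorded on the requirement and written into every token.</param>
/// <param name="audience">Audience (<c>aud</c>) recorded on the requirement and written into every token.</param>
/// <param name="secret">Shared HMAC-SHA256 secret. It is ASCII-encoded, so any non-ASCII character is
/// replaced by '?' before use; the validating side must apply the same encoding to the same string.</param>
/// <param name="deniedUrl">Route handed to <see cref="PermissionRequirement"/> as its denied URL.</param>
/// <param name="expiration">Token lifetime recorded on the requirement; defaults to 10 hours when omitted.</param>
/// <returns>The same <paramref name="services"/> so registrations can be chained.</returns>
/// <exception cref="ArgumentNullException"><paramref name="services"/> or <paramref name="secret"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="secret"/> encodes to fewer than 16 bytes.</exception>
public static IServiceCollection AddJTokenBuild(this IServiceCollection services, string issuer, string audience, string secret, string deniedUrl, TimeSpan? expiration = null)
{
    if (services is null) throw new ArgumentNullException(nameof(services));
    if (secret is null) throw new ArgumentNullException(nameof(secret));

    // HS256 rejects keys below 128 bits when the signature provider is created, so a short
    // secret would otherwise only surface when the first token is signed; fail at startup instead.
    // RFC 7518 §3.2 asks for at least 256 bits (32 bytes) for HS256 — prefer that in practice.
    const int MinimumHmacKeyBytes = 16;
    var keyBytes = Encoding.ASCII.GetBytes(secret);
    if (keyBytes.Length < MinimumHmacKeyBytes)
    {
        throw new ArgumentException($"The secret must encode to at least {MinimumHmacKeyBytes} bytes for HMAC-SHA256; got {keyBytes.Length}.", nameof(secret));
    }

    var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(keyBytes), SecurityAlgorithms.HmacSha256);

    // ClaimTypes.Role is the claim type the requirement matches on (per the original note,
    // ClaimTypes.Name would match on user name instead).
    var permissionRequirement = new PermissionRequirement(
        deniedUrl,
        ClaimTypes.Role,
        issuer,
        audience,
        signingCredentials,
        expiration: expiration ?? TimeSpan.FromHours(10)
    );

    return services.AddSingleton(permissionRequirement);
}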
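/// <summary>
/// Registers the Ocelot JWT bearer authentication scheme and a permission-based authorization
/// policy; call it from the business API's Startup.ConfigureServices.
/// </summary>
/// <param name="services">The service collection to register into.</param>
/// <param name="issuer">Expected token issuer (<c>iss</c>); tokens with any other issuer are rejected.</param>
/// <param name="audience">Expected token audience (<c>aud</c>); tokens with any other audience are rejected.</param>
/// <param name="secret">Shared HMAC-SHA256 secret, ASCII-encoded exactly as on the issuing side
/// (non-ASCII characters become '?').</param>
/// <param name="defaultScheme">Name registered for the JWT bearer scheme and used as the default authentication scheme.</param>
/// <param name="policyName">Name of the authorization policy that carries the <see cref="PermissionRequirement"/>.</param>
/// <param name="deniedUrl">Route handed to <see cref="PermissionRequirement"/> as its denied URL.</param>
/// <param name="isHttps">Assigned to <c>RequireHttpsMetadata</c>; false (the default) allows metadata to be fetched over plain HTTP.</param>
/// <param name="expiration">Token lifetime recorded on the requirement; defaults to 10 hours when omitted.</param>
/// <returns>The <see cref="AuthenticationBuilder"/> so further schemes can be chained.</returns>
/// <exception cref="ArgumentNullException"><paramref name="services"/> or <paramref name="secret"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="secret"/> encodes to fewer than 16 bytes.</exception>
public static AuthenticationBuilder AddOcelotPolicyJwtBearer(this IServiceCollection services, string issuer, string audience, string secret, string defaultScheme, string policyName, string deniedUrl, bool isHttps = false, TimeSpan? expiration = null)
{
    if (services is null) throw new ArgumentNullException(nameof(services));
    if (secret is null) throw new ArgumentNullException(nameof(secret));

    // HS256 rejects keys below 128 bits when the signature provider is created, so a short
    // secret would otherwise only surface on the first validated request; fail at startup instead.
    // RFC 7518 §3.2 asks for at least 256 bits (32 bytes) for HS256 — prefer that in practice.
    const int MinimumHmacKeyBytes = 16;
    var keyBytes = Encoding.ASCII.GetBytes(secret);
    if (keyBytes.Length < MinimumHmacKeyBytes)
    {
        throw new ArgumentException($"The secret must encode to at least {MinimumHmacKeyBytes} bytes for HMAC-SHA256; got {keyBytes.Length}.", nameof(secret));
    }

    var signingKey = new SymmetricSecurityKey(keyBytes);
    var tokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey,
        ValidateIssuer = true,
        ValidIssuer = issuer,
        ValidateAudience = true,
        ValidAudience = audience,
        ValidateLifetime = true,
        // No tolerance on exp/nbf: issuing and validating clocks are assumed to be in sync.
        ClockSkew = TimeSpan.Zero,
        RequireExpirationTime = true,
    };

    var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

    // ClaimTypes.Role is the claim type the requirement matches on (per the original note,
    // ClaimTypes.Name would match on user name instead).
    var permissionRequirement = new PermissionRequirement(
        deniedUrl,
        ClaimTypes.Role,
        issuer,
        audience,
        signingCredentials,
        expiration: expiration ?? TimeSpan.FromHours(10)
    );

    // Register the handler that evaluates the requirement, and the requirement instance itself.
    services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
    services.AddSingleton(permissionRequirement);

    return services
        .AddAuthorization(options =>
        {
            options.AddPolicy(policyName, policy => policy.Requirements.Add(permissionRequirement));
        })
        .AddAuthentication(options =>
        {
            options.DefaultScheme = defaultScheme;
        })
        .AddJwtBearer(defaultScheme, o =>
        {
            o.RequireHttpsMetadata = isHttps;
            o.TokenValidationParameters = tokenValidationParameters;
        });
}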
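/// <summary>
/// Issues a signed JWT for <paramref name="claims"/> using the issuer, audience, lifetime and
/// signing credentials held by <paramref name="permissionRequirement"/>.
/// </summary>
/// <param name="claims">Claims embedded in the token payload.</param>
/// <param name="permissionRequirement">Token parameters as registered by <c>AddJTokenBuild</c>.</param>
/// <returns>An anonymous object with <c>status</c>, <c>access_token</c>, <c>expires_in</c> and <c>token_type</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="permissionRequirement"/> is null.</exception>
public static dynamic BuildJwtToken(Claim[] claims, PermissionRequirement permissionRequirement)
{
    if (permissionRequirement is null) throw new ArgumentNullException(nameof(permissionRequirement));

    // Single timestamp so nbf and exp are computed from the same instant.
    var issuedAt = DateTime.UtcNow;
    var token = new JwtSecurityToken(
        issuer: permissionRequirement.Issuer,
        audience: permissionRequirement.Audience,
        claims: claims,
        notBefore: issuedAt,
        expires: issuedAt.Add(permissionRequirement.Expiration),
        signingCredentials: permissionRequirement.SigningCredentials
    );
    var encodedToken = new JwtSecurityTokenHandler().WriteToken(token);

    return new
    {
        status = true,
        access_token = encodedToken,
        // NOTE: this value is milliseconds, whereas RFC 6749 §5.1 defines expires_in in seconds.
        // Kept as-is because existing clients may parse the current value; change both sides together.
        expires_in = permissionRequirement.Expiration.TotalMilliseconds,
        token_type = "Bearer"
    };
}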