Question
I am attempting to create a token validation method that returns true if a JWT token is valid based on the signature. I don't think I really need to validate everything in the token, but what actually signifies a token is valid after calling ValidateToken()? The existence of a principal? The out-referenced token contains certain values? Not sure when to return true from this method.
// Namespaces needed for this method (System.IdentityModel.Tokens.Jwt package):
using System.IdentityModel.Tokens.Jwt;   // JwtSecurityTokenHandler
using Microsoft.IdentityModel.Tokens;    // TokenValidationParameters, SecurityToken

public bool ValidateToken(string tokenString)
{
    var validationParameters = new TokenValidationParameters()
    {
        ValidIssuer = "My Company",
        ValidAudience = ApplicationId,            // this application's audience id (field not shown)
        IssuerSigningKey = JsonWebTokenSecretKey  // SecurityKey the tokens were signed with (field not shown)
    };
    SecurityToken token;                          // assigned by ValidateToken; no need to construct one first
    var tokenHandler = new JwtSecurityTokenHandler();
    // ValidateToken throws on any failure (signature, issuer, audience, lifetime)
    // rather than returning null, so this line is only reached for tokens that passed.
    var principal = tokenHandler.ValidateToken(tokenString, validationParameters, out token);
    return principal != null;
}
Recommended answer
I check all of the claims values manually. I've been searching for a definitive answer to your same question but the only thing I have seen is that the ValidateToken function will throw an Exception if something is wrong, so I begin by wrapping the call in a try-catch and return false from the catch.
That's just my "first-pass" at validating the token, though. Afterwards I do a little more heavy lifting to check certain values manually. For example, I make sure that the unique_name value in the claims section actually exists as a user in my database, that the user has not been deactivated, and other proprietary system stuff like that.
// This answer targets the older System.IdentityModel.Tokens.Jwt 4.x API, where
// TokenValidationParameters, JwtSecurityTokenHandler and BinarySecretSecurityToken
// all live in the System.IdentityModel.Tokens namespace.
using System;
using System.IdentityModel.Tokens;

// Configuration values referenced below (sourced from the application's settings; not shown in the answer).
private static readonly byte[] _key = /* symmetric signing key bytes */ null;
private static readonly string _audience = /* expected aud claim */ null;
private static readonly string _issuer = /* expected iss claim */ null;

// Stand-in for the answerer's own logging hook.
private static void log(string message) => Console.Error.WriteLine(message);

public static bool VerifyToken(string token)
{
    var validationParameters = new TokenValidationParameters()
    {
        IssuerSigningToken = new BinarySecretSecurityToken(_key),
        ValidAudience = _audience,
        ValidIssuer = _issuer,
        ValidateLifetime = true,
        ValidateAudience = true,
        ValidateIssuer = true,
        ValidateIssuerSigningKey = true
    };
    var tokenHandler = new JwtSecurityTokenHandler();
    SecurityToken validatedToken = null;
    try
    {
        // Throws a SecurityTokenException (or subclass) when the signature, issuer,
        // audience or lifetime check fails; returns normally otherwise.
        tokenHandler.ValidateToken(token, validationParameters, out validatedToken);
    }
    catch (SecurityTokenException)
    {
        return false;
    }
    catch (Exception e)
    {
        log(e.ToString()); // something else happened
        throw;
    }
    // ... manual validations return false if anything untoward is discovered
    return validatedToken != null;
}
The last line, return validatedToken != null, is purely superstition on my part. I've never seen the validatedToken be null.
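The following is an added example; it is not code from the question or the answer. It shows the two-pass approach the answer describes, written against the current System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens API (SymmetricSecurityKey in place of the older BinarySecretSecurityToken): the first pass turns ValidateToken's exceptions into a false result with a reason, and the second pass checks the unique_name claim against a user store. The signing key, issuer, audience and the in-memory user dictionary are constructed placeholders standing in for the answerer's configuration and database; the Issue helper exists only to mint sample tokens for the demo.

```csharp
// Added example, not part of the original question or answer.
// Requires the System.IdentityModel.Tokens.Jwt NuGet package.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class TokenVerifier
{
    // Constructed demo values; in a real service the key comes from a secret store.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes!!");
    private const string Issuer = "My Company";
    private const string Audience = "my-application-id";

    // Hypothetical user store standing in for the database: unique_name -> account active?
    private static readonly Dictionary<string, bool> Users = new Dictionary<string, bool>
    {
        ["alice"] = true,
        ["mallory"] = false, // deactivated account
    };

    private static TokenValidationParameters Parameters(byte[] key) => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromMinutes(1),
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(key),
        RequireSignedTokens = true,
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // only accept the algorithm we issue with
    };

    // First pass: ValidateToken signals failure by throwing, so "valid" means "did not throw".
    // Returns the principal on success and null (with a reason) on any validation failure.
    public static ClaimsPrincipal TryValidate(string jwt, out string reason)
    {
        var handler = new JwtSecurityTokenHandler();
        try
        {
            var principal = handler.ValidateToken(jwt, Parameters(Key), out SecurityToken _);
            reason = "ok";
            return principal;
        }
        catch (SecurityTokenExpiredException) { reason = "expired"; }
        catch (SecurityTokenInvalidSignatureException) { reason = "bad signature"; }
        catch (SecurityTokenException e) { reason = "rejected: " + e.GetType().Name; }
        catch (ArgumentException) { reason = "malformed: not a JWT"; } // thrown by older versions for unreadable input
        return null;
    }

    // Second pass: the answer's manual checks against the application's own data.
    public static bool VerifyToken(string jwt, out string reason)
    {
        var principal = TryValidate(jwt, out reason);
        if (principal == null) return false;

        // The handler's default inbound claim map renames unique_name to ClaimTypes.Name;
        // fall back to the raw name in case mapping is disabled.
        var name = (principal.FindFirst(ClaimTypes.Name)
                    ?? principal.FindFirst(JwtRegisteredClaimNames.UniqueName))?.Value;
        if (string.IsNullOrEmpty(name)) { reason = "no unique_name claim"; return false; }
        if (!Users.TryGetValue(name, out var active)) { reason = "unknown user"; return false; }
        if (!active) { reason = "user deactivated"; return false; }
        return true;
    }

    // Demo-only helper that mints a signed token; the optional key lets us build a token
    // signed by the wrong key to show signature rejection.
    public static string Issue(string user, TimeSpan lifetime, byte[] key = null)
    {
        var creds = new SigningCredentials(new SymmetricSecurityKey(key ?? Key), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: Issuer, audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.UniqueName, user) },
            expires: DateTime.UtcNow.Add(lifetime), signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public static void Main()
    {
        var wrongKey = Encoding.UTF8.GetBytes("another-constructed-key-of-32-bytes!!!!!");
        foreach (var (label, jwt) in new[]
        {
            ("active user", Issue("alice", TimeSpan.FromMinutes(5))),
            ("deactivated", Issue("mallory", TimeSpan.FromMinutes(5))),
            ("unknown user", Issue("bob", TimeSpan.FromMinutes(5))),
            ("expired", Issue("alice", TimeSpan.FromMinutes(-10))),
            ("wrong key", Issue("alice", TimeSpan.FromMinutes(5), wrongKey)),
            ("garbage", "not.a.jwt"),
        })
        {
            Console.WriteLine($"{label,-12} -> {VerifyToken(jwt, out var why)} ({why})");
        }
    }
}
```

Only the first case reaches the second pass and returns true; the others are refused either by ValidateToken (expired, wrong key, garbage) or by the manual claim checks (deactivated, unknown user). Pinning ValidAlgorithms to the algorithm the service actually issues with is the one setting here that the answer's parameters do not cover; it keeps a token header from selecting an algorithm the validator was not designed for.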