概述
认证授权是很多系统的基本功能 , 在以前PC的时代 , 通常是基于cookies-session这样的方式实现认证授权 , 在那个时候通常系统的用户量都不会很大, 所以这种方式也一直很好运行, 随着现在都软件用户量越来越大, 系统架构也从以前垂直扩展(增加服务器性能) -> 水平扩展(增加服务器数量)
cookies-session 工作方式
客户端提交用户信息 -> 服务器识别用户 -> 服务端保存用户信息 -> 返回session-id客户端 -> 客户端保存session-id -> 每次请求cookies带上session-id
这种方式也不是不能水平扩展 , 例如 , session复制/第三方保存session(数据库 , Redis)
名词解析
认证 : 识别用户是否合法
授权: 赋予用户权限 (能访问哪些资源)
鉴权: 鉴定权限是否合法
Jwt优势与劣势
优势
- 无状态
- 支持跨域访问
- 跨语言
劣势
- Token有效性问题
- 占带宽
- 需要实现续签
- 消耗更多CPU
只能根据自身使用场景决定使用哪一种身份验证方案 , 没有一种方案是通用的,完美的
AspNetCore集成Jwt认证
- 添加包
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
- 添加配置
"JwtOptions": {
"Issuer": "https://localhost:5001",
"Audience": "https://localhost:5001",
"SecurityKey": "1G3l0yYGbOINId3A*ioEi4iyxR7$SPzm"
}
- Jwt Bearer 扩展(选项)
public static AuthenticationBuilder AddJwtBearer(this IServiceCollection services, Action<JwtOptions> configureOptions)
{
if (configureOptions == null) throw new ArgumentNullException(nameof(configureOptions));
var jwtOptions = new JwtOptions()
{
Issuer = "Jwt Authentication",
Audience = "Wilson Pan Web Api",
};
// set customs optoins
configureOptions(jwtOptions);
// update Options
services.PostConfigure<JwtOptions>(options =>
{
options.Issuer = jwtOptions.Issuer;
options.Audience = jwtOptions.Audience;
options.SecurityKey = jwtOptions.SecurityKey;
});
return services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidIssuer = jwtOptions.Issuer,
ValidAudience = jwtOptions.Audience,
ValidateIssuer = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = jwtOptions.SymmetricSecurityKey
};
});
}
- ConfigureServices
services.AddJwtBearer(options =>
{
options.Issuer = Configuration.GetValue<string>("JwtOptions:Issuer");
options.Audience = Configuration.GetValue<string>("JwtOptions:Audience");
options.SecurityKey = Configuration.GetValue<string>("JwtOptions:SecurityKey");
});
- Configure
app.UseAuthentication();
app.UseAuthorization();
- add AuthorizeController
//define claim
var claims = new Claim[]
{
new Claim(ClaimTypes.Name, username),
new Claim(ClaimTypes.Email, $"{username}@github.com"),
new Claim(ClaimTypes.Role, username == "WilsonPan" ? "Admin" : "Reader"),
new Claim(ClaimTypes.Hash, JwtHashHelper.GetHashString($"{username}:{password}:{System.DateTime.Now.Ticks}")),
};
//define JwtSecurityToken
var token = new JwtSecurityToken(
issuer: _jwtOptions.Issuer,
audience: _jwtOptions.Audience,
claims: claims,
expires: System.DateTime.Now.AddMinutes(5),
signingCredentials: _jwtOptions.SigningCredentials
);
// generate token
var result = new JwtSecurityTokenHandler().WriteToken(token);
- Contrller/Action 添加认证授权
[ApiController]
[Authorize]
[Route("[controller]")]
public class ApiController : ControllerBase
{
...
}
[HttpPost]
[Authorize(Roles = "Admin")]
public IActionResult Post()
{
return Ok();
}
Rest Client
dotnet run
- 认证接口
@host = https://localhost:5001
# @name token
POST {{host}}/Authorize HTTP/1.1
Content-Type: application/x-www-form-urlencoded
#username=Wilson&password=123456
# admin
username=WilsonPan&password=123456
- 需要授权接口
### required authorize
GET {{host}}/api HTTP/1.1
Authorization: Bearer {{token.response.body.*}}
- 需要管理员角色接口
### required authorize
POST {{host}}/api HTTP/1.1
Authorization: Bearer {{token.response.body.*}}
转发请标明出处:https://www.cnblogs.com/WilsonPan/p/13495936.html
示例代码