对于authn / z目的,我们使用JOSE-JWT创建JWT令牌。此令牌通过授权:承载 HTTP标头传递到不同的microservces以模拟调用者。
微服务本身利用 Microsoft.IdentityModel.Tokens 来验证JWT令牌:
using System;
using System.Text;
using Microsoft.IdentityModel.Tokens;
using Microsoft.AspNetCore.Builder;
// The key length needs to be of sufficient length, or otherwise an error will occur.
var tokenSecretKey = Encoding.UTF8.GetBytes(Configuration["TokenSecretKey"]);
var tokenValidationParameters = new TokenValidationParameters
{
// Token signature will be verified using a private key.
ValidateIssuerSigningKey = true,
RequireSignedTokens = true,
IssuerSigningKey = new SymmetricSecurityKey(tokenSecretKey),
// Token will only be valid if contains "accelist.com" for "iss" claim.
ValidateIssuer = true,
ValidIssuer = "accelist.com",
// Token will only be valid if contains "accelist.com" for "aud" claim.
ValidateAudience = true,
ValidAudience = "accelist.com",
// Token will only be valid if not expired yet, with 5 minutes clock skew.
ValidateLifetime = true,
RequireExpirationTime = true,
ClockSkew = new TimeSpan(0, 5, 0),
ValidateActor = false,
};
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthenticate = true,
TokenValidationParameters = tokenValidationParameters,
});
某些JWT保留声明将自动填充到 HttpContext.User 中,即
是否有一种简单而优雅的方式将其他自定义声明填充到 HttpContext.User ?目前我能想到的唯一方法是解码令牌并调用 HttpContext.User.Claims.Add(...)。
提前谢谢!
答案 0 :(得分:1)
不是解码令牌并添加custom claims
,而是动态执行Union
和user
个custom
声明:
private async Task<JwtSecurityToken> GetJwtSecurityToken(ApplicationUser user)
{
//Get the user claims
var userClaims = await _userManager.GetClaimsAsync(user);
//Merge the claims here
return new JwtSecurityToken(
issuer: "", //Insert your issuer
audience: "",//Insert your audience
claims: GetTokenClaims(user).Union(userClaims), //This is the Union you need
expires: DateTime.UtcNow.AddMinutes(5),//Add expiry time here
signingCredentials: new SigningCredentials(IssuerSigningKey, SecurityAlgorithms.HmacSha256)//Do your magic here
);
}
GetTokenClaims()
方法只返回自定义声明列表,如:
private static IEnumerable<Claim> GetTokenClaims(ApplicationUser user)
{
return new List<Claim>
{
new Claim("UserName", user.UserName),
new Claim("Email", user.Email),
new Claim("FirstName", user.FirstName),
new Claim("LastName", user.LastName),
new Claim("Phone", user.PhoneNumber),
//More custom claims
};
}
最后,您可以按如下方式将其打包:
//Get the token combination
var token = await GetJwtSecurityToken(user);
//Write and return the token
return Ok(new
{
token = new JwtSecurityTokenHandler().WriteToken(token),
expiration = token.ValidTo,
});