Microsoft.IdentityModel.Tokens:添加额外声明

时间:2017-07-10 21:04:14

标签: .net asp.net-core jwt claims-based-identity bearer-token

背景

对于authn / z目的,我们使用JOSE-JWT创建JWT令牌。此令牌通过授权:承载 HTTP标头传递到不同的microservces以模拟调用者。

微服务本身利用 Microsoft.IdentityModel.Tokens 来验证JWT令牌:

using System;
using System.Text;
using Microsoft.IdentityModel.Tokens;
using Microsoft.AspNetCore.Builder;

// The key length needs to be of sufficient length, or otherwise an error will occur.
var tokenSecretKey = Encoding.UTF8.GetBytes(Configuration["TokenSecretKey"]);

var tokenValidationParameters = new TokenValidationParameters
{
    // Token signature will be verified using a private key.
    ValidateIssuerSigningKey = true,
    RequireSignedTokens = true,
    IssuerSigningKey = new SymmetricSecurityKey(tokenSecretKey),

    // Token will only be valid if contains "accelist.com" for "iss" claim.
    ValidateIssuer = true,
    ValidIssuer = "accelist.com",

    // Token will only be valid if contains "accelist.com" for "aud" claim.
    ValidateAudience = true,
    ValidAudience = "accelist.com",

    // Token will only be valid if not expired yet, with 5 minutes clock skew.
    ValidateLifetime = true,
    RequireExpirationTime = true,
    ClockSkew = new TimeSpan(0, 5, 0),

    ValidateActor = false,
};

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    TokenValidationParameters = tokenValidationParameters,
});

某些JWT保留声明将自动填充到 HttpContext.User 中,即

enter image description here

问题

是否有一种简单而优雅的方式将其他自定义声明填充到 HttpContext.User ?目前我能想到的唯一方法是解码令牌并调用 HttpContext.User.Claims.Add(...)

提前谢谢!

1 个答案:

答案 0 :(得分:1)

不是解码令牌并添加custom claims,而是动态执行Unionusercustom声明:

private async Task<JwtSecurityToken> GetJwtSecurityToken(ApplicationUser user)
        {
            //Get the user claims
            var userClaims = await _userManager.GetClaimsAsync(user);
            //Merge the claims here
            return new JwtSecurityToken(
                issuer: "", //Insert your issuer
                audience: "",//Insert your audience
                claims: GetTokenClaims(user).Union(userClaims), //This is the Union you need
                expires: DateTime.UtcNow.AddMinutes(5),//Add expiry time here
                signingCredentials: new SigningCredentials(IssuerSigningKey, SecurityAlgorithms.HmacSha256)//Do your magic here
            );
        }

GetTokenClaims()方法只返回自定义声明列表,如:

private static IEnumerable<Claim> GetTokenClaims(ApplicationUser user)
{
    return new List<Claim>
        {
        new Claim("UserName", user.UserName),
        new Claim("Email", user.Email),
        new Claim("FirstName", user.FirstName),
        new Claim("LastName", user.LastName),
        new Claim("Phone", user.PhoneNumber),
        //More custom claims
        };
}

最后,您可以按如下方式将其打包:

//Get the token combination
var token = await GetJwtSecurityToken(user);
//Write and return the token
return Ok(new
{
    token = new JwtSecurityTokenHandler().WriteToken(token),
    expiration = token.ValidTo,              
});