我将ASP.NET Core 2配置为使用JWT令牌进行身份验证。配置如下所示:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.RequireHttpsMetadata = false;
options.SaveToken = true;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidIssuer = Configuration["Tokens:Issuer"],
ValidAudience = Configuration["Tokens:Issuer"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Tokens:Key"]))
};
});
然后我创建了一个用户登录的方法,如下所示:
[AllowAnonymous]
[HttpPost]
[Route("token")]
public async Task<IActionResult> Token([FromBody] LoginViewModel model)
{
if (!ModelState.IsValid) return BadRequest("Could not create token");
var user = await _userManager.FindByNameAsync(model.UserName);
if (user == null) return BadRequest("Could not create token");
var result = await _signInManager.CheckPasswordSignInAsync(user, model.Password, false);
if (!result.Succeeded) return BadRequest("Could not create token");
var claims = new[]
{
new Claim(JwtRegisteredClaimNames.Sub, user.Email),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
};
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["Tokens:Key"]));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var roles = await _userManager.GetRolesAsync(user);
var token = new JwtSecurityToken(_configuration["Tokens:Issuer"],
_configuration["Tokens:Issuer"],
claims,
expires: DateTime.Now.AddMinutes(30),
signingCredentials: creds);
return Ok(new {
access_token = new JwtSecurityTokenHandler().WriteToken(token),
roles });
}
}
我保存令牌并在我的请求中使用它。我有一个非常简单的api端点:
[HttpGet("users")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public IActionResult GetUsers()
{
var isInRole = HttpContext.User.IsInRole(Roles.Administrator);
return Ok(_service.GetAllUsers());
}
这里我介绍了方法,但isInRole始终为false。即使我的var roles = await _userManager.GetRolesAsync(user);返回包括管理员在内的角色列表。为什么这不起作用?
答案 0 :(得分:4)
您需要将角色声明添加到claims数组中,如此
var claims = new[]
{
new Claim(JwtRegisteredClaimNames.Sub, user.Email),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
//role claim
new Claim(ClaimTypes.Role, "Administrator")
};
这是Asp.Net将在[Authorize(Roles="Administrator")]属性和HttpContext.User.IsInRole("Administrator");
同样,ClaimTypes.Name用于在控制器中生成User.Identity.Name
我建议你阅读Rui Figueiredo Secure a Web Api in ASP.NET Core关于这个主题的优秀文章
答案 1 :(得分:-1)
public async Task<string> GenerateEncodedToken(string userName, string email, List<string> roles, ClaimsIdentity identity)
{
var claims = new List<Claim>
{
new Claim(JwtRegisteredClaimNames.Sub, userName),
new Claim(JwtRegisteredClaimNames.UniqueName, userName),
new Claim(JwtRegisteredClaimNames.Email, email),
new Claim(JwtRegisteredClaimNames.Jti, await _jwtOptions.JtiGenerator()),
new Claim(JwtRegisteredClaimNames.Iat, ToUnixEpochDate(_jwtOptions.IssuedAt).ToString(), ClaimValueTypes.Integer64)
};
var id = identity.FindFirst(Constants.Strings.JwtClaimIdentifiers.Id);
claims.Add(id);
roles.ForEach(role =>
{
claims.Add(new Claim(ClaimTypes.Role, role));
});
var jwt = new JwtSecurityToken(
issuer: _jwtOptions.Issuer,
audience: _jwtOptions.Audience,
claims: claims,
notBefore: _jwtOptions.NotBefore,
expires: _jwtOptions.Expiration,
signingCredentials: _jwtOptions.SigningCredentials);
var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);
return encodedJwt;
}