我在ASP.NET中编写了一个公开两个端点的API:一个用于生成JWT令牌,另一个用于验证给定令牌。
令牌生成似乎工作正常:
[HttpPost]
public IHttpActionResult Token()
{
var headerAuth = HttpContext.Current.Request.Headers["Authorization"];
if (headerAuth.ToString().StartsWith("Basic"))
{
var credValue = headerAuth.ToString().Substring("Basic".Length).Trim();
var usernameAndPassEnc = Encoding.UTF8.GetString(Convert.FromBase64String(credValue));
var usernameAndPass = usernameAndPassEnc.Split(':');
LdapAuthentication ldap = new LdapAuthentication();
if (ldap.IsAuthenticated(usernameAndPass[0], usernameAndPass[1]))
{
var claimsData = new[] { new Claim(ClaimTypes.Name, usernameAndPass[0]) };
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("secret"));
var signInCred = new SigningCredentials(key, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
var tokenString = new JwtSecurityToken(
issuer: "http://my.website.com",
audience: "http://my.tokenissuer.com",
expires: DateTime.Now.AddMinutes(1),
claims: claimsData,
signingCredentials: signInCred
);
var token = new JwtSecurityTokenHandler().WriteToken(tokenString);
return Ok(token);
}
}
return BadRequest("Bad request");
}
但是我不知道如何验证给定的令牌,在ASP.NET Core中我实现了它(这很好):
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateIssuerSigningKey = true,
ValidIssuer = "http://my.website.com",
ValidAudience = "http://my.tokenissuer.com",
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("secret"))
};
});
services.AddMvc();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseAuthentication();
app.UseMvc();
}
那么,如何验证ASP.NET中的JWT令牌?
答案 0 :(得分:3)
为此,您可以编写中间件或使用现有的Authorize过滤器并覆盖它。使用以下方法验证令牌
public static bool ValidateToken(string authToken) // Retrieve token from request header
{
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = this.GetValidationParameters();
SecurityToken validatedToken;
IPrincipal principal = tokenHandler.ValidateToken(authToken, validationParameters, out validatedToken);
Thread.CurrentPrincipal = principal;
HttpContext.Current.User = principal;
return true;
}
private static TokenValidationParameters GetValidationParameters()
{
return new TokenValidationParameters
{
IssuerSigningToken = new System.ServiceModel.Security.Tokens.BinarySecretSecurityToken(symmetricKey), //Key used for token generation
ValidIssuer = issuerName,
ValidAudience = allowedAudience,
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateAudience = true
};
}