我正在尝试在ASP.NET CORE项目中使用 JWT 身份验证。
步骤1::我已在 Starup.cs 文件的 ConfigureServices 方法中添加了JWT服务。
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:SecretKey"])),
RequireExpirationTime = true,
ValidateLifetime = true,
ValidateAudience = false,
ValidateActor = false,
ValidateIssuer = false
};
});
并在配置方法中添加以下代码:
app.UseAuthentication();
步骤2:在登录时发送jwt令牌。
public class LoginRepository
{
public LoginRepository()
{
//TODO: Dependency to MongoDB will be initialized here
}
public LoginStatus Authenticate(string username, string password)
{
LoginStatus loginStatus = new LoginStatus();
string secretKey = ConfigurationManager.AppSetting["Jwt:SecretKey"];
int tokenExpirationHours = int.Parse(ConfigurationManager.AppSetting["Jwt:TokenExpirationHours"]);
//TODO: Need to add the userID in the payload. UserID will come from Database
Dictionary<string, string> payload = new Dictionary<string, string>() {
{ "UserName", username}
};
//TODO: Need to check the username and password in Database and then generate the token
loginStatus.Token = JwtTokenHelper.GenerateJwtToken(secretKey, payload, tokenExpirationHours);
return loginStatus;
}
}
这是JwtTokenHelper:
public class JwtTokenHelper
{
public static string GenerateJwtToken(string secretKey, IReadOnlyDictionary<string, string> payloadContents, int tokenExpirationHours)
{
JwtSecurityTokenHandler jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secretKey));
var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
var payloadClaims = payloadContents.Select(c => new Claim(c.Key, c.Value));
var payload = new JwtPayload("", "", payloadClaims, DateTime.Now, DateTime.Now.AddHours(tokenExpirationHours));
var header = new JwtHeader(signingCredentials);
var securityToken = new JwtSecurityToken(header, payload);
return jwtSecurityTokenHandler.WriteToken(securityToken);
}
}
在这里,我成功获取了JWT令牌。
第3步:现在,我尝试对控制器进行授权,当我在Postman的Authorization标头中提供了令牌时,它运行良好。
namespace SampleAPI.Controllers
{
[Authorize]
[Produces("application/json")]
[Route("api/Test")]
public class TestController : Controller
{
[HttpGet]
[Route("Testing")]
public IActionResult Testing()
{
return Ok("Yes");
}
}
}
但是,如果我更改了JWT令牌中的某些内容并再次命中该端点,它将返回“ 是”,这表示jwt令牌有效。但是在发送 Authorization 标头之前,我已经更改了该令牌的某些部分。
我在这里想念什么?您能否指出我应该采取的其他步骤?