具有Identity Core中角色的JWT授权

时间:2019-04-29 09:51:09

标签: c# asp.net-core asp.net-identity claims-based-identity

我无法理解Roles中的Identity Core

我的AccountController如下所示,我在Roles方法的声明中添加了GenerateJWTToken

[HttpPost("Login")]
    public async Task<object> Login([FromBody] LoginBindingModel model)
    {
        var result = await this.signInManager.PasswordSignInAsync(model.UserName, model.Password, false, false);

        if (result.Succeeded)
        {
            var appUser = this.userManager.Users.SingleOrDefault(r => r.UserName == model.UserName);
            return await GenerateJwtToken(model.UserName, appUser);
        }

        throw new ApplicationException("INVALID_LOGIN_ATTEMPT");
    }

    [HttpPost("Register")]
    public async Task<object> Register([FromBody] RegistrationBindingModel model)
    {
        var user = new ApplicationUser
        {
            UserName = model.UserName,
            Email = model.Email,
            FirstName = model.FirstName,
            LastName = model.LastName
        };
        var result = await this.userManager.CreateAsync(user, model.Password);

        if (result.Succeeded)
        {
            await this.signInManager.SignInAsync(user, false);
            return await this.GenerateJwtToken(model.UserName, user);
        }

        throw new ApplicationException("UNKNOWN_ERROR");
    }

    private async Task<object> GenerateJwtToken(string userName, IdentityUser user)
    {
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userName),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(ClaimTypes.NameIdentifier, user.Id),
            new Claim(ClaimTypes.Role, Role.Viewer.ToString()),
            new Claim(ClaimTypes.Role, Role.Developer.ToString()),
            new Claim(ClaimTypes.Role, Role.Manager.ToString())
        };

        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(this.configuration["JwtKey"]));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var expires = DateTime.Now.AddDays(Convert.ToDouble(this.configuration["JwtExpireDays"]));

        var token = new JwtSecurityToken(
            this.configuration["JwtIssuer"],
            this.configuration["JwtIssuer"],
            claims,
            expires: expires,
            signingCredentials: creds);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

通过此代码,我的令牌可以与[Authorize]控制器的属性完美配合。

我的问题是,在哪一步中将role添加到我注册的user中以使用(例如)[Authorize("Admin")]?如何将role保存到数据库?

[Route("api/[controller]")]
[Authorize] //in this form it works ok, but how to add roles to it with JWT Token?
            //how to register user to role and get this role to JWT Token?
[ApiController]
public class DefaultController : ControllerBase

我的ApplicationUser

public class ApplicationUser : IdentityUser
{
    public string FirstName { get; set; }

    public string LastName { get; set; }
}

还有Roles的枚举:

public enum Role
{
    Viewer,
    Developer,
    Manager
}

如何将有关用户角色的信息保存到身份数据库,并在登录时如何使该角色正常工作的[Authorize]属性?

编辑:

我想要做的是像在用户的枚举中一样存储Roles。我想将用户注册为DeveloperManager等。我相信我可以通过ApplicationUser并添加Role属性,但是无法通过属性{ {1}}

2 个答案:

答案 0 :(得分:1)

您不需要使用IdentityUser和身份数据库,您使用的是JWT。使用定义的User属性创建Roles模型,并将其简单地持久存储在数据库中。喜欢:

public class User
{
   public string FirstName { get; set; }
   public string LastName { get; set; }
   public Role Role { get; set; }
}

public enum Role
{
   Viewer,
   Developer,
   Manager
}

令牌:

var user = // ...
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(your_seccret_key);
var tokenDescriptor = new SecurityTokenDescriptor
{
    Subject = new ClaimsIdentity(new Claim[] 
         {
             new Claim(ClaimTypes.Name, user.FirstName),
             new Claim(ClaimTypes.Name, user.LastName),
             new Claim(ClaimTypes.Role, user.Role)
         }),
     Expires = DateTime.UtcNow.AddDays(1),
     SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key),SecurityAlgorithms.HmacSha256Signature)
 };
 var token = tokenHandler.CreateToken(tokenDescriptor);
 user.Token = tokenHandler.WriteToken(token);

控制器方法:

[Authorize(Roles = Role.Developer)]
[HttpGet("GetSomethongForAuthorizedOnly")]
public async Task<object> GetSomething()
{ 
   // .... todo
}

答案 1 :(得分:1)

您可以将内置的角色管理与ASP.NET Identity一起使用。由于您使用的是ASP.NET Core 2.1,因此您可以首先参考以下链接来启用身份系统中的角色:

https://stackoverflow.com/a/54069826/5751404

启用角色后,您可以注册角色/用户,然后向用户添加角色,如:

tsmon

因此,当该用户登录到您的应用程序时,您可以在ClaimsPrincipal中找到private async Task CreateUserRoles() { IdentityResult roleResult; //Adding Admin Role var roleCheck = await _roleManager.RoleExistsAsync("Admin"); if (!roleCheck) { IdentityRole adminRole = new IdentityRole("Admin"); //create the roles and seed them to the database roleResult = await _roleManager.CreateAsync(adminRole); _roleManager.AddClaimAsync(adminRole, new Claim(ClaimTypes.AuthorizationDecision, "edit.post")).Wait(); _roleManager.AddClaimAsync(adminRole, new Claim(ClaimTypes.AuthorizationDecision, "delete.post")).Wait(); ApplicationUser user = new ApplicationUser { UserName = "YourEmail", Email = "YourEmail", }; _userManager.CreateAsync(user, "YourPassword").Wait(); await _userManager.AddToRoleAsync(user, "Admin"); } } 个声明,并且可以与具有角色的role属性一起使用。