JWT authentication check and validation

Time: 2020-08-06 14:30:10

Tags: asp.net-core jwt-auth

I have implemented JWT Auth in my project. The JWT is generated using the code below (it takes the username and password from the user and looks them up in the database).

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public AuthenticateResponse Authenticate(AuthenticateRequest model)
{
    var userres = new Users { Username = model.Username, Password = model.Password };
    var user = GetById(userres);

    // return null if user not found
    if (user == null) return null;

    // authentication successful so generate jwt token
    var token = generateJwtToken(user);

    return new AuthenticateResponse(user, token);
}

private string generateJwtToken(Users user)
{
    // generate token that is valid for 30 days
    var tokenHandler = new JwtSecurityTokenHandler();
    // HS256 is symmetric: the same secret is needed again to validate the token later
    var key = Encoding.ASCII.GetBytes(_appSettings.Secret);
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(new[] { new Claim("Username", user.Username.ToString()) }),
        Expires = DateTime.UtcNow.AddDays(30),
        SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
    };
    var token = tokenHandler.CreateToken(tokenDescriptor);
    return tokenHandler.WriteToken(token);
}

The next thing is, I am confused about how to authenticate the generated JWT token whenever the user sends it to me to get access to the API. How do I implement it and how does it work? I found many solutions, but I am confused about how they validate this key.

2 answers:

Answer 0 (score: 0)

You can add an Authorization header to the client's request headers, and then you can parse the token to get what you need (id, username, etc.).
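The usual way to do what this answer describes in ASP.NET Core is to let the JwtBearer middleware read the `Authorization: Bearer <jwt>` header and validate it before any `[Authorize]` endpoint runs. The following is an added example, not code from the question or from either answer. It assumes the secret from the question's `_appSettings.Secret` is available under the configuration key `AppSettings:Secret`, that the `Microsoft.AspNetCore.Authentication.JwtBearer` package is referenced, and that the `TokenValidationParameters.ValidAlgorithms` property is available (recent Microsoft.IdentityModel.Tokens releases). The controller name and route are made up for the example.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed configuration key; must hold the same secret the token generator signs with.
        // HS256 needs a key of at least 32 bytes, and it should never be hard-coded.
        var secret = _configuration["AppSettings:Secret"];
        var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secret));

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Recompute the HMAC over header.payload with our key and compare.
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = key,
                    // Pin the algorithm so "none" or an asymmetric alg in the header is refused.
                    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
                    // Reject tokens whose exp has passed (small skew for clock drift).
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1),
                    // The generator in the question sets no iss/aud claims; enable these
                    // once it does, so tokens minted for another service are not accepted.
                    ValidateIssuer = false,
                    ValidateAudience = false
                };
            });

        services.AddAuthorization();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // parses and validates the Bearer token, populates HttpContext.User
        app.UseAuthorization();  // enforces [Authorize]
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Hypothetical controller used to show the validated claims being read.
[ApiController]
[Route("api/[controller]")]
public class ProfileController : ControllerBase
{
    // Reached only with a token that verified against the configured key and is not expired.
    [Authorize]
    [HttpGet]
    public IActionResult Get()
    {
        // The "Username" claim the generator put into the token is on the validated principal.
        var username = User.FindFirst("Username")?.Value;
        return Ok(new { username });
    }
}
```

With this in place, the controller never touches the raw token: a request without a header, with a bad signature, or with an expired token gets a 401 from the middleware before the action runs.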

Answer 1 (score: 0)

I use this code to validate the token

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

private ClaimsPrincipal GetPrincipalFromToken(string token)
{
    var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_tokenManagement.Secret));

    var tokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false, //you might want to validate the audience and issuer depending on your use case
        ValidateIssuer = false,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey,
        ValidateLifetime = false //here we are saying that we don't care about the token's expiration date
    };

    var tokenHandler = new JwtSecurityTokenHandler();
    SecurityToken securityToken;
    // throws a SecurityTokenException if the signature does not verify against signingKey
    var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out securityToken);

    var jwtSecurityToken = securityToken as JwtSecurityToken;

    // The JWT header carries the short name "HS256" (SecurityAlgorithms.HmacSha256);
    // SecurityAlgorithms.HmacSha256Signature is the XML-dsig URI used for SigningCredentials
    // and never appears in the header, so comparing against it would reject every token.
    if (jwtSecurityToken == null || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
        throw new SecurityTokenException("Invalid token");

    return principal;
}
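The answer above shows the verification call but disables lifetime checking, so the 30-day token from the question (or a stolen copy of it) would be accepted for ever; it also leaves issuer and audience unchecked. The self-contained console program below is an added example, not code from the question or from either answer. It mints tokens the same way the question does and then runs them through `ValidateToken` with lifetime, algorithm, issuer and audience validation turned on, showing which inputs are accepted and which are rejected: a tampered payload, an expired token, and an unsigned `alg: none` token. The secret, issuer and audience strings are constructed for the demo, and it assumes the `System.IdentityModel.Tokens.Jwt` package and a Microsoft.IdentityModel.Tokens release that has `ValidAlgorithms`.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtValidationDemo
{
    // Constructed demo values; a real service loads the secret from configuration.
    // HS256 requires a key of at least 32 bytes.
    private const string Secret = "demo-secret-that-is-at-least-32-bytes-long!!";
    private const string Issuer = "example-api";
    private const string Audience = "example-client";

    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Secret));

    // Everything the verifier checks: HMAC with our key, algorithm pinned to HS256,
    // nbf/exp with no clock skew, and the iss/aud values the generator stamps in.
    private static readonly TokenValidationParameters Parameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = Key,
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
        ValidateLifetime = true,
        ClockSkew = TimeSpan.Zero,
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience
    };

    // Same shape as the question's generateJwtToken, with iss/aud added and the
    // validity window passed in so the demo can also mint an already-expired token.
    public static string Generate(string username, DateTime notBefore, DateTime expires)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim("Username", username) }),
            Issuer = Issuer,
            Audience = Audience,
            NotBefore = notBefore,
            Expires = expires,
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256Signature)
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Returns the validated username, or null (with the exception type in reason) when rejected.
    public static string Validate(string token, out string reason)
    {
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(token, Parameters, out _);
            reason = "ok";
            return principal.FindFirst("Username")?.Value;
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            reason = ex.GetType().Name;
            return null;
        }
    }

    public static void Main()
    {
        var now = DateTime.UtcNow;

        // 1. Freshly issued token: accepted, and the Username claim is recovered.
        string good = Generate("alice", now, now.AddMinutes(5));
        Report("valid token", good);

        // 2. Client edits the payload (Username -> admin): the HMAC no longer matches.
        string[] parts = good.Split('.');
        string payload = Base64UrlEncoder.Decode(parts[1]).Replace("alice", "admin");
        string tampered = parts[0] + "." + Base64UrlEncoder.Encode(payload) + "." + parts[2];
        Report("tampered payload", tampered);

        // 3. exp already in the past: rejected because ValidateLifetime is on.
        string expired = Generate("alice", now.AddMinutes(-10), now.AddMinutes(-5));
        Report("expired token", expired);

        // 4. Signature stripped and alg set to "none": rejected, only HS256 is allowed
        //    and unsigned tokens are refused by default (RequireSignedTokens).
        string noneHeader = Base64UrlEncoder.Encode("{\"alg\":\"none\",\"typ\":\"JWT\"}");
        Report("alg=none", noneHeader + "." + parts[1] + ".");
    }

    private static void Report(string label, string token)
    {
        string user = Validate(token, out string reason);
        Console.WriteLine($"{label}: {(user == null ? "REJECTED" : "accepted as " + user)} ({reason})");
    }
}
```

Only the first case prints "accepted"; the other three are refused before any claim is trusted. Because HS256 is a shared-secret scheme, anyone holding `Secret` can mint tokens, so the secret must be kept out of source control and out of any client-side code.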