我已经在我的项目中实现了JWT Auth。JWT是使用下面的代码生成的（从用户处获取用户名和密码，并据此在数据库中查找该用户）。
/// <summary>
/// Looks up the user named in <paramref name="model"/> and, when one is found, issues a JWT for it.
/// </summary>
/// <param name="model">Credentials supplied by the caller (username and password).</param>
/// <returns>
/// An <see cref="AuthenticateResponse"/> carrying the user and a freshly signed token,
/// or <c>null</c> when no matching user exists.
/// </returns>
/// <remarks>
/// NOTE(review): the password is forwarded to <c>GetById</c> exactly as received; whether it is
/// compared against a salted hash or against a stored plaintext value is decided there — confirm
/// it is the former.
/// </remarks>
public AuthenticateResponse Authenticate(AuthenticateRequest model)
{
    // The lookup object doubles as the credential pair handed to GetById.
    var credentials = new Users
    {
        Username = model.Username,
        Password = model.Password
    };

    var matchedUser = GetById(credentials);
    if (matchedUser == null)
    {
        // Callers treat null as "authentication failed".
        return null;
    }

    // Only a found user receives a signed token.
    var signedToken = generateJwtToken(matchedUser);
    return new AuthenticateResponse(matchedUser, signedToken);
}
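/// <summary>
/// Creates an HMAC-SHA256 signed JWT for <paramref name="user"/> carrying a single "Username" claim.
/// </summary>
/// <param name="user">The authenticated user; its <c>Username</c> becomes the claim value.</param>
/// <param name="validForDays">Token lifetime in days; defaults to the original 30.</param>
/// <returns>The compact serialized token string.</returns>
/// <remarks>
/// The secret is read as UTF-8. The original used <see cref="Encoding.ASCII"/>, which silently
/// replaces every non-ASCII character with '?': that weakens the key and yields different bytes
/// from a validator that reads the same secret as UTF-8, so signatures would not verify. For a
/// purely ASCII secret the bytes are identical.
/// NOTE(review): 30 days is long for a bearer token that cannot be revoked; a shorter lifetime
/// plus a refresh mechanism is the usual mitigation. Also confirm the secret is long enough for
/// HMAC-SHA256 (at least 256 bits is the common recommendation).
/// </remarks>
private string generateJwtToken(Users user, int validForDays = 30)
{
    var tokenHandler = new JwtSecurityTokenHandler();
    // UTF-8 keeps every byte of the configured secret; this must match the validator's encoding.
    var key = Encoding.UTF8.GetBytes(_appSettings.Secret);
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(new[] { new Claim("Username", user.Username.ToString()) }),
        // UTC so the "exp" claim does not depend on the server's local time zone.
        Expires = DateTime.UtcNow.AddDays(validForDays),
        SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
    };
    var token = tokenHandler.CreateToken(tokenDescriptor);
    return tokenHandler.WriteToken(token);
}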
接下来让我困惑的是：当用户把生成的JWT令牌发回给我以获取对API的访问权限时，我该如何验证该令牌？应该如何实现，它又是如何工作的？我找到了很多解决方案，但是我不明白它们是如何验证此密钥的。
答案 0 :(得分:0)
您可以在客户端的请求标头中添加 Authorization 标头，然后解析令牌以获取所需的内容（id、用户名等）。解析之前应先用签名密钥验证令牌的签名和有效期，否则令牌中的内容可以被任意伪造。
答案 1 :(得分:0)
我使用下面的代码来验证令牌：
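// Validates an incoming bearer JWT and returns the caller's identity.
// Assumes `token` (the raw compact JWT taken from the Authorization header) and
// `_tokenManagement.Secret` (the HMAC secret shared with the issuer) are in scope;
// the enclosing method's signature is not part of this snippet.
// Throws SecurityTokenException (or a derived type) when the signature, lifetime
// or algorithm check fails.
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_tokenManagement.Secret));
var tokenValidationParameters = new TokenValidationParameters
{
    // The issuing code above sets neither issuer nor audience, so there is nothing to
    // validate yet; enable both as soon as the issuer populates them.
    ValidateAudience = false,
    ValidateIssuer = false,
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = signingKey,
    // Reject expired tokens. With lifetime validation off, a leaked 30-day token would
    // remain usable forever. The library's default ClockSkew still applies.
    ValidateLifetime = true
};
var tokenHandler = new JwtSecurityTokenHandler();
SecurityToken securityToken;
var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out securityToken);

// Defence against algorithm substitution: only HMAC-SHA256 is acceptable here.
// NOTE(review): Microsoft.IdentityModel writes the JWA short name "HS256"
// (SecurityAlgorithms.HmacSha256) into the header when the issuer signs with the
// HmacSha256Signature URI constant, so comparing against the URI alone is expected to
// reject every token the issuer above produces; both spellings are accepted. Confirm
// against the library version in use.
var jwtSecurityToken = securityToken as JwtSecurityToken;
var headerAlg = jwtSecurityToken == null ? null : jwtSecurityToken.Header.Alg;
var isHmacSha256 =
    string.Equals(headerAlg, SecurityAlgorithms.HmacSha256, StringComparison.OrdinalIgnoreCase) ||
    string.Equals(headerAlg, SecurityAlgorithms.HmacSha256Signature, StringComparison.OrdinalIgnoreCase);
if (!isHmacSha256)
    throw new SecurityTokenException("Invalid token");
return principal;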