.net 默认新建Api项目不需要额外从Nuget添加Microsoft.AspNetCore.Authentication.JwtBearer
appsettings.json
{ "Logging": { "LogLevel": { "Default": "Information", "Microsoft": "Warning", "Microsoft.Hosting.Lifetime": "Information" } }, "AllowedHosts": "*", "Authentication": { //私钥必须16位 "SecretKey": "YpdCP1VHoWkNawmb", //谁签发的(发布者) "issuer": "issuer", //签发给谁(持有者) "audience": "audience" } }
AuthController,具体登录实现可参考我以前文章Identity用户管理入门五(登录、注销)
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Microsoft.Extensions.Configuration; using Microsoft.IdentityModel.Tokens; using System; using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; using System.Text; namespace Shop.WebHost.Controllers { [Route("auth")] [ApiController] public class AuthController : ControllerBase { private readonly IConfiguration _configuration; public AuthController(IConfiguration configuration) { _configuration = configuration; } // GET: api/<AuthController> [AllowAnonymous] [HttpPost("Login")] public ActionResult Login([FromForm] UserDto loginUser) { //模拟登陆用户提交数据 //以下假设登陆验证通过 // JWT主要由三部分组成:HEADER.PAYLOAD.SIGNATURE // HEADER,加密算法和签名的类型,加密算法是HmacSha256 const string signingAlgorithm = SecurityAlgorithms.HmacSha256; //Payload,如用户名,角色等信息,过期日期等,因为是未加密的,所以不建议存放敏感信息。 var claims = new[] { new Claim(JwtRegisteredClaimNames.Sub, "user_id"), //红色字体为登录后获取的实际用户ID
//用户角色
new Claim(ClaimTypes.Role,"Admin"), //红色字体为用户登录后获取的实际用户角色
};
//Signiture从配置文件获取私钥 var secretByte = Encoding.UTF8.GetBytes(_configuration["Authentication:SecretKey"]); //使用非对称算法对私钥进行加密 var signingKey = new SymmetricSecurityKey(secretByte); //使用HmacSha256验证非对称加密后的私钥 var signingCredentials = new SigningCredentials(signingKey, signingAlgorithm); //创建Jwt Token var token = new JwtSecurityToken( //谁发布的token issuer: _configuration["Authentication:issuer"], //发布给谁 audience: _configuration["Authentication:audience"], //Payload claims, //发布时间 notBefore: DateTime.UtcNow, //有效期s expires: DateTime.UtcNow.AddDays(1), //数字签名 signingCredentials ); return Ok(new JwtSecurityTokenHandler().WriteToken(token)); } } public class UserDto { public string UserName { get; set; } public string Password { get; set; } } }
Startup.cs
using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.AspNetCore.Builder; using Microsoft.AspNetCore.Hosting; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Hosting; using Microsoft.IdentityModel.Tokens; using Microsoft.OpenApi.Models; using System.Text; namespace Shop.WebHost { public class Startup { public Startup(IConfiguration configuration) { Configuration = configuration; } public IConfiguration Configuration { get; } public void ConfigureServices(IServiceCollection services) { //Jwt认证服务 //AddAuthentication注册认证服务 //JwtBearerDefaults.AuthenticationScheme身份认证类型 services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) //Jwt身份认证 .AddJwtBearer(option => { //从配置文件读取私钥 var secretByte= Encoding.UTF8.GetBytes(Configuration["Authentication:SecretKey"]); //身份认证参数 option.TokenValidationParameters = new TokenValidationParameters() { //验证发布者 ValidateIssuer = true, ValidIssuer = Configuration["Authentication:issuer"], //验证持有者 ValidateAudience = true, ValidAudience = Configuration["Authentication:audience"], //验证是否过期 ValidateLifetime = true, //加密私钥 IssuerSigningKey = new SymmetricSecurityKey(secretByte) }; }); services.AddControllers(); services.AddSwaggerGen(c => { c.SwaggerDoc("v1", new OpenApiInfo { Title = "Shop.WebHost", Version = "v1" }); }); } public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); app.UseSwagger(); app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "Shop.WebHost v1")); } app.UseHttpsRedirection(); //你在哪 app.UseRouting(); //你是谁 app.UseAuthentication(); //你可以干什么 app.UseAuthorization(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); }); } } }
在控制器方法中增加【Authorize】即可未登录用户不能访问
控制用户组访问[Authorize(Roles = "Admin")]
// 由于我们没有将身份验证中间件配置为自动运行并创建身份,
// 因此在授权时必须选择要使用的中间件。
// 选择要授权的中间件的最简单方法是使用ActiveAuthenticationSchemes属性
[Authorize(AuthenticationSchemes = "Bearer")]
访问方式在header中增加(具体格式是Authorization:Bearer+空格+具体Token)
Authorization:Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyX2lkIiwibmJmIjoxNjA3MzI1NzkxLCJleHAiOjE2MDc0MTIxOTEsImlzcyI6Imlzc3VlciIsImF1ZCI6ImF1ZGllbmNlIn0.ZEN3m7XP8u-u9CNkVf1tfeznqh1SuK7Y0wD1bq9rSfQ
获取当前登录用户ID
startup.cs增加HttpContextAccessor服务并注入HttpContext的访问器对象IHttpContextAccessor来获取当前的HttpContext
services.AddHttpContextAccessor();
private readonly IHttpContextAccessor _httpContextAccessor; public AuthController(IHttpContextAccessor httpContextAccessor) { _httpContextAccessor = httpContextAccessor; }
增加获取当前用户ID方法
[HttpGet(nameof(GetCurrUserIdAsync))] public async Task<string> GetCurrUserIdAsync() { var auth = await _httpContextAccessor.HttpContext!.AuthenticateAsync();//获取登录用户的AuthenticateResult if (!auth.Succeeded) return null; var userCli = auth.Principal?.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier); //在声明集合中获取ClaimTypes.NameIdentifier 的值就是用户ID if (userCli == null || string.IsNullOrEmpty(userCli.Value)) { return null; } return userCli.Value; }
或者使用
return _httpContextAccessor.HttpContext.User.FindFirst(ClaimTypes.NameIdentifier).Value;
查询出当前用户ID就可以根据Identity用户管理入门二(显示用户列表)显示用户详情