我一直在四处寻找并尝试对 .NET Core Identity 进行更多研究(https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-2.1&tabs=visual-studio%2Caspnetcore2x)和 Jwt(json 网络令牌).我一直在我的 .NET Core 2.0 应用程序中使用默认身份作为身份验证/授权,到目前为止它运行良好.
I've been looking around and trying to do more research on .NET Core Identity (https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-2.1&tabs=visual-studio%2Caspnetcore2x) and Jwt (json web tokens). I've been rolling with the default Identity as authentication/authorization in my .NET Core 2.0 app and it has been working well so far.
我遇到了障碍,我认为这是我理解 .NET Core 身份和 jwt 的方式.我的应用程序有 MVC 和 web api.我理想地希望保护 web api,但我听说现在最好的方法是通过 jwt.好 - 酷.
I'm running into a roadblock and I think it's the way of my understanding of .NET Core identity and jwt. My application has MVC and an web api. I would ideally like to secure the web api, but I hear the best way to do that now is through jwt. Good - cool.
我可以继续配置 jwt,然后将其用作我的身份验证/授权 (https://blogs.msdn.microsoft.com/webdev/2017/04/06/jwt-validation-and-authorization-in-asp-net-core/),但是 - 我需要继续启动一个新服务器作为 jwt 的授权服务器吗?如果是这样,我不会那样做(太贵了).
I can go ahead and configure jwt and then use it as my authentication/authorization (https://blogs.msdn.microsoft.com/webdev/2017/04/06/jwt-validation-and-authorization-in-asp-net-core/), but - do I need to go ahead and spin up a new server to serve as the authorization server for jwt? If so, I'm not going to do that (too expensive).
如果我确实使用 jwt,我的 .NET Core 身份代码会怎样?那是不是必须要走了?如果它可以共存,我如何使用 Identity 授权我的 MVC 页面并使用 jwt 授权我的 api 端点?
What about my .NET Core identity code if I do go with jwt? Does that have to go away then? If it can co-exist, how might I authorize my MVC pages with Identity and my api endpoints with jwt?
我知道这是一个开放式问题,但它的核心是:
I realize this is an open-ended question, but the core of it is:
.NET Core Identity 和 JWT 可以共存吗?还是我必须选择其中一个?我有 MVC 和一个 web api,并希望保护两者.
是的,你可以.逻辑过程在这个方法中:
Yes, you can. The logic process is in this method:
第 1 步:获取用户声明
var identity = await GetClaimsIdentity(credentials.UserName, credentials.Password);
您将进入 GetClaimsIdentity
Into GetClaimsIdentity you will
private async Task<ClaimsIdentity> GetClaimsIdentity(string userName, string password)
{
if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
return await Task.FromResult<ClaimsIdentity>(null);
var userToVerify = await _userManager.FindByNameAsync(userName);
if (userToVerify == null) {
userToVerify = await _userManager.FindByEmailAsync(userName);
if (userToVerify == null) {
return await Task.FromResult<ClaimsIdentity>(null);
}
}
// check the credentials
if (await _userManager.CheckPasswordAsync(userToVerify, password))
{
_claims = await _userManager.GetClaimsAsync(userToVerify);
return await Task.FromResult(_jwtFactory.GenerateClaimsIdentity(userToVerify.UserName, userToVerify.Id, _claims));
}
// Credentials are invalid, or account doesn't exist
return await Task.FromResult<ClaimsIdentity>(null);
}
第 2 步:将您需要添加到令牌的所有用户声明分组 - 使用 System.Security.Claims
public ClaimsIdentity GenerateClaimsIdentity(string userName, string id, IList<Claim> claims)
{
claims.Add(new Claim(Helpers.Constants.Strings.JwtClaimIdentifiers.Id, id));
// If your security is role based you can get then with the RoleManager and add then here as claims
// Ask here for all claims your app need to validate later
return new ClaimsIdentity(new GenericIdentity(userName, "Token"), claims);
}
第 3 步:然后返回您的方法,您必须生成并返回 JWT 令牌
jwt = await jwtFactory.GenerateEncodedToken(userName, identity);
return new OkObjectResult(jwt);
要生成令牌,请执行以下操作:
To generate token do something like this:
public async Task<string> GenerateEncodedToken(string userName, ClaimsIdentity identity)
{
List<Claim> claims = new List<Claim>();
//Config claims
claims.Add(new Claim(JwtRegisteredClaimNames.Sub, userName));
claims.Add(new Claim(JwtRegisteredClaimNames.Jti, await _jwtOptions.JtiGenerator()));
claims.Add(new Claim(JwtRegisteredClaimNames.Iat, ToUnixEpochDate(_jwtOptions.IssuedAt).ToString(), ClaimValueTypes.Integer64));
//End Config claims
claims.AddRange(identity.FindAll(Helpers.Constants.Strings.JwtClaimIdentifiers.Roles));
claims.AddRange(identity.FindAll("EspecificClaimName"));
// Create the JWT security token and encode it.
var jwt = new JwtSecurityToken(
issuer: _jwtOptions.Issuer,
audience: _jwtOptions.Audience,
claims: claims,
notBefore: _jwtOptions.NotBefore,
expires: _jwtOptions.Expiration,
signingCredentials: _jwtOptions.SigningCredentials);
var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);
return encodedJwt;
}
有很多方法可以做到这一点.最常见的是:验证身份用户 --> 获取用户标识符 --> 根据标识符生成并返回令牌 --> 对端点使用授权
There are many ways to do this. The most common is: Validate Identity User --> Get User identifiers --> Generate and Return Token Based on Identifiers --> Use Authorization for endpoints
希望有帮助
这篇关于.NET Core 2.0 身份和 jwt?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!