Asp.net core 如何确保经过JWT认证的用户只能访问自己的资源
我正在使用JWT承载身份验证中间件和ASP.NET核心标识开发一个ASP.NET核心WebAPI Startup.cs:Asp.net core 如何确保经过JWT认证的用户只能访问自己的资源,asp.net-core,authorization,jwt,bearer-token,asp.net-core-identity,Asp.net Core,Authorization,Jwt,Bearer Token,Asp.net Core Identity,我正在使用JWT承载身份验证中间件和ASP.NET核心标识开发一个ASP.NET核心WebAPI Startup.cs: app.UseJwtBearerAuthentication(new JwtBearerOptions() { AutomaticAuthenticate = true, AutomaticChallenge = true, TokenValidationParameter
app.UseJwtBearerAuthentication(new JwtBearerOptions()
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
TokenValidationParameters = new TokenValidationParameters()
{
...
}
});
AuthController.cs
[ValidateModel]
[HttpPost("api/auth/token")]
public async Task<IActionResult> Token([FromBody] Credential model)
{
try
{
var applicationUser = await _userManager.FindByEmailAsync(model.Email);
if (applicationUser != null)
{
if (_hasher.VerifyHashedPassword(applicationUser, applicationUser.PasswordHash, model.Password) == PasswordVerificationResult.Success)
{
var token = await CreateTokenAsync(applicationUser);
return Ok(new
{
token = new JwtSecurityTokenHandler().WriteToken(token),
expiration = token.ValidTo
});
}
}
}
catch (Exception ex)
{
_logger.LogError($"Exception thrown while creating JWT: {ex}");
}
return BadRequest("Failed to generate token");
}
我如何在控制器的方法中访问jti值,以确保用户实际请求属于他们的资源
编辑
看起来可以吗
var test = User.FindFirst(ClaimTypes.NameIdentifier).Value;
if(test != id.ToString())
{
return BadRequest("Failed to get user");
}
其中“id”是我的操作的Guid参数
谢谢您是否尝试从您的代币中获取关联声明?据我所知,使用声明将允许我基于策略授权我的用户访问资源,而不是确保用户仅访问属于他们的资源查看此帖子以更好地理解声明的概念
var test = User.FindFirst(ClaimTypes.NameIdentifier).Value;
if(test != id.ToString())
{
return BadRequest("Failed to get user");
}