C# ASP.NET中的JWT令牌验证
我正在ASP.NET中编写一个API,它公开了两个端点:一个用于生成JWT令牌,另一个用于验证给定令牌 令牌生成似乎工作正常:C# ASP.NET中的JWT令牌验证,c#,asp.net,jwt,C#,Asp.net,Jwt,我正在ASP.NET中编写一个API,它公开了两个端点:一个用于生成JWT令牌,另一个用于验证给定令牌 令牌生成似乎工作正常: [HttpPost] public IHttpActionResult Token() { var headerAuth = HttpContext.Current.Request.Headers["Authorization"]; if (headerAuth.ToString().St
[HttpPost]
public IHttpActionResult Token()
{
var headerAuth = HttpContext.Current.Request.Headers["Authorization"];
if (headerAuth.ToString().StartsWith("Basic"))
{
var credValue = headerAuth.ToString().Substring("Basic".Length).Trim();
var usernameAndPassEnc = Encoding.UTF8.GetString(Convert.FromBase64String(credValue));
var usernameAndPass = usernameAndPassEnc.Split(':');
LdapAuthentication ldap = new LdapAuthentication();
if (ldap.IsAuthenticated(usernameAndPass[0], usernameAndPass[1]))
{
var claimsData = new[] { new Claim(ClaimTypes.Name, usernameAndPass[0]) };
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("secret"));
var signInCred = new SigningCredentials(key, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
var tokenString = new JwtSecurityToken(
issuer: "http://my.website.com",
audience: "http://my.tokenissuer.com",
expires: DateTime.Now.AddMinutes(1),
claims: claimsData,
signingCredentials: signInCred
);
var token = new JwtSecurityTokenHandler().WriteToken(tokenString);
return Ok(token);
}
}
return BadRequest("Bad request");
}
但我不知道如何验证给定的令牌,在ASP.NET Core中,我用以下方式实现它(这很好):
那么,如何在ASP.NET中验证JWT令牌呢?为此,您可以编写一个中间件,或者使用现有的授权筛选器并覆盖它。使用以下方法验证令牌
public static bool ValidateToken(string authToken) // Retrieve token from request header
{
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = this.GetValidationParameters();
SecurityToken validatedToken;
IPrincipal principal = tokenHandler.ValidateToken(authToken, validationParameters, out validatedToken);
Thread.CurrentPrincipal = principal;
HttpContext.Current.User = principal;
return true;
}
private static TokenValidationParameters GetValidationParameters()
{
return new TokenValidationParameters
{
IssuerSigningToken = new System.ServiceModel.Security.Tokens.BinarySecretSecurityToken(symmetricKey), //Key used for token generation
ValidIssuer = issuerName,
ValidAudience = allowedAudience,
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateAudience = true
};
}
验证JWT令牌是什么意思?我的意思是检查没有人修改令牌。像JWT网页调试器中那样验证签名您通常没有单独的端点,但使用
[Authorize]
装饰您的API,并让中间件为您完成工作。我建议您阅读一篇关于如何在ASP.NET中实现身份验证的好介绍。您也有官方的MS文档:是的,但我想在一个单独的服务中实现所有的身份验证逻辑,该服务将独立部署。各种应用程序将使用该身份验证。
public static bool ValidateToken(string authToken) // Retrieve token from request header
{
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = this.GetValidationParameters();
SecurityToken validatedToken;
IPrincipal principal = tokenHandler.ValidateToken(authToken, validationParameters, out validatedToken);
Thread.CurrentPrincipal = principal;
HttpContext.Current.User = principal;
return true;
}
private static TokenValidationParameters GetValidationParameters()
{
return new TokenValidationParameters
{
IssuerSigningToken = new System.ServiceModel.Security.Tokens.BinarySecretSecurityToken(symmetricKey), //Key used for token generation
ValidIssuer = issuerName,
ValidAudience = allowedAudience,
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateAudience = true
};
}