ASP.NET Core JWT承载令牌自定义验证 [英] ASP.NET Core JWT Bearer Token Custom Validation
问题描述
大量阅读后,我发现了一种实现自定义JWT承载令牌验证器的方法,如下所示.
After a lot of reading, i have found a way to implement a custom JWT bearer token validator as below.
Starup.cs代码:
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
ILoggerFactory loggerFactory, IApplicationLifetime appLifetime)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseStaticFiles();
app.UseIdentity();
ConfigureAuth(app);
app.UseMvcWithDefaultRoute();
}
private void ConfigureAuth(IApplicationBuilder app)
{
var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration.GetSection("TokenAuthentication:SecretKey").Value));
var tokenValidationParameters = new TokenValidationParameters
{
// The signing key must match!
ValidateIssuerSigningKey = true,
IssuerSigningKey = signingKey,
// Validate the JWT Issuer (iss) claim
ValidateIssuer = true,
ValidIssuer = Configuration.GetSection("TokenAuthentication:Issuer").Value,
// Validate the JWT Audience (aud) claim
ValidateAudience = true,
ValidAudience = Configuration.GetSection("TokenAuthentication:Audience").Value,
// Validate the token expiry
ValidateLifetime = true,
// If you want to allow a certain amount of clock drift, set that here:
ClockSkew = TimeSpan.Zero
};
var jwtBearerOptions = new JwtBearerOptions();
jwtBearerOptions.AutomaticAuthenticate = true;
jwtBearerOptions.AutomaticChallenge = true;
jwtBearerOptions.TokenValidationParameters = tokenValidationParameters;
jwtBearerOptions.SecurityTokenValidators.Clear();
//below line adds the custom validator class
jwtBearerOptions.SecurityTokenValidators.Add(new CustomJwtSecurityTokenHandler());
app.UseJwtBearerAuthentication(jwtBearerOptions);
var tokenProviderOptions = new TokenProviderOptions
{
Path = Configuration.GetSection("TokenAuthentication:TokenPath").Value,
Audience = Configuration.GetSection("TokenAuthentication:Audience").Value,
Issuer = Configuration.GetSection("TokenAuthentication:Issuer").Value,
SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256)
};
app.UseMiddleware<TokenProviderMiddleware>(Options.Create(tokenProviderOptions));
}
以下是自定义验证程序类:
Below is the custom validator class:
public class CustomJwtSecurityTokenHandler : ISecurityTokenValidator
{
private int _maxTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
private JwtSecurityTokenHandler _tokenHandler;
public CustomJwtSecurityTokenHandler()
{
_tokenHandler = new JwtSecurityTokenHandler();
}
public bool CanValidateToken
{
get
{
return true;
}
}
public int MaximumTokenSizeInBytes
{
get
{
return _maxTokenSizeInBytes;
}
set
{
_maxTokenSizeInBytes = value;
}
}
public bool CanReadToken(string securityToken)
{
return _tokenHandler.CanReadToken(securityToken);
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
//How to access HttpContext/IP address from here?
var principal = _tokenHandler.ValidateToken(securityToken, validationParameters, out validatedToken);
return principal;
}
}
在令牌被盗的情况下,我想添加一个附加的安全层,以验证请求是否来自生成令牌的同一客户端.
In case of stolen token, i would like to add an additional layer of security to validate that the request is coming from the same client who generated the token.
问题:
- 有什么方法可以访问
CustomJwtSecurityTokenHandler类中的HttpContext,以便我可以基于当前的客户端/请求者添加自定义验证? - 还有其他方法可以使用这种方法/中间件来验证请求者的真实性吗?
- Is there any way i can access
HttpContextwithin theCustomJwtSecurityTokenHandlerclass so that i could add custom validations based on the current client/requestor? - Is there any other way we can validate the authenticity of the requestor using such method/middleware?
推荐答案
在ASP.NET Core中,可以使用IHttpContextAccessor服务获取HttpContext.使用DI将IHttpContextAccessor实例传递到处理程序中,并获取IHttpContextAccessor.HttpContext属性的值.
In ASP.NET Core HttpContext could be obtained using IHttpContextAccessor service. Use DI to pass IHttpContextAccessor instance into your handler and get value of IHttpContextAccessor.HttpContext property.
IHttpContextAccessor服务未注册,因此您首先需要在Startup.ConfigureServices方法中添加以下内容:
IHttpContextAccessor service is not registered by defaul, so you first need to add the following in your Startup.ConfigureServices method:
services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
然后修改您的CustomJwtSecurityTokenHandler类:
private readonly IHttpContextAccessor _httpContextAccessor;
public CustomJwtSecurityTokenHandler(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
_tokenHandler = new JwtSecurityTokenHandler();
}
...
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
var httpContext = _httpContextAccessor.HttpContext;
}
您还应该将DI技术用于JwtSecurityTokenHandler实例化.如果您不熟悉所有内容,请查阅依赖注入文档这些东西.
You should also use DI technique for JwtSecurityTokenHandler instantiation. Look into Dependency Injection documentation if you are new to all this stuff.
更新:如何手动解决依赖关系(更多信息,请此处 )
Update: how to manually resolve dependencies (more info here)
修改Configure方法以使用IServiceProvider serviceProvider:
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
ILoggerFactory loggerFactory, IApplicationLifetime appLifetime,
IServiceProvider serviceProvider)
{
...
var httpContextAccessor = serviceProvider.GetService<IHttpContextAccessor>();
// and extend ConfigureAuth
ConfigureAuth(app, httpContextAccessor);
...
}
这篇关于ASP.NET Core JWT承载令牌自定义验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
