ASP.NET Core中基于令牌的身份验证

 

我正在使用ASP.NET Core应用程序。 我试图实现基于令牌的身份验证,但无法弄清楚如何为我的情况使用新的安全系统。 我经历了一些例子,但他们并没有多大帮助,他们使用cookie身份验证或外部身份验证(GitHub,Microsoft,Twitter)。

我的场景是什么:angularjs应用程序应该请求/token url传递用户名和密码。 WebApi应授权用户并返回将在以下请求中由angularjs应用程序使用的access_token

我发现了一篇关于在当前版本的ASP.NET中使用ASP.NET Web API 2,Owin和Identity来实现我需要的精彩文章 - 基于令牌的身份验证。 但对于我如何在ASP.NET Core中做同样的事情并不明显。

我的问题是:如何配置ASP.NET Core WebApi应用程序以使用基于令牌的身份验证?

更新.Net Core 2:

此答案的以前版本使用RSA; 如果您生成令牌的相同代码也正在验证令牌,那么确实没有必要。 但是,如果您要分配责任,则可能仍希望使用Microsoft.IdentityModel.Tokens.RsaSecurityKey实例执行此操作。

  • 创建一些稍后我们将使用的常量; 这是我所做的: 

    const string TokenAudience = "Myself";
const string TokenIssuer = "MyProject";

  • 将其添加到您的Startup.cs的ConfigureServices 。 稍后我们将使用依赖注入来访问这些设置。 我假设你的authenticationConfiguration是一个ConfigurationSectionConfiguration对象,这样你就可以拥有一个不同的调试和生产配置。 确保您安全地存放您的钥匙! 它可以是任何字符串。 

    var keySecret = authenticationConfiguration["JwtSigningKey"];
var symmetricKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(keySecret));

services.AddTransient(_ => new JwtSignInHandler(symmetricKey));

services.AddAuthentication(options =>
{
    // This causes the default authentication scheme to be JWT.
    // Without this, the Authorization header is not checked and
    // you'll get no results. However, this also means that if
    // you're already using cookies in your app, they won't be 
    // checked by default.
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
})
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters.ValidateIssuerSigningKey = true;
        options.TokenValidationParameters.IssuerSigningKey = symmetricKey;
        options.TokenValidationParameters.ValidAudience = JwtSignInHandler.TokenAudience;
        options.TokenValidationParameters.ValidIssuer = JwtSignInHandler.TokenIssuer;
    });

    我见过其他答案改变其他设置,如ClockSkew ; 默认设置是这样的,它应该适用于时钟不完全同步的分布式环境。 这些是您需要更改的唯一设置。

  • 设置身份验证。 在任何需要User信息的中间件之前,你应该有这条​​线,比如app.UseMvc()

    app.UseAuthentication();

    请注意,这不会导致您的令牌与SignInManager或其他任何内容一起发出。 您需要提供自己的输出JWT的机制 - 请参阅下文。

  • 你可能想指定一个AuthorizationPolicy 。 这将允许您使用[Authorize("Bearer")]指定仅允许承载令牌作为认证的控制器和操作。 

    services.AddAuthorization(auth =>
{
    auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
        .AddAuthenticationTypes(JwtBearerDefaults.AuthenticationType)
        .RequireAuthenticatedUser().Build());
});

  • 棘手的部分来了:构建令牌。 

    class JwtSignInHandler
{
    public const string TokenAudience = "Myself";
    public const string TokenIssuer = "MyProject";
    private readonly SymmetricSecurityKey key;

    public JwtSignInHandler(SymmetricSecurityKey symmetricKey)
    {
        this.key = symmetricKey;
    }

    public string BuildJwt(ClaimsPrincipal principal)
    {
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer: TokenIssuer,
            audience: TokenAudience,
            claims: principal.Claims,
            expires: DateTime.Now.AddMinutes(20),
            signingCredentials: creds
        );

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

    然后,在你想要令牌的控制器中,如下所示: 

    [HttpPost]
public string AnonymousSignIn([FromServices] JwtSignInHandler tokenFactory)
{
    var principal = new System.Security.Claims.ClaimsPrincipal(new[]
    {
        new System.Security.Claims.ClaimsIdentity(new[]
        {
            new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Name, "Demo User")
        })
    });
    return tokenFactory.BuildJwt(principal);
}

    在这里,我假设你已经有了委托人。 如果您使用Identity,则可以使用IUserClaimsPrincipalFactory<>User转换为ClaimsPrincipal

  • 测试它 :获取一个令牌,将其放入jwt.io的窗体中。 我上面提供的说明还允许您使用配置中的秘密来验证签名!

  • 如果您在HTML网页中以局部视图呈现此视图,并结合使用.Net 4.5中的仅带有承载的身份验证,则现在可以使用ViewComponent来执行相同操作。 它大部分与上面的Controller Action代码相同。

    • 从Matt Dekrey的神话般的答案开始,我创建了一个基于令牌的身份验证的完整工作示例,针对ASP.NET Core(1.0.1)进行了工作。 您可以在GitHub(1.0.0-rc1,beta8,beta7的其他分支)上找到完整的代码,但简而言之,重要的步骤是:

    为您的应用程序生成密钥

    在我的示例中,每次应用程序启动时都会生成一个随机密钥,您需要生成一个并将其存储在某处并将其提供给您的应用程序。 查看这个文件,了解我如何生成随机密钥以及如何从.json文件导入它。 正如@kspearrin的评论中所建议的那样,Data Protection API似乎是“正确”管理密钥的理想人选,但我还没有制定出如果可能的话。 如果你解决了问题,请提交一个拉取请求!

    Startup.cs - ConfigureServices

    在这里,我们需要加载一个用于我们的令牌签名的私钥,我们还将在验证令牌时使用它来验证令牌。 我们将密钥存储在类级变量key ,我们将在下面的配置方法中重用该key 。 TokenAuthOptions是一个简单的类,它持有我们在TokenController中创建密钥所需的签名身份,受众和签发者。 

    // Replace this with some sort of loading from config / file.
RSAParameters keyParams = RSAKeyUtils.GetRandomKey();

// Create the key, and a set of token options to record signing credentials 
// using that key, along with the other parameters we will need in the 
// token controlller.
key = new RsaSecurityKey(keyParams);
tokenOptions = new TokenAuthOptions()
{
    Audience = TokenAudience,
    Issuer = TokenIssuer,
    SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.Sha256Digest)
};

// Save the token options into an instance so they're accessible to the 
// controller.
services.AddSingleton<TokenAuthOptions>(tokenOptions);

// Enable the use of an [Authorize("Bearer")] attribute on methods and
// classes to protect.
services.AddAuthorization(auth =>
{
    auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
        .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme‌​)
        .RequireAuthenticatedUser().Build());
});

    我们还制定了授权政策,允许我们在我们希望保护的端点和类别上使用[Authorize("Bearer")]

    Startup.cs - 配置

    在这里,我们需要配置JwtBearerAuthentication: 

    app.UseJwtBearerAuthentication(new JwtBearerOptions {
    TokenValidationParameters = new TokenValidationParameters {
        IssuerSigningKey = key,
        ValidAudience = tokenOptions.Audience,
        ValidIssuer = tokenOptions.Issuer,

        // When receiving a token, check that it is still valid.
        ValidateLifetime = true,

        // This defines the maximum allowable clock skew - i.e.
        // provides a tolerance on the token expiry time 
        // when validating the lifetime. As we're creating the tokens 
        // locally and validating them on the same machines which 
        // should have synchronised time, this can be set to zero. 
        // Where external tokens are used, some leeway here could be 
        // useful.
        ClockSkew = TimeSpan.FromMinutes(0)
    }
});

    TokenController

    在令牌控制器中,您需要使用在Startup.cs中加载的密钥来生成签名密钥的方法。 我们在Startup中注册了一个TokenAuthOptions实例,所以我们需要在T​​okenController的构造函数中注入它: 

    [Route("api/[controller]")]
public class TokenController : Controller
{
    private readonly TokenAuthOptions tokenOptions;

    public TokenController(TokenAuthOptions tokenOptions)
    {
        this.tokenOptions = tokenOptions;
    }
...

    然后,您需要在您的处理程序中为登录端点生成令牌,在我的示例中,我使用用户名和密码并使用if语句验证这些令牌,但您需要做的关键是创建或加载声明为基础的身份并为此生成令牌: 

    public class AuthRequest
{
    public string username { get; set; }
    public string password { get; set; }
}

/// <summary>
/// Request a new token for a given username/password pair.
/// </summary>
/// <param name="req"></param>
/// <returns></returns>
[HttpPost]
public dynamic Post([FromBody] AuthRequest req)
{
    // Obviously, at this point you need to validate the username and password against whatever system you wish.
    if ((req.username == "TEST" && req.password == "TEST") || (req.username == "TEST2" && req.password == "TEST"))
    {
        DateTime? expires = DateTime.UtcNow.AddMinutes(2);
        var token = GetToken(req.username, expires);
        return new { authenticated = true, entityId = 1, token = token, tokenExpires = expires };
    }
    return new { authenticated = false };
}

private string GetToken(string user, DateTime? expires)
{
    var handler = new JwtSecurityTokenHandler();

    // Here, you should create or look up an identity for the user which is being authenticated.
    // For now, just creating a simple generic identity.
    ClaimsIdentity identity = new ClaimsIdentity(new GenericIdentity(user, "TokenAuth"), new[] { new Claim("EntityID", "1", ClaimValueTypes.Integer) });

    var securityToken = handler.CreateToken(new Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor() {
        Issuer = tokenOptions.Issuer,
        Audience = tokenOptions.Audience,
        SigningCredentials = tokenOptions.SigningCredentials,
        Subject = identity,
        Expires = expires
    });
    return handler.WriteToken(securityToken);
}

    这应该是。 只需将[Authorize("Bearer")]到您要保护的任何方法或类中,并且如果您尝试在没有令牌存在的情况下访问它,则应该会出现错误。 如果你想返回一个401而不是500的错误,你需要注册一个自定义的异常处理程序,就像我在这里的示例中那样。

    您可以查看OpenId连接示例,其中说明了如何处理不同的身份验证机制,包括JWT令牌:

    https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Samples

    如果您查看Cordova Backend项目,API的配置如下所示: 

               // Create a new branch where the registered middleware will be executed only for non API calls.
        app.UseWhen(context => !context.Request.Path.StartsWithSegments(new PathString("/api")), branch => {
            // Insert a new cookies middleware in the pipeline to store
            // the user identity returned by the external identity provider.
            branch.UseCookieAuthentication(new CookieAuthenticationOptions {
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
                AuthenticationScheme = "ServerCookie",
                CookieName = CookieAuthenticationDefaults.CookiePrefix + "ServerCookie",
                ExpireTimeSpan = TimeSpan.FromMinutes(5),
                LoginPath = new PathString("/signin"),
                LogoutPath = new PathString("/signout")
            });

            branch.UseGoogleAuthentication(new GoogleOptions {
                ClientId = "560027070069-37ldt4kfuohhu3m495hk2j4pjp92d382.apps.googleusercontent.com",
                ClientSecret = "n2Q-GEw9RQjzcRbU3qhfTj8f"
            });

            branch.UseTwitterAuthentication(new TwitterOptions {
                ConsumerKey = "6XaCTaLbMqfj6ww3zvZ5g",
                ConsumerSecret = "Il2eFzGIrYhz6BWjYhVXBPQSfZuS4xoHpSSyD9PI"
            });
        });

    /Providers/AuthorizationProvider.cs中的逻辑和该项目的RessourceController也值得看看;)。

    另外,你也可以使用下面的代码来验证令牌(也有一个代码片段可以用于signalR): 

            // Add a new middleware validating access tokens.
        app.UseOAuthValidation(options =>
        {
            // Automatic authentication must be enabled
            // for SignalR to receive the access token.
            options.AutomaticAuthenticate = true;

            options.Events = new OAuthValidationEvents
            {
                // Note: for SignalR connections, the default Authorization header does not work,
                // because the WebSockets JS API doesn't allow setting custom parameters.
                // To work around this limitation, the access token is retrieved from the query string.
                OnRetrieveToken = context =>
                {
                    // Note: when the token is missing from the query string,
                    // context.Token is null and the JWT bearer middleware will
                    // automatically try to retrieve it from the Authorization header.
                    context.Token = context.Request.Query["access_token"];

                    return Task.FromResult(0);
                }
            };
        });

    对于颁发令牌,您可以使用openId Connect服务器软件包,如下所示: 

            // Add a new middleware issuing access tokens.
        app.UseOpenIdConnectServer(options =>
        {
            options.Provider = new AuthenticationProvider();
            // Enable the authorization, logout, token and userinfo endpoints.
            //options.AuthorizationEndpointPath = "/connect/authorize";
            //options.LogoutEndpointPath = "/connect/logout";
            options.TokenEndpointPath = "/connect/token";
            //options.UserinfoEndpointPath = "/connect/userinfo";

            // Note: if you don't explicitly register a signing key, one is automatically generated and
            // persisted on the disk. If the key cannot be persisted, an exception is thrown.
            // 
            // On production, using a X.509 certificate stored in the machine store is recommended.
            // You can generate a self-signed certificate using Pluralsight's self-cert utility:
            // https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip
            // 
            // options.SigningCredentials.AddCertificate("7D2A741FE34CC2C7369237A5F2078988E17A6A75");
            // 
            // Alternatively, you can also store the certificate as an embedded .pfx resource
            // directly in this assembly or in a file published alongside this project:
            // 
            // options.SigningCredentials.AddCertificate(
            //     assembly: typeof(Startup).GetTypeInfo().Assembly,
            //     resource: "Nancy.Server.Certificate.pfx",
            //     password: "Owin.Security.OpenIdConnect.Server");

            // Note: see AuthorizationController.cs for more
            // information concerning ApplicationCanDisplayErrors.
            options.ApplicationCanDisplayErrors = true // in dev only ...;
            options.AllowInsecureHttp = true // in dev only...;
        });

    编辑:我已经实现了一个使用Aurelia前端框架和ASP.NET核心的基于令牌的认证实现的单页面应用程序。 还有一个信号R持续连接。 但是我没有做任何数据库实现。 代码可以在这里看到:https://github.com/alexandre-spieser/AureliaAspNetCoreAuth

    希望这可以帮助,

    最好,

    亚历克斯

    链接地址: http://www.djcxy.com/p/507.html

    上一篇: Token Based Authentication in ASP.NET Core

    下一篇: How to do authentication with a REST API right? (Browser + Native clients)