Traditional authentication and authorization rely mainly on cookies and sessions. The HTTP protocol itself is stateless, however, which means a first request and a second request are nearly indistinguishable. This statelessness causes several problems, especially in multi-server cluster environments, where a session cannot be passed around and shared effectively.
Take a shop as an example: a customer's repeated purchases are not necessarily tied to that customer's earlier purchases. To avoid storing large amounts of customer information, the shop simply ignores the customer's state; that is the essence of stateless authentication.
Nevertheless, to increase revenue, the shop may design mechanisms that encourage customers to keep buying, such as issuing a magnetic card or a unique number that records the customer's purchase history. That is essentially what cookies and sessions do.
JWT (JSON Web Token) is a compact, secure open standard for passing claims between parties in a distributed system. It is particularly suited to single sign-on (SSO) scenarios, where it carries the user's identity between resource servers.
The main characteristics of JWT include:
Token-based authentication resembles the HTTP protocol in that no user authentication state is kept on the server. The advantage of this mechanism is high scalability, which makes it well suited to multi-server cluster environments.
The token-based authentication flow is as follows:
A JWT consists of the following parts:
The server signs the token with its private key, and the client can verify the token's signature with the public key. The private key must be kept strictly secret: if it leaks, tokens can be forged.
In practice, the JWT settings are usually kept in a configuration file (appsettings.json in the sample below), for example the following. Note that an HS256 signing key must be at least 128 bits (16 bytes) long or Microsoft.IdentityModel refuses to sign with it, so the placeholder value below needs to be replaced with a longer random secret:
```json
{
  "SecurityKey": "your-secure-key",
  "Issuer": "YourJWTIssuer",
  "Audience": "YourAudience",
  "ExpirationTime": "5分钟"
}
```
The following code implements JWT authorization:
```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

[Route("api")]
[ApiController]
public class AuthenticationController : ControllerBase
{
    // ILogger<T> is what the DI container registers; the non-generic ILogger is not resolvable.
    private readonly ILogger<AuthenticationController> _logger;
    private readonly IJWTService _iJWTService;
    private readonly IConfiguration _iConfiguration;

    public AuthenticationController(
        ILogger<AuthenticationController> logger,
        IConfiguration configuration,
        IJWTService service)
    {
        _logger = logger;
        _iConfiguration = configuration;
        _iJWTService = service;
    }

    // Anonymous endpoint used to confirm the API is reachable.
    [Route("Get")]
    [HttpGet]
    public IEnumerable<int> Get()
    {
        return new List<int> { 1, 2, 3, 4, 6, 7 };
    }

    // Issues a token for a hard-coded demo user; the sample takes the credentials
    // as query-string parameters on a GET request.
    [Route("Login")]
    [HttpGet]
    public string Login(string name, string password)
    {
        if ("Richard".Equals(name) && "123456".Equals(password))
        {
            string token = _iJWTService.GetToken(name);
            return JsonConvert.SerializeObject(new { result = true, token });
        }
        return JsonConvert.SerializeObject(new { result = false, token = "" });
    }
}
```
```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

public interface IJWTService
{
    string GetToken(string UserName);
}

public class JWTService : IJWTService
{
    private readonly IConfiguration _configuration;

    public JWTService(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public string GetToken(string UserName)
    {
        var claims = new Claim[]
        {
            new Claim(ClaimTypes.Name, UserName),
            new Claim("NickName", "Richard"),
            new Claim("Role", "Administrator"),
            new Claim("abc", "abccc")
        };

        // HS256 is symmetric: the validating side must be configured with this same key.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["SecurityKey"]));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        // JwtSecurityToken exposes Issuer, Audience and Claims as read-only properties,
        // so they are passed through the constructor rather than an object initializer.
        var token = new JwtSecurityToken(
            issuer: _configuration["Issuer"],
            audience: _configuration["Audience"],
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);

        var tokenHandler = new JwtSecurityTokenHandler();
        return tokenHandler.WriteToken(token);
    }
}
```
Add the authentication service configuration in Startup.cs:
```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _configuration;

    // The host already loads appsettings.json; take IConfiguration from DI
    // instead of building a second ConfigurationBuilder here.
    public Startup(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        var validAudience = _configuration["Audience"];
        var validIssuer = _configuration["Issuer"];
        var securityKey = _configuration["SecurityKey"];

        services.AddControllers();
        // Registration the controllers depend on; the original sample omits it.
        services.AddScoped<IJWTService, JWTService>();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,       // rejects expired tokens (default ClockSkew is 5 minutes)
                    ValidateIssuerSigningKey = true,
                    ValidAudience = validAudience,
                    ValidIssuer = validIssuer,
                    // Must be the same key JWTService signs with (HS256 is symmetric).
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey))
                };
            });
    }
}
```
Add the middleware in the Configure method:
```csharp
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseRouting();
    app.UseAuthentication(); // populates HttpContext.User from the bearer token
    app.UseAuthorization();  // enforces [Authorize] on the matched endpoint
    app.UseEndpoints(endpoints => endpoints.MapControllers());
}
```
```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]
[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
    [HttpGet("GetAuthorizeData")]
    public IActionResult GetAuthorizeData()
    {
        // The bearer middleware has already validated the token and populated User.
        // JWTService issued the name under ClaimTypes.Name (the handler maps it to and
        // from "unique_name"), so looking up the literal type "Name" would return null.
        var name = User.FindFirst(ClaimTypes.Name)?.Value;
        Console.WriteLine($"this is Name {name}");
        return new JsonResult(new { Data = "已授权", Type = "GetAuthorizeData" });
    }
}
```
With the configuration above, JWT-based authentication and authorization is in place, suitable for identity verification in distributed systems.
Reposted from: http://okwl.baihongyu.com/