1,在asp.net mvc 中常用的是 Cooke+Session 或者 form 認證(實際也是Cooke)的方式,當然都是mvc中在 webapi中也是可以使用的,那麼上面的兩種方式這裏就不多寫了,後面有時間寫,今天最主要是 JWT的認證方式
2,簡單說明一下,JWT是什麼。JWT 全稱 JSON Web Tokens ,是一種規範化的 token。是對 token 這一技術提出一套規範,其它細節,查資料就可。
3,使用,.NET裏面可以使用JWT來生成Token以及解密Token。我們打開Nuget,搜索JWT 安裝。
4,既然是根據同koken去獲取權限,那麼第一個就是去獲取token
private string secret = "zhonlong"; //這個密鑰以一般用加密過的
public string Get()
{
IDateTimeProvider provider = new UtcDateTimeProvider();
var now = provider.GetNow();
var unixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); // or use JwtValidator.UnixEpoch
var secondsSinceEpoch = Math.Round((now - unixEpoch).TotalSeconds);
var payload = new Dictionary<string, object>
{
{"name", "MrBug" },
{"exp",secondsSinceEpoch+1000 }, // 1000 秒過期時間,必須大於簽發時間
{"jti","luozhipeng" }
};
Console.WriteLine(secondsSinceEpoch);
IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
IJsonSerializer serializer = new JsonNetSerializer();
IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder);
var token = encoder.Encode(payload, secret);
return token;
}
5,那麼下次訪問服務端的時候,獲取到了token之後驗證一下
//解密token
public string DecodeToken()
{
try
{
IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
IJsonSerializer serializer = new JsonNetSerializer();
IDateTimeProvider provider = new UtcDateTimeProvider();
IJwtValidator validator = new JwtValidator(serializer, provider);
IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
var json = decoder.Decode("密鑰", secret, verify: true);//token爲之前生成的字符串
}
catch (TokenExpiredException)
{
Console.WriteLine("Token has expired"); //過期
}
catch (SignatureVerificationException)
{
Console.WriteLine("Token has invalid signature"); //簽名沒有驗證
}
return "value"; // 根據你的json 裏面解析出數據,然後去驗證一下數據(當然這一步放到了驗證中)
}
6,最後別忘記了加上驗證
public class TokenAuthAttribute : AuthorizeAttribute
{
//重寫基類的驗證方式,加入我們自定義的Ticket驗證
public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
{
//url獲取token
var content = actionContext.Request.Properties["MS_HttpContext"] as HttpContextBase;
var token = content.Request.Headers["Token"]; //自己加入在頭部的名稱
if (!string.IsNullOrEmpty(token))
{
//解密用戶ticket,並校驗用戶名密碼是否匹配
if (ValidateTicket(token))
{
base.IsAuthorized(actionContext);
}
else
{
HandleUnauthorizedRequest(actionContext);
}
}
//如果取不到身份驗證信息,並且不允許匿名訪問,則返回未驗證401
else
{
var attributes = actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().OfType<AllowAnonymousAttribute>();
bool isAnonymous = attributes.Any(a => a is AllowAnonymousAttribute);
if (isAnonymous) base.OnAuthorization(actionContext);
else HandleUnauthorizedRequest(actionContext);
}
}
//校驗票據(數據庫數據匹配)
private bool ValidateTicket(string encryptToken)
{
//正常這裏是用的token 來驗證的
bool flag = false;
try
{
//獲取數據庫Token
if ("jiaxiel" == encryptToken) //存在
{
//未超時
flag = true;
}
}
catch (Exception ex)
{
}
return flag;
}
}
到此基本的驗證授權都給上了,還需要優化!
下載地址:https://download.csdn.net/download/weixin_42780928/12264868