In the past, identity authentication on the web side was based on Cookie | Session authentication. Before more terminals appeared, there was no problem with this. But in the Web API era, you have to face more than There are browsers and various clients, so there is a problem. These clients don't know what cookies are. (Cookies are actually little tricks made by browsers to maintain sessions, but HTTP itself is stateless, and all various clients can provide is nothing more than APIs for HTTP operations)
Based on Token The identity authentication was born in response to this change. It is more open and has higher security.
There are many ways to implement Token-based identity authentication, but we only use the API provided by Microsoft here.
The following example will lead you to complete an identity authentication based on beare token using Microsoft JwtSecurityTokenHandler.
Note: This kind of article is a step by step tutorial. Follow it to avoid getting dizzy. It is meaningful to download the complete code and analyze the code structure.
Create project
Create a new project in VS, select ASP.NET Core Web Application (.NET Core) as the project type, and enter the project name as CSTokenBaseAuth
Coding
Create some auxiliary classes
Create a folder Auth in the project root directory, and add two files RSAKeyHelper.cs and TokenAuthOption.cs
In RSAKeyHelper.cs
using System.Security.Cryptography;
namespace CSTokenBaseAuth.Auth
{
public class RSAKeyHelper
{
public static RSAParameters GenerateKey()
{
using (var key = new RSACryptoServiceProvider(2048))
{
return key.ExportParameters(true);
}
}
}
}Copy after login
+
In TokenAuthOption.cs
using System;
using Microsoft.IdentityModel.Tokens;
namespace CSTokenBaseAuth.Auth
{
public class TokenAuthOption
{
public static string Audience { get; } = "ExampleAudience";
public static string Issuer { get; } = "ExampleIssuer";
public static RsaSecurityKey Key { get; } = new RsaSecurityKey(RSAKeyHelper.GenerateKey());
public static SigningCredentials SigningCredentials { get; } = new SigningCredentials(Key, SecurityAlgorithms.RsaSha256Signature);
public static TimeSpan ExpiresSpan { get; } = TimeSpan.FromMinutes(20);
}
}Copy after login
Startup.cs
Add the following code in ConfigureServices :
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().Build());
});Copy after login
The complete code should be like this
public void ConfigureServices(IServiceCollection services)
{
// Add framework services.
services.AddApplicationInsightsTelemetry(Configuration);
// Enable the use of an [Authorize("Bearer")] attribute on methods and classes to protect.
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().Build());
});
services.AddMvc();
}Copy after login
Add the following code in the Configure method
app.UseExceptionHandler(appBuilder => {
appBuilder.Use(async (context, next) => {
var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature;
//when authorization has failed, should retrun a json message to client
if (error != null && error.Error is SecurityTokenExpiredException)
{
context.Response.StatusCode = 401;
context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(
new { authenticated = false, tokenExpired = true }
));
}
//when orther error, retrun a error message json to client
else if (error != null && error.Error != null)
{
context.Response.StatusCode = 500;
context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(
new { success = false, error = error.Error.Message }
));
}
//when no error, do next.
else await next();
});
});Copy after login
This code is mainly used for Handle Error. For example, an exception will be thrown when identity authentication fails, and this exception is handled here.
Next add the following code in the same method,
app.UseExceptionHandler(appBuilder => {
appBuilder.Use(async (context, next) => {
var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature;
//when authorization has failed, should retrun a json message to client
if (error != null && error.Error is SecurityTokenExpiredException)
{
context.Response.StatusCode = 401;
context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(
new { authenticated = false, tokenExpired = true }
));
}
//when orther error, retrun a error message json to client
else if (error != null && error.Error != null)
{
context.Response.StatusCode = 500;
context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(
new { success = false, error = error.Error.Message }
));
}
//when no error, do next.
else await next();
});
});Copy after login
Apply JwtBearerAuthentication
app.UseJwtBearerAuthentication(new JwtBearerOptions {
TokenValidationParameters = new TokenValidationParameters {
IssuerSigningKey = TokenAuthOption.Key,
ValidAudience = TokenAuthOption.Audience,
ValidIssuer = TokenAuthOption.Issuer,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(0)
}
});Copy after login
The complete code should be like this
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using CSTokenBaseAuth.Auth;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.IdentityModel.Tokens;
using Microsoft.AspNetCore.Http;
using Newtonsoft.Json;
namespace CSTokenBaseAuth
{
public class Startup
{
public Startup(IHostingEnvironment env)
{
var builder = new ConfigurationBuilder()
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);
if (env.IsEnvironment("Development"))
{
// This will push telemetry data through Application Insights pipeline faster, allowing you to view results immediately.
builder.AddApplicationInsightsSettings(developerMode: true);
}
builder.AddEnvironmentVariables();
Configuration = builder.Build();
}
public IConfigurationRoot Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container
public void ConfigureServices(IServiceCollection services)
{
// Add framework services.
services.AddApplicationInsightsTelemetry(Configuration);
// Enable the use of an [Authorize("Bearer")] attribute on methods and classes to protect.
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().Build());
});
services.AddMvc();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseApplicationInsightsRequestTelemetry();
app.UseApplicationInsightsExceptionTelemetry();
#region Handle Exception
app.UseExceptionHandler(appBuilder => {
appBuilder.Use(async (context, next) => {
var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature;
//when authorization has failed, should retrun a json message to client
if (error != null && error.Error is SecurityTokenExpiredException)
{
context.Response.StatusCode = 401;
context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(
new { authenticated = false, tokenExpired = true }
));
}
//when orther error, retrun a error message json to client
else if (error != null && error.Error != null)
{
context.Response.StatusCode = 500;
context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(
new { success = false, error = error.Error.Message }
));
}
//when no error, do next.
else await next();
});
});
#endregion
#region UseJwtBearerAuthentication
app.UseJwtBearerAuthentication(new JwtBearerOptions {
TokenValidationParameters = new TokenValidationParameters {
IssuerSigningKey = TokenAuthOption.Key,
ValidAudience = TokenAuthOption.Audience,
ValidIssuer = TokenAuthOption.Issuer,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(0)
}
});
#endregion
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Login}/{action=Index}");
});
}
}
}Copy after login
Create a new Web API Controller Class in Controllers and name it TokenAuthController.cs. We will complete the login authorization here
Add two classes under the same file, which are used to simulate the user model and user storage. The code should be like this
public class User
{
public Guid ID { get; set; }
public string Username { get; set; }
public string Password { get; set; }
}
public static class UserStorage
{
public static List<User> Users { get; set; } = new List<User> {
new User {ID=Guid.NewGuid(),Username="user1",Password = "user1psd" },
new User {ID=Guid.NewGuid(),Username="user2",Password = "user2psd" },
new User {ID=Guid.NewGuid(),Username="user3",Password = "user3psd" }
};
}Copy after login
Next, add the following method in TokenAuthController.cs
private string GenerateToken(User user, DateTime expires)
{
var handler = new JwtSecurityTokenHandler();
ClaimsIdentity identity = new ClaimsIdentity(
new GenericIdentity(user.Username, "TokenAuth"),
new[] {
new Claim("ID", user.ID.ToString())
}
);
var securityToken = handler.CreateToken(new SecurityTokenDescriptor
{
Issuer = TokenAuthOption.Issuer,
Audience = TokenAuthOption.Audience,
SigningCredentials = TokenAuthOption.SigningCredentials,
Subject = identity,
Expires = expires
});
return handler.WriteToken(securityToken);
}Copy after login
This method only generates an Auth Token. Next, we will add another method. To call it
Add the following code in the same file
[HttpPost]
public string GetAuthToken(User user)
{
var existUser = UserStorage.Users.FirstOrDefault(u => u.Username == user.Username && u.Password == user.Password);
if (existUser != null)
{
var requestAt = DateTime.Now;
var expiresIn = requestAt + TokenAuthOption.ExpiresSpan;
var token = GenerateToken(existUser, expiresIn);
return JsonConvert.SerializeObject(new {
stateCode = 1,
requertAt = requestAt,
expiresIn = TokenAuthOption.ExpiresSpan.TotalSeconds,
accessToken = token
});
}
else
{
return JsonConvert.SerializeObject(new { stateCode = -1, errors = "Username or password is invalid" });
}
}Copy after login
The complete code of the file should be like this
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.IdentityModel.Tokens;
using CSTokenBaseAuth.Auth;
namespace CSTokenBaseAuth.Controllers
{
[Route("api/[controller]")]
public class TokenAuthController : Controller
{
[HttpPost]
public string GetAuthToken(User user)
{
var existUser = UserStorage.Users.FirstOrDefault(u => u.Username == user.Username && u.Password == user.Password);
if (existUser != null)
{
var requestAt = DateTime.Now;
var expiresIn = requestAt + TokenAuthOption.ExpiresSpan;
var token = GenerateToken(existUser, expiresIn);
return JsonConvert.SerializeObject(new {
stateCode = 1,
requertAt = requestAt,
expiresIn = TokenAuthOption.ExpiresSpan.TotalSeconds,
accessToken = token
});
}
else
{
return JsonConvert.SerializeObject(new { stateCode = -1, errors = "Username or password is invalid" });
}
}
private string GenerateToken(User user, DateTime expires)
{
var handler = new JwtSecurityTokenHandler();
ClaimsIdentity identity = new ClaimsIdentity(
new GenericIdentity(user.Username, "TokenAuth"),
new[] {
new Claim("ID", user.ID.ToString())
}
);
var securityToken = handler.CreateToken(new SecurityTokenDescriptor
{
Issuer = TokenAuthOption.Issuer,
Audience = TokenAuthOption.Audience,
SigningCredentials = TokenAuthOption.SigningCredentials,
Subject = identity,
Expires = expires
});
return handler.WriteToken(securityToken);
}
}
public class User
{
public Guid ID { get; set; }
public string Username { get; set; }
public string Password { get; set; }
}
public static class UserStorage
{
public static List<User> Users { get; set; } = new List<User> {
new User {ID=Guid.NewGuid(),Username="user1",Password = "user1psd" },
new User {ID=Guid.NewGuid(),Username="user2",Password = "user2psd" },
new User {ID=Guid.NewGuid(),Username="user3",Password = "user3psd" }
};
}
}Copy after login
Next we will complete the authorization verification part
Create a new Web API Controller Class in Controllers and name it ValuesController.cs
Add the following code in it
public string Get()
{
var claimsIdentity = User.Identity as ClaimsIdentity;
var id = claimsIdentity.Claims.FirstOrDefault(c => c.Type == "ID").Value;
return $"Hello! {HttpContext.User.Identity.Name}, your ID is:{id}";
}Copy after login
Add decorative attributes to the method
[HttpGet]
[Authorize("Bearer")]
完整的文件代码应该是这样
using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Authorization;
using System.Security.Claims;
namespace CSTokenBaseAuth.Controllers
{
[Route("api/[controller]")]
public class ValuesController : Controller
{
[HttpGet]
[Authorize("Bearer")]
public string Get()
{
var claimsIdentity = User.Identity as ClaimsIdentity;
var id = claimsIdentity.Claims.FirstOrDefault(c => c.Type == "ID").Value;
return $"Hello! {HttpContext.User.Identity.Name}, your ID is:{id}";
}
}
}Copy after login
Finally let us add the view
Create a new Web Controller Class in Controllers and name it LoginController.cs
The code should be like this
using Microsoft.AspNetCore.Mvc;
namespace CSTokenBaseAuth.Controllers
{
[Route("[controller]/[action]")]
public class LoginController : Controller
{
public IActionResult Index()
{
return View();
}
}
}Copy after login
In the project Views directory Create a new directory named Login and create a new Index.cshtml file in it.
The code should look like this
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</head>
<body>
<button id="getToken">getToken</button>
<button id="requestAPI">requestAPI</button>
<script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
<script>
$(function () {
var accessToken = undefined;
$("#getToken").click(function () {
$.post(
"/api/TokenAuth",
{ Username: "user1", Password: "user1psd" },
function (data) {
console.log(data);
if (data.stateCode == 1)
{
accessToken = data.accessToken;
$.ajaxSetup({
headers: { "Authorization": "Bearer " + accessToken }
});
}
},
"json"
);
})
$("#requestAPI").click(function () {
$.get("/api/Values", {}, function (data) {
alert(data);
}, "text");
})
})
</script>
</body>
</html>Copy after login
The above is the entire content of this article. I hope it will be helpful to everyone's study, and I hope you can support me a lot. php Chinese website.
For more related articles on implementing a Token base identity authentication example in ASP.NET Core, please pay attention to the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
