笔记:在.Net Core Web Api里使用JWT

首先,先建一个JWT配置类


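/// <summary>
/// Settings bound from the "JwtTokenOption" configuration section and used when
/// validating incoming JWTs. The side that issues tokens must use matching
/// Issuer / Audience values and the same key pair.
/// </summary>
public class JwtTokenOption
{
    /// <summary>
    /// Token lifetime in minutes (per the original note); defaults to 60.
    /// Not read by the validation wiring shown below.
    /// </summary>
    public int TokenExpireTime { get; set; } = 60;

    /// <summary>
    /// Expected audience (<c>aud</c>) claim; compared against incoming tokens
    /// when <c>ValidateAudience</c> is enabled.
    /// </summary>
    public string? Audience { get; set; }

    /// <summary>
    /// Base64-encoded RSA private key, consumed by <c>RSA.ImportRSAPrivateKey</c>.
    /// This is a secret: keep it out of committed appsettings files (user secrets,
    /// environment variables or a key vault), and give the private half only to the
    /// process that signs tokens — verification needs just the public key.
    /// </summary>
    public string? SecurityKey { get; set; }

    /// <summary>
    /// Expected issuer (<c>iss</c>) claim; compared against incoming tokens
    /// when <c>ValidateIssuer</c> is enabled.
    /// </summary>
    public string? Issuer { get; set; }
}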

在appsettings.json里面配置 JWT详细信息,一会在program.cs里要把这个配置读取到JwtTokenOption配置类对象上

  "JwtTokenOption": {
    "TokenExpireTime": 60000,
    "Audience": "cy",
    "Issuer": "cy",
    "SecurityKey": "" //密钥自己生成
  }

读取

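// Read the "JwtTokenOption" section from appsettings.
var jwtOption = builder.Configuration.GetSection("JwtTokenOption");
// Register it as IOptions<JwtTokenOption> for DI consumers.
builder.Services.Configure<JwtTokenOption>(jwtOption);
// Bind it once for use while configuring authentication below; fail at startup with a
// clear message if the section is missing, instead of a NullReferenceException later.
JwtTokenOption jwtTokenOption = jwtOption.Get<JwtTokenOption>()
    ?? throw new InvalidOperationException("Configuration section 'JwtTokenOption' is missing.");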

配置(使用上述配置类对象)

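// Register JWT bearer authentication as the default scheme.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(p =>
    {
        // Fail at startup with a clear message instead of an ArgumentNullException
        // from Convert.FromBase64String when SecurityKey is absent or empty.
        if (string.IsNullOrWhiteSpace(jwtTokenOption.SecurityKey))
        {
            throw new InvalidOperationException("JwtTokenOption:SecurityKey is not configured.");
        }

        // NOTE(review): signature verification needs only the public half of the key pair.
        // Importing the private key here means every instance that validates tokens also
        // holds the material to mint them; unless this process is the token issuer, store the
        // public key and import it with RSA.ImportRSAPublicKey instead.
        // The RSA instance is deliberately not disposed: RsaSecurityKey uses it for the
        // lifetime of the application.
        var rsa = RSA.Create();
        rsa.ImportRSAPrivateKey(Convert.FromBase64String(jwtTokenOption.SecurityKey), out _);
        SecurityKey securityKey = new RsaSecurityKey(rsa);

        // Rules an incoming token must satisfy.
        p.TokenValidationParameters = new TokenValidationParameters
        {
            // Pinning the algorithm rejects tokens signed with anything other than RS256,
            // which closes the usual algorithm-confusion attack.
            ValidAlgorithms = new[] { "RS256" },
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            // No tolerance on exp/nbf: issuer and this service must have synchronised clocks.
            ClockSkew = TimeSpan.Zero,
            ValidateIssuerSigningKey = true,
            // Must match the values the issuer puts into the token.
            ValidAudience = jwtTokenOption.Audience,
            ValidIssuer = jwtTokenOption.Issuer,
            IssuerSigningKey = securityKey,
        };

        p.Events = new JwtBearerEvents
        {
            // Also accept the token from the "access_token" query parameter. The original
            // read Request.Path here but never checked it, so this applies to every
            // endpoint. Tokens in URLs end up in server logs, proxies and browser history;
            // presumably this exists for one endpoint that cannot send an Authorization
            // header (TODO confirm which) and should be limited to that path.
            OnMessageReceived = context =>
            {
                var queryToken = context.Request.Query["access_token"].ToString();
                if (!string.IsNullOrWhiteSpace(queryToken))
                {
                    context.Token = queryToken;
                }

                return Task.CompletedTask;
            }
        };
    });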

配置授权

// Authorization policies. Each policy is satisfied by a "RoleName" claim whose value is
// one of the listed role names, so the token issuer must emit that claim.
builder.Services.AddAuthorization(options =>
{
    const string roleClaim = "RoleName";

    // Single-role policies: the policy name doubles as the required claim value
    // (administrator, seller administrator, ordinary travel user).
    string[] singleRolePolicies =
    {
        AuthorizeRoleName.Administrator,
        AuthorizeRoleName.SellerAdministrator,
        AuthorizeRoleName.TravelUser,
    };
    foreach (var role in singleRolePolicies)
    {
        options.AddPolicy(role, policy => policy.RequireClaim(roleClaim, role));
    }

    // Either an administrator or a seller administrator may pass this one.
    options.AddPolicy(
        AuthorizeRoleName.AdminOrSeller,
        policy => policy.RequireClaim(roleClaim, AuthorizeRoleName.SellerAdministrator, AuthorizeRoleName.Administrator));
});
AddAuthentication//认证
AddAuthorization//授权

顺序不能乱,先认证再授权
