以下是一个使用 ASP.NET Core Web API(采用 Startup 类的宿主模型)进行 JWT Bearer 身份验证和授权的示例代码:
首先,需要在Startup.cs文件中进行配置:
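/// <summary>
/// Configures JWT bearer authentication and authorization for the Web API.
/// All settings come from the "Jwt" configuration section (Key, Issuer, Audience).
/// </summary>
public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    /// <summary>
    /// Registers JWT bearer authentication (as the default scheme), authorization and controllers.
    /// </summary>
    /// <exception cref="InvalidOperationException">
    /// Thrown at startup when "Jwt:Key", "Jwt:Issuer" or "Jwt:Audience" is missing, or when the
    /// key is shorter than 32 bytes (RFC 7518 §3.2 requires at least 256 bits for HS256).
    /// </exception>
    public void ConfigureServices(IServiceCollection services)
    {
        // Fail fast with a clear message. Without these checks a missing key surfaces as an
        // ArgumentNullException from GetBytes, and a missing issuer/audience makes every
        // token fail validation at request time with a far less obvious error.
        var rawKey = RequireSetting("Jwt:Key");
        var issuer = RequireSetting("Jwt:Issuer");
        var audience = RequireSetting("Jwt:Audience");

        var keyBytes = Encoding.UTF8.GetBytes(rawKey);
        if (keyBytes.Length < 32)
        {
            throw new InvalidOperationException(
                "Configuration value 'Jwt:Key' must be at least 32 bytes (256 bits) for HS256.");
        }

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = issuer,
                    ValidAudience = audience,
                    IssuerSigningKey = new SymmetricSecurityKey(keyBytes),
                    // Only accept the algorithm TokenController signs with; a token that
                    // declares any other "alg" is rejected before its signature is checked.
                    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
                    // ClockSkew is left at the library default (5 minutes); tighten it if
                    // the 30-minute token lifetime needs to be enforced more precisely.
                };
            });
        services.AddAuthorization();

        // Add other services here
        services.AddControllers();

        // Reads a required configuration value or throws a descriptive error.
        string RequireSetting(string name)
        {
            var value = Configuration[name];
            if (string.IsNullOrWhiteSpace(value))
            {
                throw new InvalidOperationException($"Configuration value '{name}' is missing.");
            }
            return value;
        }
    }

    /// <summary>
    /// Builds the request pipeline. Order matters: routing must run before the
    /// authentication/authorization middleware so that [Authorize] metadata on the
    /// matched endpoint is enforced, and both must run before UseEndpoints.
    /// </summary>
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Other configuration omitted (e.g. HTTPS redirection)
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}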
然后,您可以在控制器中使用 [Authorize] 特性来限制访问;未携带有效令牌的请求会被上面配置的 JwtBearer 中间件拒绝(返回 401):
/// <summary>
/// Sample protected endpoint. GET api/Home returns the string "Authenticated"
/// and is only reachable with a valid bearer token, enforced by [Authorize].
/// </summary>
[ApiController]
[Route("api/[controller]")]
public class HomeController : ControllerBase
{
    /// <summary>
    /// Responds 200 OK with the value "Authenticated" for an authenticated caller.
    /// </summary>
    [Authorize]
    [HttpGet]
    public IActionResult Get() => Ok("Authenticated");
}
最后,生成 JWT 令牌的代码示例(令牌的验证由上面 Startup 中配置的 JwtBearer 中间件完成,这里只负责签发):
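/// <summary>
/// Issues HS256-signed JWTs using the "Jwt" configuration section
/// (Key, Issuer, Audience) — the same values Startup validates against.
/// </summary>
/// <remarks>
/// Attribute routing is added so that MapControllers() in Startup actually
/// exposes this action (at POST api/Token), matching HomeController.
/// </remarks>
[Route("api/[controller]")]
[ApiController]
public class TokenController : ControllerBase
{
    private readonly IConfiguration _configuration;

    public TokenController(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    /// <summary>
    /// Creates a token for a fixed sample identity, valid for 30 minutes, and
    /// returns it as <c>{ "token": "..." }</c>.
    /// </summary>
    /// <remarks>
    /// SECURITY: as written this action performs no credential check and uses
    /// hard-coded claims — anyone who can reach it receives a valid token. In a
    /// real application verify the caller's credentials first and build the
    /// claims from the authenticated user.
    /// </remarks>
    /// <exception cref="InvalidOperationException">
    /// Thrown when "Jwt:Key" is missing or shorter than 32 bytes; HS256 requires a
    /// key of at least 256 bits (RFC 7518 §3.2).
    /// </exception>
    [HttpPost]
    public IActionResult CreateToken()
    {
        var rawKey = _configuration["Jwt:Key"];
        if (string.IsNullOrWhiteSpace(rawKey))
        {
            throw new InvalidOperationException("Configuration value 'Jwt:Key' is missing.");
        }
        var keyBytes = Encoding.UTF8.GetBytes(rawKey);
        if (keyBytes.Length < 32)
        {
            throw new InvalidOperationException(
                "Configuration value 'Jwt:Key' must be at least 32 bytes (256 bits) for HS256.");
        }

        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, "your_username"),
            new Claim(JwtRegisteredClaimNames.Email, "your_email"),
            // Unique token id, so individual tokens can be tracked or revoked.
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
        };

        var signingKey = new SymmetricSecurityKey(keyBytes);
        var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

        // "exp" is an epoch timestamp; derive it from UTC rather than server local time.
        var token = new JwtSecurityToken(
            issuer: _configuration["Jwt:Issuer"],
            audience: _configuration["Jwt:Audience"],
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(30),
            signingCredentials: credentials);

        return Ok(new
        {
            token = new JwtSecurityTokenHandler().WriteToken(token)
        });
    }
}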
需要在appsettings.json文件中添加以下配置。注意:Key 必须是随机生成的、至少 32 字节(256 位)的密钥,这是 HS256 的要求(RFC 7518 §3.2),示例中的占位符不满足该长度;生产环境不要把密钥提交到源码,应通过 user secrets、环境变量或密钥保管库提供:
"Jwt": {
"Key": "your_secret_key_here",
"Issuer": "your_issuer_here",
"Audience": "your_audience_here"
}
在上述示例中,[Authorize] 特性将保护 Get() 方法,只有经过身份验证的用户才能访问它。CreateToken() 方法用于生成包含用户声明的 JWT 令牌;请注意示例中的声明是硬编码的,并且该方法本身不校验任何凭据——任何能访问该端点的人都能拿到令牌,实际应用中必须先验证用户的凭据(如用户名/密码),再根据已认证的用户构造声明。
请注意,上述示例中的配置和代码是一个基本示例,实际应用中还需要更多的配置和安全措施,例如:签发令牌前验证凭据;使用随机生成、至少 256 位的签名密钥并妥善保管;只通过 HTTPS 传输令牌;根据需要收紧 TokenValidationParameters.ClockSkew(默认 5 分钟)并缩短令牌有效期。