在NET8中使用簡化的 AddJwtBearer 認證

i沒暱稱發表於2023-12-04

開發環境

系統版本： win10
.NET SDK: NET8
開發工具：vscode
參考引用：使用 dotnet user-jwts 管理開發中的 JSON Web 令牌
注意：以下示例中的埠、token等需替換成你的環境中的資訊

建立專案

執行以下命令來建立一個空的 Web 專案，並新增 Microsoft.AspNetCore.Authentication.JwtBearer NuGet 包：

dotnet new web -o MyJWT
cd MyJWT
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

將 Program.cs 的內容替換為以下程式碼(略微改動)：

using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthorization();
// 預設的Scheme是Bearer
// builder.Services.AddAuthentication("Bearer").AddJwtBearer();
builder.Services.AddAuthentication().AddJwtBearer();

var app = builder.Build();

app.UseAuthorization();

app.MapGet("/", () => "Hello, World!");
app.MapGet("/secret", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}. My secret")
    .RequireAuthorization();

app.Run();

執行專案並訪問介面返回以下內容

PS D:\Learn\MyJWT> curl.exe -i http:///localhost:5276
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Date: Mon, 04 Dec 2023 00:43:03 GMT    
Server: Kestrel
Transfer-Encoding: chunked

Hello, World!

建立 JWT

PS D:\Learn\MyJWT> dotnet user-jwts create
New JWT saved with ID 'c28b968'.
Name: Lingpeng

Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IkxpbmdwZW5nIiwic3ViIjoiTGluZ3BlbmciLCJqdGkiOiJjMjhiOTY4IiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6Mjk3NTQiLCJodHRwczovL2xvY2FsaG9zdDo0NDM2MCIsImh0dHA6Ly9sb2NhbGhvc3Q6NTI3NiIsImh0dHBzOi8vbG9jYWxob3N0OjcyNTMiXSwibmJmIjoxNzAxNjQ5Nzk2LCJleHAiOjE3MDk1MTIxOTYsImlhdCI6MTcwMTY0OTc5NiwiaXNzIjoiZG90bmV0LXVzZXItand0cyJ9.l52s9_7oNjIKL96TysgdE0k970fUS9FoLTu2xRs-IPo

這個命令做了3件事：

更新專案的 appsettings.Development.json，新增了Authentication節點
更新專案的 MyJWT.csproj，新增了UserSecretsId 配置
建立了機密檔案 %APPDATA%\Microsoft\UserSecrets\<secrets_GUID>\user-jwts.json與%APPDATA%\Microsoft\UserSecrets\<secrets_GUID>\secrets.json，機密管理參考

我們看下這兩個機密檔案
user-jwts.json

{
    "c28b968": {
        "Id": "c28b968",
        "Scheme": "Bearer",
        "Name": "Lingpeng",
        "Audience": "http://localhost:29754, https://localhost:44360, http://localhost:5276, https://localhost:7253",
        "NotBefore": "2023-12-04T00:29:56+00:00",
        "Expires": "2024-03-04T00:29:56+00:00",
        "Issued": "2023-12-04T00:29:56+00:00",
        "Token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IkxpbmdwZW5nIiwic3ViIjoiTGluZ3BlbmciLCJqdGkiOiJjMjhiOTY4IiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6Mjk3NTQiLCJodHRwczovL2xvY2FsaG9zdDo0NDM2MCIsImh0dHA6Ly9sb2NhbGhvc3Q6NTI3NiIsImh0dHBzOi8vbG9jYWxob3N0OjcyNTMiXSwibmJmIjoxNzAxNjQ5Nzk2LCJleHAiOjE3MDk1MTIxOTYsImlhdCI6MTcwMTY0OTc5NiwiaXNzIjoiZG90bmV0LXVzZXItand0cyJ9.l52s9_7oNjIKL96TysgdE0k970fUS9FoLTu2xRs-IPo",
        "Scopes": [],
        "Roles": [],
        "CustomClaims": {}
    }
}

secrets.json

{
    "Authentication:Schemes:Bearer:SigningKeys": [
        {
            "Id": "ff20683d",
            "Issuer": "dotnet-user-jwts",
            "Value": "lDOFmIuEDelFKU0zAaLoT2qYOFDRZGDDTv5FyTa36V8=",
            "Length": 32
        }
    ]
}

測試JWT

我們重新執行程式，用直接訪問與攜帶token兩種方式訪問/secret介面

PS D:\Learn\MyJWT> curl.exe -i http://localhost:5276/secret
HTTP/1.1 401 Unauthorized
Content-Length: 0
Date: Mon, 04 Dec 2023 00:43:25 GMT
Server: Kestrel
WWW-Authenticate: Bearer

PS D:\Learn\MyJWT> 
PS D:\Learn\MyJWT> 
PS D:\Learn\MyJWT> curl.exe -i -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IkxpbmdwZW5nIiwic3ViIjoiTGluZ3BlbmciLCJqdGkiOiJjMjhiOTY4IiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6Mjk3NTQiLCJodHRwczovL2xvY2FsaG9zdDo0NDM2MCIsImh0dHA6Ly9sb2NhbGhvc3Q6NTI3NiIsImh0dHBzOi8vbG9jYWxob3N0OjcyNTMiXSwibmJmIjoxNzAxNjQ5Nzk2LCJleHAiOjE3MDk1MTIxOTYsImlhdCI6MTcwMTY0OTc5NiwiaXNzIjoiZG90bmV0LXVzZXItand0cyJ9.l52s9_7oNjIKL96TysgdE0k970fUS9FoLTu2xRs-IPo" http://localhost:5276/secret
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Date: Mon, 04 Dec 2023 00:45:42 GMT
Server: Kestrel
Transfer-Encoding: chunked

Hello Lingpeng. My secret

至此我們已經實現了JwtBearer的初步使用

一點點改動

示例採用了機密管理，我們也可以把機密檔案中的內容遷移至專案中(推薦用機密管理)，我們修改MyJWT.csproj與appsettings.Development.json如下

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
    <!-- <UserSecretsId>88d7c163-def1-4747-b01f-cefed382beae</UserSecretsId> -->
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.0" />
  </ItemGroup>

</Project>

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "Authentication": {
    "Schemes": {
      "Bearer": {
        "ValidAudiences": [
          "http://localhost:29754",
          "https://localhost:44360",
          "http://localhost:5276",
          "https://localhost:7253"
        ],
        "ValidIssuer": "dotnet-user-jwts",
        "SigningKeys": [
          {
            "Id": "ff20683d",
            "Issuer": "dotnet-user-jwts",
            "Value": "lDOFmIuEDelFKU0zAaLoT2qYOFDRZGDDTv5FyTa36V8=",
            "Length": 32
          }
        ]
      }
    }
  }
}

修改完成後實現相同的功能

JWT Token生成示例

app.MapGet("/login", (string UserName, string Password, [FromServices] IOptionsMonitor<JwtBearerOptions> optionsMonitor) =>
{
    // 1. 密碼驗證
    // TODO

    // 2. 生成  
    var parameters = optionsMonitor.Get(JwtBearerDefaults.AuthenticationScheme).TokenValidationParameters;
    var signingKey = parameters.IssuerSigningKeys.First();
    var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256Signature);
    var header = new JwtHeader(signingCredentials);
    var payload = new JwtPayload {
        { JwtRegisteredClaimNames.UniqueName, UserName },
        { JwtRegisteredClaimNames.Iss, parameters.ValidIssuers.First() },
        { JwtRegisteredClaimNames.Aud, parameters.ValidAudiences },
        { JwtRegisteredClaimNames.Iat, DateTimeOffset.UtcNow.ToUnixTimeSeconds() },
        { JwtRegisteredClaimNames.Nbf, DateTimeOffset.UtcNow.ToUnixTimeSeconds() },
        { JwtRegisteredClaimNames.Exp, DateTimeOffset.UtcNow.AddMinutes(30).ToUnixTimeSeconds() }
    };
    var jwtSecurityToken = new JwtSecurityToken(header, payload);
    var jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
    var token = jwtSecurityTokenHandler.WriteToken(jwtSecurityToken);
    return token;
});

進行一下驗證

PS D:\Learn\MyJWT> curl.exe -i "http://localhost:5276/login?username=admin&password=1111"
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Date: Mon, 04 Dec 2023 05:03:36 GMT
Server: Kestrel
Transfer-Encoding: chunked

eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6ImFkbWluIiwiaXNzIjoiZG90bmV0LXVzZXItand0cyIsImF1ZCI6WyJodHRwOi8vbG9jYWxob3N0OjI5NzU0IiwiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNjAiLCJodHRwOi8vbG9jYWxob3N0OjUyNzYiLCJodHRwczovL2xvY2FsaG9zdDo3MjUzIl0sImlhdCI6MTcwMTY2NjIxNiwibmJmIjoxNzAxNjY2MjE2LCJleHAiOjE3MDE2NjgwMTZ9.P9t7vIFfM7cddRPs4OQUTVVdo57nWTLt_ea2UynGUpo
PS D:\Learn\MyJWT>
PS D:\Learn\MyJWT>
PS D:\Learn\MyJWT> curl.exe -i -H "Authorization: Bearer eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6ImFkbWluIiwiaXNzIjoiZG90bmV0LXVzZXItand0cyIsImF1ZCI6WyJodHRwOi8vbG9jYWxob3N0OjI5NzU0IiwiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNjAiLCJodHRwOi8vbG9jYWxob3N0OjUyNzYiLCJodHRwczovL2xvY2FsaG9zdDo3MjUzIl0sImlhdCI6MTcwMTY2NjIxNiwibmJmIjoxNzAxNjY2MjE2LCJleHAiOjE3MDE2NjgwMTZ9.P9t7vIFfM7cddRPs4OQUTVVdo57nWTLt_ea2UynGUpo" http://localhost:5276/secret
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Date: Mon, 04 Dec 2023 05:03:50 GMT
Server: Kestrel
Transfer-Encoding: chunked

Hello admin. My secret

Solon Auth 認證框架使用演示（更簡單的認證框架）
2021-06-09
框架
在JBOSS中實現使用者安全認證
2002-09-21
使用Autodesk OAuth服務在使用者認證的示例
2013-09-09
OAuth
Net8 使用BouncyCastle 生成自簽名證書
2024-03-13
AST
oracle os認證和口令檔案認證的簡要解析
2008-03-11
Oracle
怎樣在 Laravel 中處理前端認證
2019-07-04
Laravel前端
devise中如何使用auth_token認證與 RubyChina api認證的區別
2012-07-13
devAPI
Django框架中的使用者認證的實現
2012-12-09
Django框架
使用OpenSSH證書認證
2020-08-19
Oracle中兩種認證方式：OS認證與口令檔案認證
2017-08-15
Oracle
在 SSH 中使用 RSA 和 DSA 認證（詳解）
2018-08-08
深入解析：JWT Bearer 認證在 .NET Core 中的應用
2024-11-01
JWT
keycloak~在認證的action中自定義重定向地址
2024-04-03
mongodb的使用者認證
2016-05-12
MongoDB
解決在.net8 WebAPI中使用AbstractInterceptorAttribute 實現AOP 攔截器
2024-09-04
WebAPI
在Spring Boot中實現OAuth2.0認證
2024-07-20
Spring BootOAuth
使用Node在服務端呼叫HTTP-Basic認證的API
2018-02-02
服務端HTTPAPI
[譯]React中的使用者認證(登入態管理)
2019-05-28
React
Laravel 使用者認證最簡單的實現比 Jetstream 要簡單很多
2021-01-16
Laravel
開源認證和訪問控制的利器keycloak使用簡介
2020-11-26
國密在車聯網安全認證場景中的應用
2022-05-27
CKAD認證中的部署教程
2021-11-24
Oracle中的鑑權口令認證
2008-04-29
Oracle
Django的使用者認證元件
2018-11-01
Django元件
Lumen 8.0 使用 Jwt 認證的 Api
2020-09-18
JWTAPI
【Mongo】mongodb的使用者認證
2018-05-29
MongoDB
LNMP—Nginx的使用者認證
2017-11-12
LNMPNginx
認證系統之登入認證系統的進階使用 (二)
2020-12-14
Django REST framework中認證和許可權的使用方法
2020-11-04
DjangoRESTFramework
laravel使用者認證
2021-03-28
Laravel
MongoDB：使用者認證
2015-01-28
MongoDB
jwt 多使用者認證，一次簡單處理。
2019-03-22
JWT
.NET Core中的認證管理解析
2016-08-18
MySQL密碼加密認證的簡單指令碼
2018-04-04
MySql密碼加密指令碼
常見的PAM認證模組簡介(3) (zt)
2006-12-16
常見的PAM認證模組簡介(2)(zt)
2006-12-16
常見的PAM認證模組簡介(1) (zt)
2006-12-16
如何利用go-zero在Go中快速實現JWT認證
2020-10-26
GoJWT