在控制器方法使 JWT 令牌授权可选
问题说明
我在 ASP.NET Core 2 Web 应用程序中使用 JWT 令牌
I use JWT tokens in my ASP.NET Core 2 web application
如果 JWT 令牌失败,我仍然希望调用控制器方法,但 ASP.NET 标识 User
对象将为空.目前,如果身份验证失败,将不会输入控制器方法,因此我无法在该方法中应用逻辑来处理我想以访客身份处理而不是阻止他们的未经身份验证的用户.
If the JWT token fails I still want the controller method to be hit but the ASP.NET Identity User
object will just be null. Currently the controller method won't get entered if authentication fails so I can't apply logic inside the method to deal with non authenticated users which I want to deal with as guests instead of blocking them.
我的代码:
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication()
.AddJwtBearer(cfg =>
{
cfg.TokenValidationParameters = new TokenValidationParameters()
{
ValidIssuer = _config["Tokens:Issuer"],
ValidAudience = _config["Tokens:Audience"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Tokens:Key"]))
};
});
当用户登录时
private IActionResult CreateToken(ApplicationUser user, IList<string> roles)
{
var claims = new List<Claim>
{
new Claim(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName)
};
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Tokens:Key"]));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(
_config["Tokens:Issuer"],
_config["Tokens:Audience"],
claims.ToArray(),
expires: DateTime.Now.AddMinutes(60),
signingCredentials: creds);
var results = new
{
token = new JwtSecurityTokenHandler().WriteToken(token),
expiration = token.ValidTo,
};
return Created("", results);
我确保在经过身份验证后,各种 API 调用都会传递 JWT 令牌.
I make sure after authenticated the various API calls pass the JWT token.
在我的控制器中,我使用了 Authorize 属性
In my Controller I make use of an Authorize attribute
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class MyController : Controller
{
这允许我使用以下代码捕获登录用户以进行各种 API 调用
This allows me to capture the logged in user with the following code for the various API calls
var loggedInUser = User.Identity.Name;
如果我删除了授权属性,那么 User.Identity.Name
将始终为 null,即使用户已通过身份验证.
If I remove the authorize attribute then User.Identity.Name
will always be null even if the user is authenticated.
如果令牌无效,如何使用授权属性但仍允许输入控制器方法?我想对要输入的授权用户和非授权用户使用相同的方法.然后,我将使用 User.Identity.Name
来确定他们是否未经身份验证,并在他们的方法中包含来宾用户逻辑.
How do I use the authorize attribute but still allow the controller method to be entered if the token is not valid? I want to use the same method for both Authorized and non Authorized users to be entered. I will then use the User.Identity.Name
to determine if they are not authenticated and have guest user logic inside the method for them.
正确答案
这实际上比你想象的要容易.您可以只使用 both Authorize
和 AllowAnonymous
,如下所示:
It's actually easier than you might expect. You can just use both Authorize
and AllowAnonymous
, like so:
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[AllowAnonymous]
public class MyController : Controller
如果授权成功,您将拥有一个经过身份验证的 User
(User.Identity.IsAuthenticated = true
),否则,您将拥有一个匿名 User
.
If authorization was successful, you'll have an authenticated User
(User.Identity.IsAuthenticated = true
), otherwise, you will have an anonymous User
.
这篇好文章是转载于:学新通技术网
- 版权申明: 本站部分内容来自互联网,仅供学习及演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,请提供相关证据及您的身份证明,我们将在收到邮件后48小时内删除。
- 本站站名: 学新通技术网
- 本文地址: /reply/detail/tanghbcif
-
YouTube API 不能在 iOS (iPhone/iPad) 工作,但在桌面浏览器工作正常?
it1352 07-30 -
iPhone,一张图像叠加到另一张图像上以创建要保存的新图像?(水印)
it1352 07-17 -
保持在后台运行的 iPhone 应用程序完全可操作
it1352 07-25 -
使用 iPhone 进行移动设备管理
it1352 07-23 -
在android同时打开手电筒和前置摄像头
it1352 09-28 -
扫描 NFC 标签时是否可以启动应用程序?
it1352 08-02 -
检查邮件是否发送成功
it1352 07-25 -
Android微调工具-删除当前选择
it1352 06-20 -
希伯来语的空格句子标记化错误
it1352 06-22 -
Android App 和三星 Galaxy S4 不兼容
it1352 07-20