
.NET 6 Minimal API (9): Role-based authentication and authorization

發(fā)布時間:2023/12/4 asp.net 43 豆豆

Authentication is the process in which a user presents credentials that are then compared with the credentials stored in an operating system, database, application or resource. If the credentials match, the user is authenticated and may then perform the actions they have been authorized for. Authorization is the separate process of deciding which actions a user is allowed to perform. Put another way: authentication is the way into a space (a server, database, application or resource), and authorization determines which objects inside that space the user may act on, and how.

(Source: Microsoft official documentation)

ASP.NET Core supports several authorization models; this post focuses on role-based authorization with JWT.

The idea behind JWT role-based authentication and authorization is this: at login the server hands out a signed token, the client sends that token along with every request for a resource, and the server first verifies that the token really was issued by itself (the signature checks out under the server's own key, and the issuer, audience and lifetime are valid). Only then does it check the scope of access. In this post the scope is roles: every resource is marked with the roles allowed to reach it, the token states which role the user currently holds, and authorization is the match between the two. Note that a JWT of this kind is signed, not encrypted: anyone holding the token can read its claims, so it must not carry secrets and should travel only over HTTPS.

Steps to implement this with ASP.NET Core:

1. Configure the JWT parameters (secret, issuer, audience, lifetime) in appsettings.json.

2. Register the authentication and authorization services and add the corresponding middleware.

3. Define a method that builds the token and a method that builds the parameters used to validate it.

4. At login, verify the user's credentials and issue the token.

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;

var builder = WebApplication.CreateBuilder();

// Read the JWT parameters from the "JWTConfig" section and register them in the container
var jwtConfig = new JWTConfig();
builder.Configuration.GetSection("JWTConfig").Bind(jwtConfig);
builder.Services.AddSingleton(jwtConfig);

// Add JWT bearer authentication and authorization
builder.Services.AddAuthorization().AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, opt =>
{
    // Allows the scheme to run over plain HTTP; acceptable for local development only
    opt.RequireHttpsMetadata = false;
    opt.TokenValidationParameters = JwtToken.CreateTokenValidationParameters(jwtConfig);
});

var app = builder.Build();

// Authentication must run before authorization in the pipeline
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/hellosystem", (ILogger<Program> logger, HttpContext context) =>
{
    var message = $"hello,system,{context.User?.Identity?.Name}";
    logger.LogInformation(message);
    return message;
}).RequireAuthorization(new RoleData { Roles = "system" });

app.MapGet("/helloadmin", (ILogger<Program> logger, HttpContext context) =>
{
    var message = $"hello,admin,{context.User?.Identity?.Name}";
    logger.LogInformation(message);
    return message;
}).RequireAuthorization(new RoleData { Roles = "admin" });

// A comma-separated list means "any of these roles"
app.MapGet("/helloall", (ILogger<Program> logger, HttpContext context) =>
{
    var message = $"hello,all roles,{context.User?.Identity?.Name}";
    logger.LogInformation(message);
    return message;
}).RequireAuthorization(new RoleData { Roles = "admin,system" });

// Login: verify the credentials and issue the token
app.MapPost("/login", [AllowAnonymous] (ILogger<Program> logger, LoginModel login, JWTConfig jwtConfig) =>
{
    logger.LogInformation("login");
    // Hard-coded demo credentials; a real application checks a password hash in its user store
    if (login.UserName == "gsw" && login.Password == "111111")
    {
        var now = DateTime.UtcNow;
        var claims = new Claim[]
        {
            new Claim(ClaimTypes.Role, "admin"),
            new Claim(ClaimTypes.Name, "桂素偉"),
            new Claim(ClaimTypes.Sid, login.UserName),
            // Informational only: the library validates lifetime from the standard "exp" claim set below
            new Claim(ClaimTypes.Expiration, now.AddSeconds(jwtConfig.Expires).ToString())
        };
        return Results.Ok(JwtToken.BuildJwtToken(claims, jwtConfig));
    }
    // 401 with no detail, so the response does not reveal which part of the credentials was wrong
    return Results.Unauthorized();
});

app.Run();

// Login request body
public class LoginModel
{
    public string? UserName { get; set; }
    public string? Password { get; set; }
}

// JWT configuration, bound from the "JWTConfig" section of appsettings.json
public class JWTConfig
{
    public string? Secret { get; set; }
    public string? Issuer { get; set; }
    public string? Audience { get; set; }
    public int Expires { get; set; }   // lifetime in seconds
}

// JWT helpers
public class JwtToken
{
    // Build and sign the token
    public static object BuildJwtToken(Claim[] claims, JWTConfig jwtConfig)
    {
        var now = DateTime.UtcNow;
        var jwt = new JwtSecurityToken(
            issuer: jwtConfig.Issuer,
            audience: jwtConfig.Audience,
            claims: claims,
            notBefore: now,
            expires: now.AddSeconds(jwtConfig.Expires),
            signingCredentials: GetSigningCredentials(jwtConfig));
        var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);
        var response = new
        {
            Status = true,
            AccessToken = encodedJwt,
            ExpiresIn = now.AddSeconds(jwtConfig.Expires),
            TokenType = "Bearer"
        };
        return response;
    }

    static SigningCredentials GetSigningCredentials(JWTConfig jwtConfig)
    {
        // The secret must be long and random (at least 32 bytes for HS256); the library rejects keys that are too short
        var keyByteArray = Encoding.ASCII.GetBytes(jwtConfig?.Secret!);
        var signingKey = new SymmetricSecurityKey(keyByteArray);
        return new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
    }

    // Parameters used by the JwtBearer middleware to validate incoming tokens
    public static TokenValidationParameters CreateTokenValidationParameters(JWTConfig jwtConfig)
    {
        var keyByteArray = Encoding.ASCII.GetBytes(jwtConfig?.Secret!);
        var signingKey = new SymmetricSecurityKey(keyByteArray);
        return new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidateIssuer = true,
            ValidIssuer = jwtConfig?.Issuer,
            ValidateAudience = true,
            ValidAudience = jwtConfig?.Audience,
            // ValidateLifetime defaults to true; zero skew means "exp" is enforced to the second
            ClockSkew = TimeSpan.Zero,
            RequireExpirationTime = true,
        };
    }
}

// Authorization data for the Minimal API endpoints.
// AuthorizeAttribute already implements IAuthorizeData, so new AuthorizeAttribute { Roles = "admin" } would work as well.
public class RoleData : IAuthorizeData
{
    public string? Policy { get; set; }
    public string? Roles { get; set; }
    public string? AuthenticationSchemes { get; set; }
}

驗證結(jié)果:

1、沒有登錄,返回401

2、登錄,取token

3、正確訪問

4、沒有授權(quán)訪問,返回403
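The screenshots above show the outcome over HTTP. The following is an added example, not code from the original post, that shows the same decisions at the token level: it issues a token with the settings used in this post and runs the same kind of TokenValidationParameters the middleware is configured with against a valid token, a token whose payload was edited to claim the system role, a token signed with a different secret, an expired token, and a token issued for another audience. It is a net6.0 console app that references the System.IdentityModel.Tokens.Jwt NuGet package; the configuration values, secret, issuer, audience and user name are made up for the demo.

```csharp
// Added example (not from the original post). Console app, net6.0,
// references the System.IdentityModel.Tokens.Jwt NuGet package.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed stand-in for the "JWTConfig" section of appsettings.json, i.e.
// "JWTConfig": { "Secret": "...", "Issuer": "...", "Audience": "...", "Expires": 60 }
var config = new JWTConfig
{
    Secret = "0123456789abcdef0123456789abcdef", // 32 ASCII bytes = 256-bit HS256 key (demo value)
    Issuer = "gsw-issuer",
    Audience = "gsw-audience",
    Expires = 60
};

// What the server does at login: sign the claims with the shared secret.
static string Issue(JWTConfig cfg, string role, DateTime now, string? secretOverride = null)
{
    var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretOverride ?? cfg.Secret!));
    var jwt = new JwtSecurityToken(
        issuer: cfg.Issuer,
        audience: cfg.Audience,
        claims: new[] { new Claim(ClaimTypes.Role, role), new Claim(ClaimTypes.Name, "gsw") },
        notBefore: now,
        expires: now.AddSeconds(cfg.Expires),
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
    return new JwtSecurityTokenHandler().WriteToken(jwt);
}

// The same validation rules the JwtBearer middleware is given in the post.
static TokenValidationParameters Parameters(JWTConfig cfg) => new()
{
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(cfg.Secret!)),
    ValidateIssuer = true,
    ValidIssuer = cfg.Issuer,
    ValidateAudience = true,
    ValidAudience = cfg.Audience,
    ValidateLifetime = true,
    RequireExpirationTime = true,
    ClockSkew = TimeSpan.Zero,
};

// Returns the role the server would trust, or the reason the token is rejected.
static string Check(string token, JWTConfig cfg)
{
    try
    {
        var principal = new JwtSecurityTokenHandler().ValidateToken(token, Parameters(cfg), out _);
        return "accepted, role=" + principal.FindFirst(ClaimTypes.Role)?.Value;
    }
    catch (SecurityTokenException ex)
    {
        return "rejected: " + ex.GetType().Name;
    }
}

// Client-side tampering: edit the base64url payload but keep the original signature.
static string EditPayload(string token, string from, string to)
{
    var parts = token.Split('.');
    var json = Base64UrlEncoder.Decode(parts[1]);
    parts[1] = Base64UrlEncoder.Encode(json.Replace(from, to));
    return string.Join(".", parts);
}

var now = DateTime.UtcNow;
var good = Issue(config, "admin", now);
// Same secret and issuer, but a token meant for a different API (different "aud")
var foreign = new JWTConfig { Secret = config.Secret, Issuer = config.Issuer, Audience = "other-api", Expires = 60 };

Console.WriteLine("valid token:    " + Check(good, config));
Console.WriteLine("role edited:    " + Check(EditPayload(good, "\"admin\"", "\"system\""), config));
Console.WriteLine("other secret:   " + Check(Issue(config, "admin", now, "ffffffffffffffffffffffffffffffff"), config));
Console.WriteLine("expired:        " + Check(Issue(config, "admin", now.AddSeconds(-config.Expires - 1)), config));
Console.WriteLine("other audience: " + Check(Issue(foreign, "admin", now), config));

// Same shape as the JWTConfig class in the post
public class JWTConfig
{
    public string? Secret { get; set; }
    public string? Issuer { get; set; }
    public string? Audience { get; set; }
    public int Expires { get; set; }
}
```

Expected output: the first line is accepted with role=admin; the edited-role and other-secret tokens are rejected with SecurityTokenInvalidSignatureException, the expired one with SecurityTokenExpiredException, and the foreign one with SecurityTokenInvalidAudienceException. This is why the 403 in step 4 cannot be turned into a 200 by editing the token on the client: RequireAuthorization only ever sees roles that survived signature validation under the server's own key.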
