FilesExpand file tree

 dev

/

AuthorizationSetup.cs

Copy path

BlameMore file actions

BlameMore file actions

Latest commit

 

History

History

History

152 lines (130 loc) · 6.29 KB

 dev

/

AuthorizationSetup.cs

Top

File metadata and controls

• Code
• Blame

152 lines (130 loc) · 6.29 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

using Blog.Core.AuthHelper;

using Blog.Core.Common;

using Blog.Core.Common.AppConfig;

using Microsoft.AspNetCore.Authentication;

using Microsoft.AspNetCore.Authentication.JwtBearer;

using Microsoft.AspNetCore.Authorization;

using Microsoft.AspNetCore.Builder;

using Microsoft.AspNetCore.Http;

using Microsoft.Extensions.DependencyInjection;

using Microsoft.IdentityModel.Tokens;

using System;

using System.Collections.Generic;

using System.IdentityModel.Tokens.Jwt;

using System.Linq;

using System.Security.Claims;

using System.Text;

using System.Threading.Tasks;

namespace Blog.Core.Extensions

{

/// <summary>

/// Db 启动服务

/// </summary>

public static class AuthorizationSetup

{

public static void AddAuthorizationSetup(this IServiceCollection services)

{

if (services == null) throw new ArgumentNullException(nameof(services));

#region 1、基于角色的API授权

// 1【授权】、这个很简单，其他什么都不用做， 只需要在API层的controller上边，增加特性即可，注意，只能是角色的:

// [Authorize(Roles = "Admin,System")]

#endregion

#region 2、基于策略的授权（简单版）

// 1【授权】、这个和上边的异曲同工，好处就是不用在controller中，写多个 roles 。

// 然后这么写 [Authorize(Policy = "Admin")]

services.AddAuthorization(options =>

{

options.AddPolicy("Client", policy => policy.RequireRole("Client").Build());

options.AddPolicy("Admin", policy => policy.RequireRole("Admin").Build());

options.AddPolicy("SystemOrAdmin", policy => policy.RequireRole("Admin", "System"));

options.AddPolicy("A_S_O", policy => policy.RequireRole("Admin", "System", "Others"));

});

#endregion

#region 参数

//读取配置文件

var symmetricKeyAsBase64 = AppSecretConfig.Audience_Secret_String;

var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);

var signingKey = new SymmetricSecurityKey(keyByteArray);

var Issuer = Appsettings.app(new string[] { "Audience", "Issuer" });

var Audience = Appsettings.app(new string[] { "Audience", "Audience" });

var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

// 如果要数据库动态绑定，这里先留个空，后边处理器里动态赋值

var permission = new List<PermissionItem>();

// 角色与接口的权限要求参数

var permissionRequirement = new PermissionRequirement(

"/api/denied",// 拒绝授权的跳转地址（目前无用）

permission,

ClaimTypes.Role,//基于角色的授权

Issuer,//发行人

Audience,//听众

signingCredentials,//签名凭据

expiration: TimeSpan.FromSeconds(60 * 60)//接口的过期时间

);

#endregion

// 3、复杂的策略授权

services.AddAuthorization(options =>

{

options.AddPolicy(Permissions.Name,

policy => policy.Requirements.Add(permissionRequirement));

});

// 令牌验证参数

var tokenValidationParameters = new TokenValidationParameters

{

ValidateIssuerSigningKey = true,

IssuerSigningKey = signingKey,

ValidateIssuer = true,

ValidIssuer = Issuer,//发行人

ValidateAudience = true,

ValidAudience = Audience,//订阅人

ValidateLifetime = true,

ClockSkew = TimeSpan.FromSeconds(30),

RequireExpirationTime = true,

};

//2.1【认证】、core自带官方JWT认证

// 开启Bearer认证

services.AddAuthentication(o=> {

o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;

o.DefaultChallengeScheme = nameof(ApiResponseHandler);

o.DefaultForbidScheme = nameof(ApiResponseHandler);

})

// 添加JwtBearer服务

.AddJwtBearer(o =>

{

o.TokenValidationParameters = tokenValidationParameters;

o.Events = new JwtBearerEvents

{

OnChallenge = context =>

{

context.Response.Headers.Add("Token-Error", context.ErrorDescription);

return Task.CompletedTask;

},

OnAuthenticationFailed = context =>

{

var token= context.Request.Headers["Authorization"].ObjToString().Replace("Bearer ", "");

var jwtToken = (new JwtSecurityTokenHandler()).ReadJwtToken(token);

if (jwtToken.Issuer != Issuer)

{

context.Response.Headers.Add("Token-Error-Iss", "issuer is wrong!");

}

if (jwtToken.Audiences.FirstOrDefault() != Audience)

{

context.Response.Headers.Add("Token-Error-Aud", "Audience is wrong!");

}

// 如果过期，则把<是否过期>添加到，返回头信息中

if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))

{

context.Response.Headers.Add("Token-Expired", "true");

}

return Task.CompletedTask;

}

};

})

.AddScheme<AuthenticationSchemeOptions, ApiResponseHandler>(nameof(ApiResponseHandler), o => { });

// 这里冗余写了一次,因为很多人看不到

services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();

// 注入权限处理器

services.AddScoped<IAuthorizationHandler, PermissionHandler>();

services.AddSingleton(permissionRequirement);

}

}

}