FilesExpand file tree

 is4

/

AuthorizationSetup.cs

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

139 lines (117 loc) · 5.46 KB

 is4

/

AuthorizationSetup.cs

Top

File metadata and controls

• Code
• Blame

139 lines (117 loc) · 5.46 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

using Blog.Core.AuthHelper;

using Blog.Core.Common;

using Blog.Core.Common.AppConfig;

using Microsoft.AspNetCore.Authentication;

using Microsoft.AspNetCore.Authentication.JwtBearer;

using Microsoft.AspNetCore.Authorization;

using Microsoft.AspNetCore.Builder;

using Microsoft.AspNetCore.Http;

using Microsoft.Extensions.DependencyInjection;

using Microsoft.IdentityModel.Tokens;

using System;

using System.Collections.Generic;

using System.Security.Claims;

using System.Text;

using System.Threading.Tasks;

namespace Blog.Core.Extensions

{

/// <summary>

/// Db 启动服务

/// </summary>

public static class AuthorizationSetup

{

public static void AddAuthorizationSetup(this IServiceCollection services)

{

if (services == null) throw new ArgumentNullException(nameof(services));

// 简单角色授权版本

// [Authorize(Roles = "Admin,System")]

// 多角色授权策略 [Authorize(Policy = "Admin")]

services.AddAuthorization(options =>

{

options.AddPolicy("Client", policy => policy.RequireRole("Client").Build());

options.AddPolicy("Admin", policy => policy.RequireRole("Admin").Build());

options.AddPolicy("SystemOrAdmin", policy => policy.RequireRole("Admin", "System"));

options.AddPolicy("A_S_O", policy => policy.RequireRole("Admin", "System", "Others"));

});

#region 参数

//读取配置文件

var symmetricKeyAsBase64 = AppSecretConfig.Audience_Secret_String;

var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);

var signingKey = new SymmetricSecurityKey(keyByteArray);

var Issuer = Appsettings.app(new string[] { "Audience", "Issuer" });

var Audience = Appsettings.app(new string[] { "Audience", "Audience" });

var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

// 如果要数据库动态绑定，这里先留个空，后边处理器里动态赋值

var permission = new List<PermissionItem>();

// 角色与接口的权限要求参数

var permissionRequirement = new PermissionRequirement(

"/api/denied",// 拒绝授权的跳转地址（目前无用）

permission,

ClaimTypes.Role,//基于角色的授权

Issuer,//发行人

Audience,//听众

signingCredentials,//签名凭据

expiration: TimeSpan.FromSeconds(60 * 60)//接口的过期时间

);

// 令牌验证参数

var tokenValidationParameters = new TokenValidationParameters

{

ValidateIssuerSigningKey = true,

IssuerSigningKey = signingKey,

ValidateIssuer = true,

ValidIssuer = Issuer,//发行人

ValidateAudience = true,

ValidAudience = Audience,//订阅人

ValidateLifetime = true,

ClockSkew = TimeSpan.FromSeconds(30),

RequireExpirationTime = true,

};

#endregion

// 3、复杂的策略授权

services.AddAuthorization(options =>

{

options.AddPolicy(Permissions.Name,

policy => policy.Requirements.Add(permissionRequirement));

});

//【认证】

services.AddAuthentication(o =>

{

o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;

o.DefaultChallengeScheme = nameof(ApiResponseHandler);

o.DefaultForbidScheme = nameof(ApiResponseHandler);

})

// 1.添加JwtBearer认证服务

//.AddJwtBearer(o =>

//{

// o.TokenValidationParameters = tokenValidationParameters;

// o.Events = new JwtBearerEvents

// {

// OnAuthenticationFailed = context =>

// {

// // 如果过期，则把<是否过期>添加到，返回头信息中

// if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))

// {

// context.Response.Headers.Add("Token-Expired", "true");

// }

// return Task.CompletedTask;

// }

// };

//})

// 2.添加Identityserver4认证

.AddIdentityServerAuthentication(options =>

{

options.Authority = Appsettings.app(new string[] { "Startup", "IdentityServer4", "AuthorizationUrl" });

options.RequireHttpsMetadata = false;

options.ApiName = "blog.core.api";

options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt;

options.ApiSecret = "api_secret";

})

.AddScheme<AuthenticationSchemeOptions, ApiResponseHandler>(nameof(ApiResponseHandler), o => { });

// 这里冗余写了一次,因为很多人看不到

services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();

// 注入权限处理器

services.AddScoped<IAuthorizationHandler, PermissionHandler>();

services.AddSingleton(permissionRequirement);

}

}

}