# 模块二 基础巩固 安全 ## 2.8 安全 * 认证 VS 授权 * ASP .NET Core 认证授权中间件 * 认证 * JWT 认证 * 授权 ### 认证 VS 授权 * 认证是一个识别用户是谁的过程 * 授权是一个决定用户可以干什么的过程 * 401 Unauthorized 未授权 * 403 Forbidden 禁止访问 ### ASP .NET Core 认证授权中间件 ![](https://3083743005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8gwpNo3eyzHkX0O40HRA%2Fuploads%2FeuSB9KSaWBCmIAc2nqPS%2F235.jpg?alt=media\&token=8afb9df6-9c39-440e-b425-5b70f89b921c) 在接收到请求之后,认证(Authentication)和授权(Authorization) 发生在 路由(Routing) 和 终结点(Endpoint) 之间 #### 执行过程 ![](https://3083743005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8gwpNo3eyzHkX0O40HRA%2Fuploads%2FqCAaP7MaJFQkK5W5oqro%2F236.jpg?alt=media\&token=60a2a4d5-7b03-404a-be3d-573fcc2c62e4) ### 认证 认证是一个识别用户是谁的过程 #### 代码示例 Web api jwt authentication 在 LighterApi 项目的 Startup.cs 中配置添加服务 ConfigureServices ``` services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer( options => options.TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, // 是否验证 Issuer ValidateAudience = true, // 是否验证 Audience ValidateLifetime = true, // 是否验证失效时间 ClockSkew = TimeSpan.FromSeconds(30), ValidateIssuerSigningKey = true, // 是否验证 SecurityKey ValidAudience = "https://localhost:6001", ValidIssuer = "https://localhost:6001", IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("secret88secret666")) // 拿到 SecurityKey }); ``` Configure ``` app.UseAuthentication(); app.UseAuthorization(); ``` 添加标签 \[Authorize] ``` [Authorize] public class ProjectController : ControllerBase ``` 通过 postman 调用接口,返回 401 Unauthorized 需要通过登录接口获取 token,再带上 token 访问 ### JWT 认证 * 什么是 JWT * 颁发 token 代码示例 #### 什么是 JWT JWT 是一个 token,由三部分组成,格式为 xxx.yyy.zzz * Header(algorithm + type) * Payload(claims) * Singature ![](https://3083743005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8gwpNo3eyzHkX0O40HRA%2Fuploads%2FV68E3OJKwFdMUXabJ0qD%2F237.jpg?alt=media\&token=2333d0f6-1b4e-4295-a45c-941a6f52655d) #### 颁发 token 代码示例 ``` namespace LighterApi.Controller { [ApiController] [Route("api/[controller]")] public class IdentityController : ControllerBase { [HttpPost] [Route("signin")] public IActionResult SignIn() { var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("secret88secret666")); var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256); var token = new JwtSecurityToken( issuer: "https://localhost:6001", audience: "https://localhost:6001", new List {new Claim("name", "mingson")}, expires: DateTime.Now.AddMinutes(120), signingCredentials: credentials); return Ok(new JwtSecurityTokenHandler().WriteToken(token)); } } } ``` 启动程序,访问接口,获取 token ![](https://3083743005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8gwpNo3eyzHkX0O40HRA%2Fuploads%2FAySsGgoSkzk2KRBBEphr%2F238.jpg?alt=media\&token=0d953b55-ba2e-47aa-826b-06e81a1faf5a) 通过官网解析 ![](https://3083743005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8gwpNo3eyzHkX0O40HRA%2Fuploads%2F8bxGkFQADUfddC7DuhHS%2F239.jpg?alt=media\&token=e085310d-c15a-4ebe-8bd0-502631ea13a2) 带上 token 访问接口 ![](https://3083743005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8gwpNo3eyzHkX0O40HRA%2Fuploads%2F81q4F0eWUq5BvqbHXmzL%2F240.jpg?alt=media\&token=e96dd617-9ee9-4b0e-b6a4-9920a41f16cd) ### 授权 为接口添加访问需要的角色,具备角色才能访问 ``` [Authorize(Roles = "Administrators, Mentor")] ``` SignIn 接口返回 token 中加入角色 ``` new Claim(ClaimTypes.Role, "Administrators"), ``` 启动程序,获取包含角色的 token ![](https://3083743005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8gwpNo3eyzHkX0O40HRA%2Fuploads%2Fcu6foDsrJVIqb25Ars29%2F241.jpg?alt=media\&token=5be4cb0f-a9d3-42af-aea3-10d0d6895762) 带上 token 访问需要角色的接口 ![](https://3083743005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8gwpNo3eyzHkX0O40HRA%2Fuploads%2FCNddT34XKA2QNpqTe7RR%2F242.jpg?alt=media\&token=68edd13d-b691-4cdf-a4ef-729180703d68) ### GitHub源码链接: