或者应该包含什么信息呢？

　　　　1.这个人是谁？

　　　　2.这个人可以用此token访问什么样的内容？（scope）

　　　　3.token的过期时间 (expire)

　　　　4.谁发行的token。

　　　　5.其他任何你希望加入的声明（Claims）

　那我们为什么要使用token呢？使用session或者用redis来实现stateServer不好吗？

　　　　1.token是低（无）状态的，Statelessness

　　　　2.token可以与移动端应用紧密结合

　　　　3.支持多平台服务器和分布式微服务

拿到token后如何带入HTTP请求传给后台？

　答案是两种方式，Cookies和Authorization Header。那么什么时候放到Cookies中，什么时候又放到Authentication中呢？

第一，如果是在Web应用，则放到Cookies当中，并且应该是HttpOnly的，js不能直接对其进行操作，安全性会比将其存在Web Stroage中好一些，因为在Web Storage当中的内容，可以很容的被潜在的XSS脚本攻击并获取。在HttpOnly的cookies当中会相对安全一些，不过也有潜在的CSRF跨站伪造请求的危险，不过这种hack的手段成功率是很低的，有兴趣的朋友可以自行看一下CSRF原理。

第二，如果是手机移动端应用的话，那一定是存储在App本地，并由Authorization Header带到后台并得到身份认证。

WebApp Cookies Authentication

上一段前两周写的最原始的小Demo吧，没有数据库访问等，可根据demo自行改变 ，现在的新代码已经加入了很多业务在其中

startup.cs代码

using Microsoft.AspNetCore.Authentication.Cookies;

using Microsoft.AspNetCore.Builder;

using Microsoft.AspNetCore.Hosting;

using Microsoft.AspNetCore.Http;

using Microsoft.AspNetCore.Http.Authentication;

using Microsoft.Extensions.Configuration;

using Microsoft.Extensions.DependencyInjection;

using Microsoft.Extensions.Logging;

using System.Collections.Generic;

using System.Security.Claims;

using Wings.AuthenticationApp.Middleware;

namespace Wings.AuthenticationApp

{

public class Startup

{

public Startup(IHostingEnvironment env)

{

var builder = new ConfigurationBuilder()

.SetBasePath(env.ContentRootPath)

.AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)

.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)

.AddEnvironmentVariables();

Configuration = builder.Build();

}

public IConfigurationRoot Configuration { get; }

// This method gets called by the runtime. Use this method to add services to the container.

public void ConfigureServices(IServiceCollection services)

{

// Add framework services.

services.AddMvc();

}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)

{

loggerFactory.AddConsole(Configuration.GetSection("Logging"));

loggerFactory.AddDebug();

app.UseCookieAuthentication(CookieAuthMiddleware.GetOptions());

app.UseOwin();

app.UseCors(a => { a.AllowAnyOrigin(); });

app.UseMvc();

// Listen for login and logout requests

app.Map("/login", builder =>

{

builder.Run(async context =>

{

var name = context.Request.Form["name"];

var pwd = context.Request.Form["pwd"];

if (name == "wushuang" && pwd == "wushuang")

{

var claims = new List<Claim>() { new Claim("name", name), new Claim("role", "admin") };

var identity = new ClaimsIdentity(claims, "password");

var principal = new ClaimsPrincipal(identity);

await context.Authentication.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

context.Response.Redirect("http://www.baidu.com");

}

else

{

await context.Authentication.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

context.Response.Redirect("http://www.google.com");

}

});

});

//app.Map("/logout", builder =>

//{

//    builder.Run(async context =>

//    {

//        // Sign the user out / clear the auth cookie

//        await context.Authentication.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

//        // Perform a simple redirect after logout

//        context.Response.Redirect("/");

//    });

//});

}

}

}

下面是Middleware---->CookieAuthMiddleware.cs的代码，

using Microsoft.AspNetCore.Authentication.Cookies;

using Microsoft.AspNetCore.Builder;

using Microsoft.AspNetCore.Http;

using System;

using System.Collections.Generic;

using System.Linq;

using System.Security.Claims;

using System.Security.Principal;

using System.Threading.Tasks;

namespace Wings.AuthenticationApp.Middleware

{

public class CookieAuthMiddleware

{

public static CookieAuthenticationOptions GetOptions()

{

return new CookieAuthenticationOptions

{

AutomaticAuthenticate = true,

AutomaticChallenge = true,

LoginPath = new PathString("/login"),

LogoutPath = new PathString("/logout"),

AccessDeniedPath = new PathString("/test"),

CookieHttpOnly = false,  //默认就是True了

CookieName = "wings_access_token",

SlidingExpiration = true,

CookieManager = new ChunkingCookieManager()

};

}

}

public static class IdentityExtension

{

public static string FullName(this IIdentity identity)

{

var claim = ((ClaimsIdentity)identity).FindFirst("name");

return (claim != null) ? claim.Value : string.Empty;

}

public static string Role(this IIdentity identity)

{

var claim = ((ClaimsIdentity)identity).FindFirst("role");

return (claim != null) ? claim.Value : string.Empty;

}

}

}

对应如上demo,简单测试一下，结果如下：

首先使用错误的密码，来请求token endpoint，接下来我们看一下即使窗口，当有请求进入的时候，我用如下代码判断用户的认证情况，拿到的结果必然是false：

接下来，我使用正确的账号密码，来打入token,判断结果一定为true，所以我使用自定义的拓展方法，来获取下，该用户token的信息:

如上demo没有加入一些容错机制，请注意。在用户认证成功后，可以进入带有Authorize Attribute的Action,否则401.如下是几个重要参数的解释

自定义Authentication Middle生产Token

Startup.cs

using System;

using System.Collections.Generic;

using System.Linq;

using System.Threading.Tasks;

using Microsoft.AspNetCore.Builder;

using Microsoft.AspNetCore.Hosting;

using Microsoft.Extensions.Configuration;

using Microsoft.Extensions.DependencyInjection;

using Microsoft.Extensions.Logging;

using Wings.TokenAuth.Middleware;

using System.Security.Claims;

using Microsoft.IdentityModel.Tokens;

using System.Text;

using Microsoft.Extensions.Options;

namespace Wings.TokenAuth

{

public class Startup

{

public Startup(IHostingEnvironment env)

{

var builder = new ConfigurationBuilder()

.SetBasePath(env.ContentRootPath)

.AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)

.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)

.AddEnvironmentVariables();

Configuration = builder.Build();

}

public IConfigurationRoot Configuration { get; }

// This method gets called by the runtime. Use this method to add services to the container.

public void ConfigureServices(IServiceCollection services)

{

// Add framework services.

services.AddMvc();

}

// The secret key every token will be signed with.

// In production, you should store this securely in environment variables

// or a key management tool. Don't hardcode this into your application!

private static readonly string secretKey = "mysupersecret_secretkey!123";

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)

{

loggerFactory.AddConsole(LogLevel.Debug);

loggerFactory.AddDebug();

app.UseStaticFiles();

// Add JWT generation endpoint:

var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey));

var options = new TokenProviderOptions

{

Audience = "ExampleAudience",

Issuer = "ExampleIssuer",

SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),

};

app.UseMiddleware<TokenProviderMiddleware>(Options.Create(options));

app.UseMvc();

}

}

}

TokenProviderOptions.cs

using Microsoft.AspNetCore.Http;

using Microsoft.Extensions.Options;

using Microsoft.IdentityModel.Tokens;

using Newtonsoft.Json;

using System;

using System.Collections.Generic;

using System.IdentityModel.Tokens.Jwt;

using System.Linq;

using System.Security.Claims;

using System.Threading.Tasks;

namespace Wings.TokenAuth.Middleware

{

public class TokenProviderOptions

{

public string Path { get; set; } = "/token";

public string Issuer { get; set; }

public string Audience { get; set; }

public TimeSpan Expiration { get; set; } = TimeSpan.FromMinutes(5);

public SigningCredentials SigningCredentials { get; set; }

}

public class TokenProviderMiddleware

{

private readonly RequestDelegate _next;

private readonly TokenProviderOptions _options;

public TokenProviderMiddleware(

RequestDelegate next,

IOptions<TokenProviderOptions> options)

{

_next = next;

_options = options.Value;

}

public Task Invoke(HttpContext context)

{

// If the request path doesn't match, skip

if (!context.Request.Path.Equals(_options.Path, StringComparison.Ordinal))

{

　　　　　　　　　　　　 //use new JwtSecurityTokenHandler().ValidateToken() to valid token

return _next(context);

}

// Request must be POST with Content-Type: application/x-www-form-urlencoded

if (!context.Request.Method.Equals("POST")

|| !context.Request.HasFormContentType)

{

context.Response.StatusCode = 400;

return context.Response.WriteAsync("Bad request.");

}

return GenerateToken(context);

}

private async Task GenerateToken(HttpContext context)

{

var username = context.Request.Form["username"];

var password = context.Request.Form["password"];

var identity = await GetIdentity(username, password);

if (identity == null)

{

context.Response.StatusCode = 400;

await context.Response.WriteAsync("Invalid username or password.");

return;

}

var now = DateTime.UtcNow;

// Specifically add the jti (random nonce), iat (issued timestamp), and sub (subject/user) claims.

// You can add other claims here, if you want:

var claims = new Claim[]

{

new Claim(JwtRegisteredClaimNames.Sub, username),

new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),

new Claim(JwtRegisteredClaimNames.Iat, ToUnixEpochDate(now).ToString(), ClaimValueTypes.Integer64)

};

// Create the JWT and write it to a string

var jwt = new JwtSecurityToken(

issuer: _options.Issuer,

audience: _options.Audience,

claims: claims,

notBefore: now,

expires: now.Add(_options.Expiration),

signingCredentials: _options.SigningCredentials);

var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);

var response = new

{

access_token = encodedJwt,

expires_in = (int)_options.Expiration.TotalSeconds

};

// Serialize and return the response

context.Response.ContentType = "application/json";

await context.Response.WriteAsync(JsonConvert.SerializeObject(response, new JsonSerializerSettings { Formatting = Formatting.Indented }));

}

private Task<ClaimsIdentity> GetIdentity(string username, string password)

{

// DON'T do this in production, obviously!

if (username == "wushuang" && password == "wushuang")

{

return Task.FromResult(new ClaimsIdentity(new System.Security.Principal.GenericIdentity(username, "Token"), new Claim[] { }));

}

// Credentials are invalid, or account doesn't exist

return Task.FromResult<ClaimsIdentity>(null);

}

public static long ToUnixEpochDate(DateTime date)

=> (long)Math.Round((date.ToUniversalTime() - new DateTimeOffset(1970, 1, 1, 0, 0, 0, TimeSpan.Zero)).TotalSeconds);

}

}

下面上测试结果：

使用错误的账户和密码请求token

使用正确的账户和密码来请求，返回结果如下：

如果，您认为阅读这篇博客让您有些收获，不妨点击一下右下加【推荐】按钮。
如果，您希望更容易地发现我的新博客，不妨点击下方红色【关注】的。
因为，我的分享热情也离不开您的肯定支持。

感谢您的阅读，我将持续输出分享，我是蜗牛, 保持学习，谨记谦虚。不端不装，有趣有梦。

参考文章和论文，不仅限于如下几篇，感谢国外大佬们有深度的分享：

http://stackoverflow.com/questions/29055477/oauth-authorization-service-in-asp-net-core

https://stormpath.com/blog/token-authentication-asp-net-core

https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware#fundamentals-middleware

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie#controlling-cookie-options

https://stormpath.com/blog/token-authentication-asp-net-core

相关文章：

• AspNet Identity 和 Owin 谁是谁

• ASP.NET Core 之 Identity 入门（一）

• ASP.NET Core 之 Identity 入门（二）

• ASP.NET Core 之 Identity 入门（三）

原文链接：http://www.cnblogs.com/tdws/p/6536864.html

---

.NET社区新闻，深度好文，微信中搜索dotNET跨平台或扫描二维码关注