問題描述

我在 ASP.NET Core 2 Web 應用程序中使用 JWT 令牌

I use JWT tokens in my ASP.NET Core 2 web application

如果 JWT 令牌失敗，我仍然希望調用控制器方法，但 ASP.NET 標識 User 對象將為空.目前，如果身份驗證失敗，將不會輸入控制器方法，因此我無法在該方法中應用邏輯來處理我想以訪客身份處理而不是阻止他們的未經身份驗證的用戶.

If the JWT token fails I still want the controller method to be hit but the ASP.NET Identity User object will just be null. Currently the controller method won't get entered if authentication fails so I can't apply logic inside the method to deal with non authenticated users which I want to deal with as guests instead of blocking them.

我的代碼:

Startup.cs

    public void ConfigureServices(IServiceCollection services)
    {

        services.AddAuthentication()
            .AddJwtBearer(cfg =>
            {
                cfg.TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidIssuer = _config["Tokens:Issuer"],
                    ValidAudience = _config["Tokens:Audience"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Tokens:Key"]))
                };

            });

當用戶登錄時

   private IActionResult CreateToken(ApplicationUser user, IList<string> roles)
    {
        var claims = new List<Claim>
        {
          new Claim(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
          new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
          new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName)
        };



        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Tokens:Key"]));

        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
          _config["Tokens:Issuer"],
          _config["Tokens:Audience"],
          claims.ToArray(),
         expires: DateTime.Now.AddMinutes(60),
          signingCredentials: creds);

        var results = new
        {
            token = new JwtSecurityTokenHandler().WriteToken(token),
            expiration = token.ValidTo,
        };

        return Created("", results);

我確保在經過身份驗證后，各種 API 調用都會傳遞 JWT 令牌.

I make sure after authenticated the various API calls pass the JWT token.

在我的控制器中，我使用了 Authorize 屬性

In my Controller I make use of an Authorize attribute

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
 public class MyController : Controller
{

這允許我使用以下代碼捕獲登錄用戶以進行各種 API 調用

This allows me to capture the logged in user with the following code for the various API calls

 var loggedInUser = User.Identity.Name;

如果我刪除了授權屬性，那么 User.Identity.Name 將始終為 null，即使用戶已通過身份驗證.

If I remove the authorize attribute then User.Identity.Name will always be null even if the user is authenticated.

如果令牌無效，如何使用授權屬性但仍允許輸入控制器方法?我想對要輸入的授權用戶和非授權用戶使用相同的方法.然后，我將使用 User.Identity.Name 來確定他們是否未經身份驗證，并在他們的方法中包含來賓用戶邏輯.

How do I use the authorize attribute but still allow the controller method to be entered if the token is not valid? I want to use the same method for both Authorized and non Authorized users to be entered. I will then use the User.Identity.Name to determine if they are not authenticated and have guest user logic inside the method for them.

推薦答案

這實際上比你想象的要容易.您可以只使用 both Authorize 和 AllowAnonymous，如下所示:

It's actually easier than you might expect. You can just use both Authorize and AllowAnonymous, like so:

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[AllowAnonymous]
public class MyController : Controller

如果授權成功，您將擁有一個經過身份驗證的 User (User.Identity.IsAuthenticated = true)，否則，您將擁有一個匿名 User.

If authorization was successful, you'll have an authenticated User (User.Identity.IsAuthenticated = true), otherwise, you will have an anonymous User.

這篇關于如何在控制器方法中使 JWT 令牌授權可選的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！