ASP.Net Core Identity JWT 基于角色的身份验证被禁止
Posted
技术标签:
【中文标题】ASP.Net Core Identity JWT 基于角色的身份验证被禁止【英文标题】:ASP.Net Core Identity JWT Role-Base Authentication is Forbidden 【发布时间】:2018-06-23 15:06:01 【问题描述】:美好的一天。
API 用于报价共享网络应用程序。
我已经设置了基于角色的 JWT 身份验证,其中我拥有“成员”和“管理员”角色,这些角色的用户已正确注册并能够检索令牌。
到目前为止,方法(或类)只有
[Authorize]
只要有注册的令牌就可以正确访问。
现在,一旦我添加了角色,就可以访问需要特定角色的方法或类
[Authorize(Role="Admin")]
被禁止 (403),即使我确实通过 Authorization 标头传递了正确的令牌。
请注意:我已验证用户已正确创建 (dbo.AspNetUsers)、角色已正确创建(dbo.AspNetRoles 包含“Admin”和“Member”角色)并且用户角色已正确映射 (dbo .AspNetUserRoles)。
这是 Startup 类,它包含一个由 Configure() 调用的 CreateRoles() 方法:
public class Startup
public Startup(IConfiguration configuration)
Configuration = configuration;
public IConfiguration Configuration get;
public void ConfigureServices(IServiceCollection services)
services.AddDbContext<QuotContext>(options =>
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.AddIdentity<Member, IdentityRole>()
.AddEntityFrameworkStores<QuotContext>()
.AddDefaultTokenProviders();
services.Configure<IdentityOptions>(options =>
// Password settings
options.Password.RequireDigit = false;
options.Password.RequiredLength = 4;
options.Password.RequireNonAlphanumeric = false;
options.Password.RequireUppercase = false;
options.Password.RequireLowercase = false;
options.Password.RequiredUniqueChars = 2;
// Lockout settings
options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
options.Lockout.MaxFailedAccessAttempts = 10;
options.Lockout.AllowedForNewUsers = true;
// User settings
options.User.RequireUniqueEmail = true;
);
services.AddLogging(builder =>
builder.AddConfiguration(Configuration.GetSection("Logging"))
.AddConsole()
.AddDebug();
);
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); // => remove default claims
services
.AddAuthentication(options =>
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
)
.AddJwtBearer(cfg =>
cfg.RequireHttpsMetadata = false;
cfg.SaveToken = true;
cfg.TokenValidationParameters = new TokenValidationParameters
ValidIssuer = Configuration["JwtIssuer"],
ValidAudience = Configuration["JwtIssuer"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["JwtKey"])),
ClockSkew = TimeSpan.Zero // remove delay of token when expire
;
);
services.AddMvc();
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IServiceProvider serviceProvider, QuotContext dbContext)
if (env.IsDevelopment())
app.UseDeveloperExceptionPage();
app.UseBrowserLink();
app.UseDatabaseErrorPage();
app.UseAuthentication();
app.UseMvc();
dbContext.Database.EnsureCreated();
CreateRoles(serviceProvider).Wait();
private async Task CreateRoles(IServiceProvider serviceProvider)
//initializing custom roles
var RoleManager = serviceProvider.GetRequiredService<RoleManager<IdentityRole>>();
var UserManager = serviceProvider.GetRequiredService<UserManager<Member>>();
string[] roleNames = "Admin", "Member" ;
IdentityResult roleResult;
foreach (var roleName in roleNames)
var roleExist = await RoleManager.RoleExistsAsync(roleName);
if (!roleExist)
roleResult = await RoleManager.CreateAsync(new IdentityRole(roleName));
var poweruser = new Member
UserName = Configuration["AppSettings:AdminEmail"],
Email = Configuration["AppSettings:AdminEmail"],
;
string password = Configuration["AppSettings:AdminPassword"];
var user = await UserManager.FindByEmailAsync(Configuration["AppSettings:AdminEmail"]);
if (user == null)
var createPowerUser = await UserManager.CreateAsync(poweruser, password);
if (createPowerUser.Succeeded)
await UserManager.AddToRoleAsync(poweruser, "Admin");
这是包含 Register() 和 Login() 方法的 MembersController 类:
[Authorize]
public class MembersController : Controller
private readonly QuotContext _context;
private readonly UserManager<Member> _userManager;
private readonly SignInManager<Member> _signInManager;
private readonly ILogger<MembersController> _logger;
private readonly IConfiguration _configuration;
public MembersController(QuotContext context, UserManager<Member> userManager,
SignInManager<Member> signInManager, ILogger<MembersController> logger,
IConfiguration configuration)
_context = context;
_userManager = userManager;
_signInManager = signInManager;
_logger = logger;
_configuration = configuration;
[HttpPost("register")]
[AllowAnonymous]
public async Task<IActionResult> Register([FromBody] RegisterModel model)
if (ModelState.IsValid)
var newMember = new Member
UserName = model.Email,
Email = model.Email,
PostCount = 0,
Reputation = 10,
ProfilePicture = "default.png"
;
var result = await _userManager.CreateAsync(newMember, model.Password);
if (result.Succeeded)
_logger.LogInformation(1, "User registered.");
await _signInManager.SignInAsync(newMember, false);
return Ok(new token = BuildToken(model.Email, newMember) );
_logger.LogInformation(1, "Registeration failed.");
return BadRequest();
return BadRequest();
[HttpPost("login")]
[AllowAnonymous]
public async Task<IActionResult> Login([FromBody] LoginModel model)
if (ModelState.IsValid)
var result = await _signInManager.PasswordSignInAsync(model.Email,
model.Password, model.RememberMe, lockoutOnFailure: false);
if (result.Succeeded)
_logger.LogInformation(1, "User logged in." + _configuration["AppSettings:AdminPassword"]);
var member = _userManager.Users.SingleOrDefault(r => r.Email == model.Email);
return Ok(new token = BuildToken(model.Email, member) );
_logger.LogInformation(1, "Login failed.");
return BadRequest();
return BadRequest(ModelState);
private string BuildToken(string email, Member member)
var claims = new List<Claim>
new Claim(JwtRegisteredClaimNames.Sub, email),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim(ClaimTypes.NameIdentifier, member.Id)
;
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtKey"]));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var expires = DateTime.Now.AddDays(Convert.ToDouble(_configuration["JwtExpireDays"]));
var token = new JwtSecurityToken(
_configuration["JwtIssuer"],
_configuration["JwtIssuer"],
claims,
expires: expires,
signingCredentials: creds
);
return new JwtSecurityTokenHandler().WriteToken(token);
这是两种方法的示例:第一种方法需要简单的身份验证,成功访问并提供用户令牌,第二种方法即使给定管理员令牌也被禁止:
public class AuthorsController : Controller
private readonly QuotContext _context;
public AuthorsController(QuotContext context)
_context = context;
[HttpGet]
[Authorize]
public IEnumerable<Author> GetAuthors()
return _context.Authors;
[HttpPost]
[Authorize(Roles = "Admin")]
public async Task<IActionResult> PostAuthor([FromBody] Author author)
if (!ModelState.IsValid)
return BadRequest(ModelState);
_context.Authors.Add(author);
await _context.SaveChangesAsync();
return StatusCode(201);
感谢您的帮助。 包含完整项目的 github 存储库:https://github.com/theStrayPointer/QuotAPI
【问题讨论】:
您如何检查我们的原则是否包含声明中的管理员角色和IsInRole 函数?
【参考方案1】:
我遇到了同样的问题。我刚刚找到了办法。事实上,JWT 令牌嵌入了角色。因此,您必须在生成令牌时在令牌中添加角色声明。
var roles = await _userManager.GetRolesAsync(user);
var claims = new[]
new Claim(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim(JwtRegisteredClaimNames.Iat, ToUnixEpochDate(dateTime).ToString(), ClaimValueTypes.Integer64)
;
ClaimsIdentity claimsIdentity = new ClaimsIdentity(claims, "Token");
// Adding roles code
// Roles property is string collection but you can modify Select code if it it's not
claimsIdentity.AddClaims(roles.Select(role => new Claim(ClaimTypes.Role, role)));
var token = new JwtSecurityToken
(
_configuration["Auth:Token:Issuer"],
_configuration["Auth:Token:Audience"],
claimsIdentity.Claims,
expires: dateTime,
notBefore: DateTime.UtcNow,
signingCredentials: new SigningCredentials(new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["Auth:Token:Key"])), SecurityAlgorithms.HmacSha256)
);
找到了here和here的解释。
【讨论】:
这帮助很大。 感谢朋友帮了大忙。 ***.com/a/59705766/1502140 希望对您有所帮助!!! 不敢相信允许在 JWT 声明中添加不同的角色作为新条目。以上是关于ASP.Net Core Identity JWT 基于角色的身份验证被禁止的主要内容,如果未能解决你的问题,请参考以下文章
ASP.Net Core Identity JWT 基于角色的身份验证被禁止
Asp.Net Core Identity 使用 JWT 中的哪些信息来将令牌授权为有效?
JWT 不记名令牌不适用于 ASP.Net Core 3.1 + Identity Server 4
使用 JWT Token-Asp.net Core Identity 通过 Web API 上的角色声明进行授权