具有Identity Core角色的JWT授权

问题描述 投票:1回答:2

我在Roles理解Identity Core时遇到了麻烦

我的AccountController看起来像这样,我在Roles方法中添加了GenerateJWTToken

[HttpPost("Login")]
    public async Task<object> Login([FromBody] LoginBindingModel model)
    {
        var result = await this.signInManager.PasswordSignInAsync(model.UserName, model.Password, false, false);

        if (result.Succeeded)
        {
            var appUser = this.userManager.Users.SingleOrDefault(r => r.UserName == model.UserName);
            return await GenerateJwtToken(model.UserName, appUser);
        }

        throw new ApplicationException("INVALID_LOGIN_ATTEMPT");
    }

    [HttpPost("Register")]
    public async Task<object> Register([FromBody] RegistrationBindingModel model)
    {
        var user = new ApplicationUser
        {
            UserName = model.UserName,
            Email = model.Email,
            FirstName = model.FirstName,
            LastName = model.LastName
        };
        var result = await this.userManager.CreateAsync(user, model.Password);

        if (result.Succeeded)
        {
            await this.signInManager.SignInAsync(user, false);
            return await this.GenerateJwtToken(model.UserName, user);
        }

        throw new ApplicationException("UNKNOWN_ERROR");
    }

    private async Task<object> GenerateJwtToken(string userName, IdentityUser user)
    {
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userName),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(ClaimTypes.NameIdentifier, user.Id),
            new Claim(ClaimTypes.Role, Role.Viewer.ToString()),
            new Claim(ClaimTypes.Role, Role.Developer.ToString()),
            new Claim(ClaimTypes.Role, Role.Manager.ToString())
        };

        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(this.configuration["JwtKey"]));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var expires = DateTime.Now.AddDays(Convert.ToDouble(this.configuration["JwtExpireDays"]));

        var token = new JwtSecurityToken(
            this.configuration["JwtIssuer"],
            this.configuration["JwtIssuer"],
            claims,
            expires: expires,
            signingCredentials: creds);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

从这段代码中,我的令牌与[Authorize]控制器的属性完美配合。

我的问题是,在哪一步添加role到我的注册user使用(例如)[Authorize("Admin")]?如何将role保存到数据库?

[Route("api/[controller]")]
[Authorize] //in this form it works ok, but how to add roles to it with JWT Token?
            //how to register user to role and get this role to JWT Token?
[ApiController]
public class DefaultController : ControllerBase

我的ApplicationUser

public class ApplicationUser : IdentityUser
{
    public string FirstName { get; set; }

    public string LastName { get; set; }
}

Roles的枚举:

public enum Role
{
    Viewer,
    Developer,
    Manager
}

如何将有关用户角色的信息保存到Identity Database,并在登录时获得该角色以正确运行[Authorize]属性?

编辑:

我想要做的是将Roles存储在用户的枚举中。我想注册用户为DeveloperManager等。我相信我可以通过ApplicationUser并添加Role属性,但从它我无法通过属性[Authorization(role)]获得授权

c# asp.net-core asp.net-identity claims-based-identity
2个回答
1
投票

在您的情况下,您不需要使用IdentityUser和身份数据库,而是使用JWT。使用已定义的User属性创建Roles模型,并将其简单地保存在数据库中。喜欢:

public class User
{
   public string FirstName { get; set; }
   public string LastName { get; set; }
   public Role Role { get; set; }
}

public enum Role
{
   Viewer,
   Developer,
   Manager
}

令牌:

var user = // ...
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(your_seccret_key);
var tokenDescriptor = new SecurityTokenDescriptor
{
    Subject = new ClaimsIdentity(new Claim[] 
         {
             new Claim(ClaimTypes.Name, user.FirstName),
             new Claim(ClaimTypes.Name, user.LastName),
             new Claim(ClaimTypes.Role, user.Role)
         }),
     Expires = DateTime.UtcNow.AddDays(1),
     SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key),SecurityAlgorithms.HmacSha256Signature)
 };
 var token = tokenHandler.CreateToken(tokenDescriptor);
 user.Token = tokenHandler.WriteToken(token);

控制器方法:

[Authorize(Roles = Role.Developer)]
[HttpGet("GetSomethongForAuthorizedOnly")]
public async Task<object> GetSomething()
{ 
   // .... todo
}
1
投票

您可以将内置的角色管理与ASP.NET身份一起使用。由于您使用的是ASP.NET Core 2.1,因此您可以首先参考以下链接以在身份系统中启用角色:

https://stackoverflow.com/a/54069826/5751404

启用角色后,您可以注册角色/用户,然后向用户添加角色,如:

private async Task CreateUserRoles()
{   
    IdentityResult roleResult;
    //Adding Admin Role
    var roleCheck = await _roleManager.RoleExistsAsync("Admin");
    if (!roleCheck)
    {

        IdentityRole adminRole = new IdentityRole("Admin");
        //create the roles and seed them to the database
        roleResult = await _roleManager.CreateAsync(adminRole);

        _roleManager.AddClaimAsync(adminRole, new Claim(ClaimTypes.AuthorizationDecision, "edit.post")).Wait();
        _roleManager.AddClaimAsync(adminRole, new Claim(ClaimTypes.AuthorizationDecision, "delete.post")).Wait();

        ApplicationUser user = new ApplicationUser {
            UserName = "YourEmail", Email = "YourEmail",

        };
        _userManager.CreateAsync(user, "YourPassword").Wait();

        await _userManager.AddToRoleAsync(user, "Admin");
    }

}

因此,当该用户登录您的应用程序时,您可以在ClaimsPrincipal中找到role声明,并且可以使用带有角色的Authorizeattribute。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.