using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
namespace JsonWebTokenTesting
{
public class Program
{
public static void Main(string[] args)
{
CreateWebHostBuilder(args).Build().Run();
}
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseStartup<Startup>();
}
public class Startup
{
public Startup()
{
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
}
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("O73xQtVrtLnBIEA+Oaq79x1d2BGOFbmHroVuE4ogrOk=")),
ValidateIssuer = true,
ValidIssuer = "http://localhost:5000",
ValidateAudience = true,
ValidAudience = "http://localhost:5000",
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(0)
};
options.Events = new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
{
context.HttpContext.Response.Headers.Remove("Token-Expired");
context.HttpContext.Response.Headers.Add("Token-Expired", "Relative");
}
return Task.CompletedTask;
}
};
});
services.AddCors(options =>
{
options.AddPolicy("default", builder =>
{
builder.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod().AllowCredentials().WithExposedHeaders("Token-Expired");
});
});
services.AddMvc(options =>
{
options.Filters.Add(new ExceptionFilter());
});
}
public void Configure(IApplicationBuilder app)
{
app.UseDeveloperExceptionPage();
app.UseAuthentication();
app.UseCors("default");
app.UseMvc();
}
}
public class ExceptionFilter : IExceptionFilter
{
public void OnException(ExceptionContext context)
{
var exception = context.Exception;
var statusCode = StatusCodes.Status500InternalServerError;
if (exception is SecurityTokenException)
{
statusCode = StatusCodes.Status401Unauthorized;
context.HttpContext.Response.Headers.Remove("Token-Expired");
context.HttpContext.Response.Headers.Add("Token-Expired", "Absolute");
}
context.Result = new ObjectResult(exception.Message) { StatusCode = statusCode };
}
}
public class TokenCreateInput
{
public string Account { get; set; }
public string Password { get; set; }
}
public class TokenRefreshInput
{
public string AccessToken { get; set; }
public string RefreshToken { get; set; }
}
[Route("token")]
public class TokenController : ControllerBase
{
private static readonly Dictionary<string, dynamic> _dict = new Dictionary<string, dynamic>();
[HttpPost("create")]
public IActionResult Create([FromBody]TokenCreateInput input)
{
// todo: check the argument
var userId = "10086"; // todo: validate the user
var accessToken = CreateAccessToken(
new Claim[]
{
new Claim(JwtRegisteredClaimNames.Sub, userId)
}
);
var refreshToken = CreateRefreshToken();
_dict[userId] = new { RefreshToken = refreshToken, RefreshTokenExpires = DateTime.UtcNow.AddSeconds(60) };
return Ok(new { accessToken, refreshToken, _dict });
}
[HttpPost("refresh")]
public IActionResult Refresh([FromBody]TokenRefreshInput input)
{
// todo: check the argument
var principal = ValidateAccessToken(input.AccessToken);
var userId = principal.Claims.First(v => v.Type == JwtRegisteredClaimNames.Sub)?.Value;
_dict.TryGetValue(userId, out var details);
if (details.RefreshToken == input.RefreshToken && details.RefreshTokenExpires >= DateTime.UtcNow)
{
var accessToken = CreateAccessToken(
new Claim[]
{
new Claim(JwtRegisteredClaimNames.Sub, userId)
}
);
var refreshToken = CreateRefreshToken();
_dict[userId] = new { RefreshToken = refreshToken, RefreshTokenExpires = DateTime.UtcNow.AddSeconds(60) };
return Ok(new { accessToken, refreshToken, _dict });
}
else
{
throw new SecurityTokenException("Invalid RefreshToken");
}
}
private string CreateAccessToken(Claim[] claims)
{
return new JwtSecurityTokenHandler().WriteToken(
new JwtSecurityToken(
issuer: "http://localhost:5000",
audience: "http://localhost:5000",
claims: claims,
notBefore: DateTime.UtcNow,
expires: DateTime.UtcNow.AddSeconds(20),
signingCredentials: new SigningCredentials(
key: new SymmetricSecurityKey(Encoding.UTF8.GetBytes("O73xQtVrtLnBIEA+Oaq79x1d2BGOFbmHroVuE4ogrOk=")),
algorithm: SecurityAlgorithms.HmacSha256
)
)
);
}
private string CreateRefreshToken()
{
var random = new byte[32];
using (var generator = RandomNumberGenerator.Create())
{
generator.GetBytes(random);
return Convert.ToBase64String(random);
}
}
private ClaimsPrincipal ValidateAccessToken(string accessToken)
{
try
{
return new JwtSecurityTokenHandler().ValidateToken(
accessToken,
new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("O73xQtVrtLnBIEA+Oaq79x1d2BGOFbmHroVuE4ogrOk=")),
ValidateLifetime = false
},
out var validatedToken
);
}
catch (Exception)
{
throw new SecurityTokenException("Invalid AccessToken");
}
}
}
[Authorize]
[Route("users")]
public class UserController : ControllerBase
{
[HttpGet]
public IActionResult Get()
{
return Ok(User.FindFirst(v => v.Type == JwtRegisteredClaimNames.Sub)?.Value);
}
}
}
import axios from 'axios'
axios.defaults.baseURL = 'http://localhost:5000'
const tokenRefreshAsync = () => {
return new Promise((resolve, reject) => {
axios.post('token/refresh', {
AccessToken: localStorage.getItem('accessToken'),
RefreshToken: localStorage.getItem('refreshToken')
}).then(response => {
resolve(response.data)
}).catch(error => {
reject(error)
})
})
}
axios.interceptors.request.use(
config => {
const accessToken = localStorage.getItem('accessToken')
if (accessToken) {
config.headers = { 'Authorization': 'Bearer ' + accessToken }
}
return config
},
error => {
return Promise.reject(error)
}
)
axios.interceptors.response.use(
response => {
return response
},
async error => {
if (error && error.response) {
switch (error.response.status) {
case 401:
var tokenExpired = error.response.headers['token-expired']
if (tokenExpired === 'Relative') {
let { accessToken, refreshToken } = await tokenRefreshAsync()
localStorage.setItem('accessToken', accessToken)
localStorage.setItem('refreshToken', refreshToken)
return axios.request(error.config)
} else if (tokenExpired === 'Absolute') {
localStorage.removeItem('accessToken')
localStorage.removeItem('refreshToken')
window.alert('需要重新登录')
} else {
localStorage.removeItem('accessToken')
localStorage.removeItem('refreshToken')
window.alert('需要重新登录')
}
break
}
}
return Promise.reject(error)
}
)
const http = {
get: (url, params, config) => {
return new Promise((resolve, reject) => {
axios.get(url, { params: params }, config).then(response => {
resolve(response.data)
}).catch(error => {
reject(error)
})
})
},
post: (url, params, config) => {
return new Promise((resolve, reject) => {
axios.post(url, params, config).then(response => {
resolve(response.data)
}).catch(error => {
reject(error)
})
})
}
}
export default http
<template>
<div>
<button @click="tokenCreate">token/create</button>
<br />
<button @click="users">users</button>
</div>
</template>
<script>
export default {
data() {
return {
msg: 'Welcome to Your Vue.js App'
}
},
methods: {
async tokenCreate() {
let { accessToken, refreshToken } = await this.$http.post('token/create', {
Account: 'Alice',
Password: '12345'
})
localStorage.setItem('accessToken', accessToken)
localStorage.setItem('refreshToken', refreshToken)
},
async users() {
console.info(await this.$http.get('users'))
}
}
}
</script>
浙公网安备 33010602011771号