4

我们有一个 ASP CORE 3 API 项目,我们需要使用 API 令牌来保护它。这些 API 令牌将从数据库中提供和加载,但作为概念证明,我们将硬编码以进行测试。我们所看到的所有令牌授权都是指 JWT。我们不想使用 JWT。我们只需提供允许访问我们的 API 的 API 密钥 - 然后用户可以通过在标头中传递令牌来调用 API 方法,例如 X-CUSTOM-TOKEN:abcdefg。

如何修改 startup.cs 和管道,以便在每次请求时检查此 X-CUSTOM-TOKEN 标头?一个正确方向的简单点会很棒。

编辑:好的,这看起来是一个很好的开始!非常感谢!

您的示例似乎表明用户 API 令牌是用户令牌。我们的要求是我们需要一个 API Key 来使用 API,然后还需要一个 User Token 来调用某些控制器。

示例:myapi.com/Auth/SSO(通过 API Token 和 User Information 登录,返回 User information + User Token)

myapi.com/Schedule/Create(需要 API 令牌标头和带有用户令牌的标头)

你能建议如何修改你的代码来支持这个吗?

4

2 回答 2

14

您可以为此场景创建自定义身份验证方案,因为已经有一个内置的Authentication中间件。此外,自定义身份验证方案允许您与内置身份验证/授权子系统集成。您不必实现自己的挑战/禁止逻辑。

例如,创建一个处理程序和选项,如下所示:

public class MyCustomTokenAuthOptions : AuthenticationSchemeOptions
{
    public const string DefaultScemeName= "MyCustomTokenAuthenticationScheme";
    public string  TokenHeaderName{get;set;}= "X-CUSTOM-TOKEN";
}

public class MyCustomTokenAuthHandler : AuthenticationHandler<MyCustomTokenAuthOptions>
{
    public MyCustomTokenAuthHandler(IOptionsMonitor<MyCustomTokenAuthOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) 
        : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.ContainsKey(Options.TokenHeaderName))
            return Task.FromResult(AuthenticateResult.Fail($"Missing Header For Token: {Options.TokenHeaderName}"));

        var token = Request.Headers[Options.TokenHeaderName];
        // get username from db or somewhere else accordining to this token
        var username= "Username-From-Somewhere-By-Token";
        var claims = new[] {
            new Claim(ClaimTypes.NameIdentifier, username),
            new Claim(ClaimTypes.Name, username),
            // add other claims/roles as you like
        };
        var id = new ClaimsIdentity(claims, Scheme.Name);
        var principal = new ClaimsPrincipal(id);
        var ticket = new AuthenticationTicket(principal, Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}

然后在您的启动中配置此身份验证方案:

services.AddAuthentication(MyCustomTokenAuthOptions.DefaultScemeName)
    .AddScheme<MyCustomTokenAuthOptions,MyCustomTokenAuthHandler>(
        MyCustomTokenAuthOptions.DefaultScemeName,
        opts =>{
            // you can change the token header name here by :
            //     opts.TokenHeaderName = "X-Custom-Token-Header";
        }
    );

也不要忘记Authentication在方法中启用中间件Configure(IApplicationBuilder app, IWebHostEnvironment env)

    app.UseRouting();

    app.UseAuthentication();       // add this line, the order is important
    app.UseAuthorization(); 

    app.UseEndpoints(endpoints =>{  ... });

最后,保护您的端点,例如:

[Authorize(AuthenticationSchemes=MyCustomTokenAuthOptions.DefaultScemeName)]
public IActionResult ScretApi()
{
    return new JsonResult(...);
}

或直接使用 Authorize() ,因为我们已将 MyCustomTokenAuth 方案设置为默认身份验证方案:

[Authorize()]
public IActionResult ScretApi()
{
    return new JsonResult(...);
}

[编辑]

我们的要求是我们需要一个 API Key 来使用 API,然后还需要一个 User Token 来调用某些控制器。

行。假设我们有一个TokenChecker检查 api 密钥并且令牌是正确的(由于我不知道具体的业务逻辑,我只是​​回到true这里):

public static class TokenChecker{
    public static Task<bool> CheckApiKey(StringValues apiKey) {
        return Task.FromResult(true);// ... return true/false according to the business
    }

    public static Task<bool> CheckToken(StringValues userToken) {
        return Task.FromResult(true);// ... return true/false according to the business
    }
}

并更改上述身份验证方案以检查 ApiKey 和 UserToken 标头,如下所示:

public class MyCustomTokenAuthOptions : AuthenticationSchemeOptions
{
    public const string DefaultScemeName= "MyCustomTokenAuthenticationScheme";
    public string  ApiKeyHeaderName{get;set;}= "X-Api-Key";
    public string  UserTokenHeaderName{get;set;}= "X-User-Token";
}

public class MyCustomTokenAuthHandler : AuthenticationHandler<MyCustomTokenAuthOptions>
{
    public MyCustomTokenAuthHandler(IOptionsMonitor<MyCustomTokenAuthOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) 
        : base(options, logger, encoder, clock) { }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.ContainsKey(Options.ApiKeyHeaderName))
            return AuthenticateResult.Fail($"Missing Header For Token: {Options.ApiKeyHeaderName}");
        if (!Request.Headers.ContainsKey(Options.UserTokenHeaderName))
            return AuthenticateResult.Fail($"Missing Header For Token: {Options.UserTokenHeaderName}");

        var apiKey= Request.Headers[Options.ApiKeyHeaderName];
        var userToken = Request.Headers[Options.UserTokenHeaderName];
        var succeeded= await TokenChecker.CheckToken(userToken) && await TokenChecker.CheckApiKey(apiKey);
        if(!succeeded ){ return AuthenticateResult.Fail("incorrect ApiKey or UserToken"); }

        var username = "the-username-from-user-token"; //e.g. decode the userToken header
        var claims = new[] {
            new Claim(ClaimTypes.NameIdentifier, username),
            new Claim(ClaimTypes.Name, username),
            // add other claims/roles as you like
        };
        var id = new ClaimsIdentity(claims, Scheme.Name);
        var principal = new ClaimsPrincipal(id);
        var ticket = new AuthenticationTicket(principal, Scheme.Name);
        return AuthenticateResult.Success(ticket);
    }
}

并更改您的 Auth/SSO 端点以返回用户令牌:

public class AuthController: Controller
{
    private readonly MyCustomTokenAuthOptions _myCustomAuthOpts;
    // inject the options so that we can know the actual header name
    public AuthController(IOptionsMonitor<MyCustomTokenAuthOptions> options)
    {
        this._myCustomAuthOpts= options.CurrentValue;
    }

    [HttpPost("/Auth/SSO")]
    public async System.Threading.Tasks.Task<IActionResult> CreateUserTokenAsync()
    {
        var apiKeyHeaderName =_myCustomAuthOpts.ApiKeyHeaderName ;
        if (!Request.Headers.ContainsKey(apiKeyHeaderName))
            return BadRequest($"Missing Header For Token: {apiKeyHeaderName}");

        // check key
        var succeeded = await TokenChecker.CheckApiKey(Request.Headers[apiKeyHeaderName]);
        if(!succeeded)
            return BadRequest($"Incorrect Api Key");
        return Json(... {userInfo, apiKey} ... );
    }
}
于 2019-12-11T02:03:41.257 回答
0

您可以创建自定义中间件来检查标头并验证令牌的值,然后只需将其注入中间件管道,我认为这就是您所需要的。

于 2019-12-10T23:13:39.297 回答