
How to use JWT JSON Web Tokens in C# AspNetCore Websites?

I am trying to pull together a website that uses JWTs for login. My problem is that I do not understand how a website should use the JWTs.

The idea is to split my monolithic architecture into:

  • An IdentityServer for authentication and issuing JWTs.
  • An ApplicationServer API that has endpoints protected by JWT based roles.
  • Front-end Apps and Websites that request JWTs from the IdentityServer, and use them to access data on the ApplicationServer.

This will allow me to use one IdentityServer for many projects, and possibly farm front end development out to 3rd parties, and allow me to concentrate on the application API details.

I have the IdentityServer built. It can take a username/password, validate, and issue an access token and a refresh token. Super. The access token is short-lived and non-secure, and intended to be refreshed periodically. The intention is to store this on the client side, either app or web page. The refresh token is longer-lived, and intended to be stored securely. On a website, this would be stored server-side, and in an app, stored in secure storage for the 'session' duration.

I have a front end website shell set up with some test actions. The user must be authenticated to access them, where being authenticated means having a valid access token.

  • When the user accesses an action initially, they have no token.
  • The front-end webserver should redirect them to a login page, and request credentials (username and password).
  • The webserver forwards credentials to IdentityServer, which should return access and refresh tokens to the webserver if the credentials are valid.
  • The webserver would cache the refresh token and send the access token back to the webpage.
  • The client-side webpage would then cache the access token and send that with each further page request.
  • The webserver would decode the access token, possibly refresh it if necessary, and send back the pages with the updated access token.
  • The conversation (session) ends when a request comes in with a stale access token and enough time has elapsed for the refresh token to expire, and the user is re-directed to the login page.

I am a little lost as to how to return the access token to the webpage.

Also, I do not understand how the web page could either automatically attach a token with each request if it has one, or how a web page could respond to a 401 challenge if it does not.

Is a cookie the only way to attach data to an HTTP conversation, and persist it on the client side during navigation?

Are JWTs purely for Single Page Apps (SPAs) where a page is initially served, and then all subsequent data is handled by Ajax (where I can set the header no problem)?

Alternatively, is it possible to write the webpages such that they always populate the Authorization header with the access token, if it exists?

I realise that I may have thought myself into a knot; any help would be appreciated.

You should have a read up on Auth0's documentation for Resource Owner Password Grant: https://auth0.com/docs/api-auth/grant/password

I would keep the refresh token and the access token together on the client.

My approach would be:

  • Client knows it doesn't have an access token -> shows login button.
  • Login button clicked -> redirect to authentication server with login page. It includes a state/code and a callback URL.
  • Client receives a callback from the user and treats it as the client logging in. The client stores the access token and refresh token (if supplied) in localStorage.
  • It then passes the access token to requests to the API that it wants to access.
  • The API checks if the access token is for it and is valid, allows authorisation and completes the request.
  • The API doesn't have any knowledge of refresh tokens.

Hope it helps
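As an added example (not code from the question or the answer), this is the client-side half of the flow the answer describes, in browser JavaScript: both tokens kept on the client, the access token attached as a Bearer header on every API call, and one refresh-and-retry when the API answers 401. The refresh endpoint URL, the storage key names and the shape of the token response are assumptions; storage and fetch are injected so the same code runs in a browser or in Node.

```javascript
// Assumed identity-server refresh endpoint (placeholder, not from the page).
const IDENTITY_REFRESH_URL = "https://identity.example/connect/token";
// `storage` is anything with the localStorage interface and `fetchImpl` is
// the fetch function; both are injected so the code also runs outside a browser.
function createAuthClient({ storage, fetchImpl }) {
  const load = () => ({
    access: storage.getItem("access_token"),
    refresh: storage.getItem("refresh_token"),
  });
  const save = (tokens) => {
    storage.setItem("access_token", tokens.access_token);
    if (tokens.refresh_token) storage.setItem("refresh_token", tokens.refresh_token);
  };
  const clear = () => {
    storage.removeItem("access_token");
    storage.removeItem("refresh_token");
  };

  // Exchange the refresh token for a new access token; false if that fails,
  // in which case both tokens are dropped and the user has to log in again.
  async function refresh() {
    const { refresh: refreshToken } = load();
    if (!refreshToken) return false;
    const res = await fetchImpl(IDENTITY_REFRESH_URL, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken }),
    });
    if (!res.ok) { clear(); return false; }
    save(await res.json());
    return true;
  }

  // Send an API request with the access token in the Authorization header.
  // The API only validates that token; on a 401 the client refreshes once
  // and retries. A 401 after that means the session is over.
  async function authFetch(url, init = {}) {
    const send = () => {
      const { access } = load();
      const headers = { ...(init.headers || {}) };
      if (access) headers.Authorization = `Bearer ${access}`;
      return fetchImpl(url, { ...init, headers });
    };
    let res = await send();
    if (res.status === 401 && (await refresh())) res = await send();
    return res;
  }

  return { save, clear, refresh, authFetch, isLoggedIn: () => Boolean(load().access) };
}
```

Anything kept in localStorage is readable by any script that runs on the page's origin, so this store is worth pairing with a strict Content-Security-Policy and the short access-token lifetime the question already plans for.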
