Edition 0 Updated to asp. Net core 0
Yüklə 11,82 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Microsoft.AspNetCore.Authentication.JwtBearer
|
Consume security tokens
Authenticating against an OpenID Connect endpoint or issuing your own security tokens covers some scenarios. But what about a service that simply needs to limit access to those users who have valid security tokens that were provided by a different service? For that scenario, authentication middleware that handles JWT tokens is available in the Microsoft.AspNetCore.Authentication.JwtBearer package. JWT stands for “ JSON Web Token ” and is a common security token format (defined by RFC 7519) for communicating security claims. A simplified example of how to use middleware to consume such tokens might look like this code fragment, taken from the Ordering.Api microservice of eShopOnContainers. // Program.cs var identityUrl = builder. Configuration . GetValue < string >( "IdentityUrl" ); // Add Authentication services builder. Services . AddAuthentication (options => { options. DefaultAuthenticateScheme = AspNetCore. Authentication . JwtBearer . JwtBearerDefaults . AuthenticationScheme ; options. DefaultChallengeScheme = AspNetCore. Authentication . JwtBearer . JwtBearerDefaults . AuthenticationScheme ; }). AddJwtBearer (options => { options. Authority = identityUrl; options. RequireHttpsMetadata = false ; options. Audience = "orders" ; }); // Build the app app. UseAuthentication (); //… app. UseEndpoints (endpoints => { //... }); The parameters in this usage are: • Audience represents the receiver of the incoming token or the resource that the token grants access to. If the value specified in this parameter does not match the parameter in the token, the token will be rejected. • Authority is the address of the token-issuing authentication server. The JWT bearer authentication middleware uses this URI to get the public key that can be used to validate the token’s signature. The middleware also confirms that the iss parameter in the token matches this URI. Another parameter, RequireHttpsMetadata , is useful for testing purposes; you set this parameter to false so you can test in environments where you don ’t have certificates. In real -world deployments, JWT bearer tokens should always be passed only over HTTPS. 328 CHAPTER 8 | Make secure .NET Microservices and Web Applications With this middleware in place, JWT tokens are automatically extracted from authorization headers. They are then deserialized, validated (using the values in the Audience and Authority parameters), and stored as user information to be referenced later by MVC actions or authorization filters. The JWT bearer authentication middleware can also support more advanced scenarios, such as using a local certificate to validate a token if the authority is not available. For this scenario, you can specify a TokenValidationParameters object in the JwtBearerOptions object. Additional resources • Yüklə 11,82 Mb. Dostları ilə paylaş:
|