ASP.NET核心JWT承载令牌自定义验证

Question

经过大量阅读，我找到了一种实现自定义JWT承载令牌验证器的方法，如下所示。

Starup.cs代码：

public void Configure(IApplicationBuilder app, IHostingEnvironment env, 
         ILoggerFactory loggerFactory, IApplicationLifetime appLifetime)
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();

    app.UseStaticFiles();

    app.UseIdentity();

    ConfigureAuth(app);

    app.UseMvcWithDefaultRoute();            
}

private void ConfigureAuth(IApplicationBuilder app)
    {

        var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration.GetSection("TokenAuthentication:SecretKey").Value));


        var tokenValidationParameters = new TokenValidationParameters
        {
            // The signing key must match!
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            // Validate the JWT Issuer (iss) claim
            ValidateIssuer = true,
            ValidIssuer = Configuration.GetSection("TokenAuthentication:Issuer").Value,
            // Validate the JWT Audience (aud) claim
            ValidateAudience = true,
            ValidAudience = Configuration.GetSection("TokenAuthentication:Audience").Value,
            // Validate the token expiry
            ValidateLifetime = true,
            // If you want to allow a certain amount of clock drift, set that here:
            ClockSkew = TimeSpan.Zero
        };

        var jwtBearerOptions = new JwtBearerOptions();
        jwtBearerOptions.AutomaticAuthenticate = true;
        jwtBearerOptions.AutomaticChallenge = true;
        jwtBearerOptions.TokenValidationParameters = tokenValidationParameters;
        jwtBearerOptions.SecurityTokenValidators.Clear();
        //below line adds the custom validator class
        jwtBearerOptions.SecurityTokenValidators.Add(new CustomJwtSecurityTokenHandler());
        app.UseJwtBearerAuthentication(jwtBearerOptions);

        var tokenProviderOptions = new TokenProviderOptions
        {
            Path = Configuration.GetSection("TokenAuthentication:TokenPath").Value,
            Audience = Configuration.GetSection("TokenAuthentication:Audience").Value,
            Issuer = Configuration.GetSection("TokenAuthentication:Issuer").Value,
            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256)
        };

        app.UseMiddleware<TokenProviderMiddleware>(Options.Create(tokenProviderOptions));
    }

以下是自定义验证器类：

public class CustomJwtSecurityTokenHandler : ISecurityTokenValidator
{
    private int _maxTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
    private JwtSecurityTokenHandler _tokenHandler;

    public CustomJwtSecurityTokenHandler()
    {
        _tokenHandler = new JwtSecurityTokenHandler();
    }

    public bool CanValidateToken
    {
        get
        {
            return true;
        }
    }

    public int MaximumTokenSizeInBytes
    {
        get
        {
            return _maxTokenSizeInBytes;
        }

        set
        {
            _maxTokenSizeInBytes = value;
        }
    }

    public bool CanReadToken(string securityToken)
    {
        return _tokenHandler.CanReadToken(securityToken);            
    }

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
    {
        //How to access HttpContext/IP address from here?

        var principal = _tokenHandler.ValidateToken(securityToken, validationParameters, out validatedToken);

        return principal;
    }
}

如果被盗令牌，我想添加一层额外的安全性来验证请求是否来自生成令牌的同一客户端。

问题：

1. 有什么方法可以访问HttpContext类中的CustomJwtSecurityTokenHandler，以便我可以根据当前客户端/请求者添加自定义验证吗？
2. 我们是否可以使用此类方法/中间件验证请求者的真实性？

Answer 1

在ASP.NET Core HttpContext中可以使用IHttpContextAccessor服务获取。使用DI将IHttpContextAccessor实例传递到您的处理程序并获取IHttpContextAccessor.HttpContext属性的值。

默认情况下，

IHttpContextAccessor服务未注册，因此您首先需要在Startup.ConfigureServices方法中添加以下内容：

services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();

然后修改您的CustomJwtSecurityTokenHandler课程：

private readonly IHttpContextAccessor _httpContextAccessor;

public CustomJwtSecurityTokenHandler(IHttpContextAccessor httpContextAccessor)
{
    _httpContextAccessor = httpContextAccessor;
    _tokenHandler = new JwtSecurityTokenHandler();
}

... 

public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
    var httpContext = _httpContextAccessor.HttpContext;
}

您还应该使用DI技术进行JwtSecurityTokenHandler实例化。如果您不熟悉所有这些内容，请查看Dependency Injection文档。

更新：如何手动解决依赖关系（更多信息here）

修改Configure方法以使用IServiceProvider serviceProvider：

public void Configure(IApplicationBuilder app, IHostingEnvironment env, 
         ILoggerFactory loggerFactory, IApplicationLifetime appLifetime,
         IServiceProvider serviceProvider)
{
    ...
    var httpContextAccessor = serviceProvider.GetService<IHttpContextAccessor>();
    // and extend ConfigureAuth
    ConfigureAuth(app, httpContextAccessor);
    ...
}

Answer 2

对于自定义JWT验证器，我创建了IOAuthBearerAuthenticationProvider继承的JWTCosumerProvider类。并实现ValidateIdentity（）方法来检查我首先存储了客户端IP地址的身份声明，然后将其与当前请求的ID地址进行比较。

public Task ValidateIdentity(OAuthValidateIdentityContext context)
    {

        var requestIPAddress = context.Ticket.Identity.FindFirst(ClaimTypes.Dns)?.Value;

        if (requestIPAddress == null)
            context.SetError("Token Invalid", "The IP Address not right");

        string clientAddress = JWTHelper.GetClientIPAddress();
        if (!requestIPAddress.Equals(clientAddress))
            context.SetError("Token Invalid", "The IP Address not right");


        return Task.FromResult<object>(null);
    }

JWTHelper.GetClientIPAddress（）

internal static string GetClientIPAddress()
    {
        System.Web.HttpContext context = System.Web.HttpContext.Current;
        string ipAddress = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

        if (!string.IsNullOrEmpty(ipAddress))
        {
            string[] addresses = ipAddress.Split(',');
            if (addresses.Length != 0)
            {
                return addresses[0];
            }
        }

        return context.Request.ServerVariables["REMOTE_ADDR"];
    }

希望获得帮助！

Answer 3

只是为了补充另一个解决方案而不注入 ISecurityTokenValidator，就像

在您的 ISecurityTokenValidator 实现中（本例中为 CustomJwtSecurityTokenHandler）

public class CustomJwtSecurityTokenHandler : ISecurityTokenValidator {
   ...

   //Set IHttpContextAccessor as public property to set later in Starup class
   public IHttpContextAccessor _httpContextAccessor { get; set; };

   //Remove injection of httpContextAccessor;
   public CustomJwtSecurityTokenHandler()
   {
   _tokenHandler = new JwtSecurityTokenHandler();
   }

   ...

并在启动类中将属性“CustomJwtSecurityTokenHandler”配置为全局成员

public readonly CustomJwtSecurityTokenHandler customJwtSecurityTokenHandler = new()

在 Startup 类的 ConfigureServices 方法中添加全局 customJwtSecurityTokenHandler。

 public void ConfigureServices(IServiceCollection services)
 {

      ...

      services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
           .AddJwtBearer(
                o =>
                {
                    ...
                    //Add the global ISercurityTokenValidator implementation
                    o.SecurityTokenValidators.Add(this.customJwtSecurityTokenHandler );
                }
            );

      ...
} 

然后在Startup类的Configure方法中将IHttpContextAccessor实例传递给全局customJwtSecurityTokenHandler(ISecurityTokenValidator)的属性

public void Configure(IApplicationBuilder app, IHostingEnvironment env, 
         ILoggerFactory loggerFactory, IApplicationLifetime appLifetime,
         IServiceProvider serviceProvider)
{
    ...
    var httpContextAccessor = serviceProvider.GetService<IHttpContextAccessor>();
    //And add to property, and not by constructor
    customJwtSecurityTokenHandler.httpContextAccessor = httpContextAccessor;
    ...
}

在我的例子中，我已经在 ConfigureService 中配置了 SecurityTokenValidator，所以此时不​​存在 IServiceProvider 的任何实例，然后在 Configure 方法中，您可以使用 IServiceProvider 来获取 IHttpContextAccessor