JwtAuthExtension.cs 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301
  1. using Microsoft.AspNetCore.Authentication.JwtBearer;
  2. using Microsoft.AspNetCore.Authorization;
  3. using Microsoft.Extensions.Configuration;
  4. using Microsoft.Extensions.DependencyInjection;
  5. using Microsoft.IdentityModel.Tokens;
  6. using System;
  7. using System.Threading.Tasks;
  8. using System.Security.Claims;
  9. using System.IdentityModel.Tokens.Jwt;
  10. using System.Collections.Generic;
  11. using System.Text;
  12. using System.ComponentModel;
  13. namespace TEAMModelOS.SDK.Extension
  14. {
  15. public static class JwtAuthExtension
  16. {
  17. public static string CreateAuthToken(string issuer, string id, string name, string picture, string salt, string scope, string Website, string areaId = "", string schoolID = "", string standard = "", string[] roles = null, string[] permissions = null, int expire = 1)
  18. {
  19. // 設定要加入到 JWT Token 中的聲明資訊(Claims)
  20. var payload = new JwtPayload {
  21. { JwtRegisteredClaimNames.Iss, issuer }, //發行者
  22. { JwtRegisteredClaimNames.Sub, id }, // 用戶ID
  23. { JwtRegisteredClaimNames.Azp,schoolID}, // 學校簡碼,如果有的話
  24. { JwtRegisteredClaimNames.Exp,DateTimeOffset.UtcNow.AddHours(expire).ToUnixTimeSeconds().ToString()}, // 到期的時間,必須為數字
  25. { "name",name}, // 用戶的顯示名稱
  26. { "picture",picture}, // 用戶頭像
  27. { "roles",roles}, // 登入者的角色,角色類型 (Admin、Teacher、Student)
  28. { "permissions",permissions}, //登入者的權限請求
  29. { "standard",standard} ,//登入者的能力点标准
  30. { "scope",scope}, //登入者的入口类型。 (teacher 教师端登录的醍摩豆ID、tmduser学生端登录的醍摩豆ID、student学生端登录校内账号的学生ID)
  31. { "area",areaId==null?"":areaId},
  32. { JwtRegisteredClaimNames.Website,Website},
  33. };
  34. // 建立一組對稱式加密的金鑰,主要用於 JWT 簽章之用
  35. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  36. // HmacSha256 有要求必須要大於 128 bits,所以 salt 不能太短,至少要 16 字元以上
  37. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  38. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  39. var header = new JwtHeader(signingCredentials);
  40. var secToken = new JwtSecurityToken(header, payload);
  41. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  42. var tokenHandler = new JwtSecurityTokenHandler();
  43. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  44. var serializeToken = tokenHandler.WriteToken(secToken);
  45. return serializeToken;
  46. }
  47. /// <summary>
  48. ///
  49. /// </summary>
  50. /// <param name="issuer">颁发者</param>
  51. /// <param name="id">第三方合作uuid</param>
  52. /// <param name="salt"></param>
  53. /// <param name="expire"></param>
  54. /// <returns></returns>
  55. public static (string jwt , string jti) CreateBusinessApiToken(string location, string id, string salt ,string scope)
  56. {
  57. var keys = OpenApiJtwIssuer.OpenApiJtw签发者.GetDescriptionText().Split(',');
  58. string issuer = "";
  59. if (location.Equals("China-Dep"))
  60. {
  61. issuer = keys[0];
  62. }
  63. else if (location.Equals("China-Test"))
  64. {
  65. issuer = keys[0];
  66. }
  67. else if (location.Equals("China"))
  68. {
  69. issuer = keys[1];
  70. }
  71. else if (location.Equals("Global-Dep"))
  72. {
  73. issuer = keys[2];
  74. }
  75. else if (location.Equals("Global-Test"))
  76. {
  77. issuer = keys[2];
  78. }
  79. else if (location.Equals("Global"))
  80. {
  81. issuer = keys[3];
  82. }
  83. string jti = Guid.NewGuid().ToString();
  84. // 設定要加入到 JWT Token 中的聲明資訊(Claims)
  85. var payload = new JwtPayload {
  86. { JwtRegisteredClaimNames.Iss, issuer }, //發行者 iss: jwt签发者
  87. { JwtRegisteredClaimNames.Sub, id }, // APPID sub: jwt所面向的用户
  88. {JwtRegisteredClaimNames.Jti, jti},
  89. { "scope",scope}
  90. };
  91. // 建立一組對稱式加密的金鑰,主要用於 JWT 簽章之用
  92. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  93. // HmacSha256 有要求必須要大於 128 bits,所以 salt 不能太短,至少要 16 字元以上
  94. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  95. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  96. var header = new JwtHeader(signingCredentials);
  97. var secToken = new JwtSecurityToken(header, payload);
  98. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  99. var tokenHandler = new JwtSecurityTokenHandler();
  100. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  101. var serializeToken = tokenHandler.WriteToken(secToken);
  102. return (serializeToken,jti);
  103. }
  104. /// <summary>
  105. ///
  106. /// </summary>
  107. /// <param name="issuer">颁发者</param>
  108. /// <param name="id">第三方合作uuid</param>
  109. /// <param name="salt"></param>
  110. /// <param name="expire"></param>
  111. /// <returns></returns>
  112. public static (string jwt, string jti) CreateSchoolApiToken(string location, string id, string salt, string scope, List<int> auth, string schoolID = "")
  113. {
  114. var keys = OpenApiJtwIssuer.OpenApiJtw签发者.GetDescriptionText().Split(',');
  115. string issuer = "";
  116. if (location.Equals("China-Dep"))
  117. {
  118. issuer = keys[0];
  119. }
  120. else if (location.Equals("China-Test"))
  121. {
  122. issuer = keys[0];
  123. }
  124. else if (location.Equals("China"))
  125. {
  126. issuer = keys[1];
  127. }
  128. else if (location.Equals("Global-Dep"))
  129. {
  130. issuer = keys[2];
  131. }
  132. else if (location.Equals("Global-Test"))
  133. {
  134. issuer = keys[2];
  135. }
  136. else if (location.Equals("Global"))
  137. {
  138. issuer = keys[3];
  139. }
  140. string jti = Guid.NewGuid().ToString();
  141. // 設定要加入到 JWT Token 中的聲明資訊(Claims)
  142. var payload = new JwtPayload {
  143. { JwtRegisteredClaimNames.Iss, issuer }, //發行者 iss: jwt签发者
  144. { JwtRegisteredClaimNames.Sub, id }, // APPID sub: jwt所面向的用户
  145. {JwtRegisteredClaimNames.Jti, jti},
  146. { "scope",scope},
  147. { "auth",auth},
  148. { JwtRegisteredClaimNames.Azp,schoolID}, // 學校簡碼,如果有的話
  149. };
  150. // 建立一組對稱式加密的金鑰,主要用於 JWT 簽章之用
  151. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  152. // HmacSha256 有要求必須要大於 128 bits,所以 salt 不能太短,至少要 16 字元以上
  153. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  154. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  155. var header = new JwtHeader(signingCredentials);
  156. var secToken = new JwtSecurityToken(header, payload);
  157. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  158. var tokenHandler = new JwtSecurityTokenHandler();
  159. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  160. var serializeToken = tokenHandler.WriteToken(secToken);
  161. return (serializeToken, jti);
  162. }
  163. public static string CreateApiToken(string issuer, string id, string salt, string name, List<int> auth, string schoolID = "", int expire = 1)
  164. {
  165. // 設定要加入到 JWT Token 中的聲明資訊(Claims)
  166. var payload = new JwtPayload {
  167. { JwtRegisteredClaimNames.Iss, issuer }, //發行者 iss: jwt签发者
  168. { JwtRegisteredClaimNames.Sub, id }, // APPID sub: jwt所面向的用户
  169. { JwtRegisteredClaimNames.Aud, "" }, // aud: 接收jwt的一方
  170. { JwtRegisteredClaimNames.Azp,schoolID}, // 學校簡碼,如果有的話
  171. {JwtRegisteredClaimNames.Jti,Guid.NewGuid().ToString() },
  172. { "name",name}, // 用戶的顯示名稱
  173. //{ JwtRegisteredClaimNames.Exp,DateTimeOffset.UtcNow.AddHours(expire).ToUnixTimeSeconds().ToString()}, // 到期的時間,必須為數字
  174. //{ "name",name}, // 用戶的顯示名稱
  175. //{ "picture",picture}, // 用戶頭像
  176. { "auth",auth}, // 登入者的角色,角色類型 (Admin、Teacher、Student)
  177. // { "permissions",permissions} //登入者的權限請求
  178. };
  179. // 建立一組對稱式加密的金鑰,主要用於 JWT 簽章之用
  180. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  181. // HmacSha256 有要求必須要大於 128 bits,所以 salt 不能太短,至少要 16 字元以上
  182. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  183. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  184. var header = new JwtHeader(signingCredentials);
  185. var secToken = new JwtSecurityToken(header, payload);
  186. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  187. var tokenHandler = new JwtSecurityTokenHandler();
  188. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  189. var serializeToken = tokenHandler.WriteToken(secToken);
  190. return serializeToken;
  191. }
  192. public static bool ValidateApiToken(string token, string salt)
  193. {
  194. try
  195. {
  196. var handler = new JwtSecurityTokenHandler();
  197. var validationParameters = new TokenValidationParameters
  198. {
  199. RequireExpirationTime = false,
  200. ValidateIssuer = false,
  201. ValidateAudience = false,
  202. IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt)),
  203. ValidateLifetime = false,
  204. //LifetimeValidator = LifetimeValidator,
  205. ClockSkew = TimeSpan.Zero
  206. };
  207. ClaimsPrincipal principal = handler.ValidateToken(token, validationParameters, out SecurityToken securityToken);
  208. return true;
  209. }
  210. catch (Exception)
  211. {
  212. //Trace.WriteLine(ex.Message);
  213. return false;
  214. }
  215. }
  216. public static bool ValidateAuthToken(string token, string salt)
  217. {
  218. try
  219. {
  220. var handler = new JwtSecurityTokenHandler();
  221. var validationParameters = new TokenValidationParameters
  222. {
  223. RequireExpirationTime = true,
  224. ValidateIssuer = false,
  225. ValidateAudience = false,
  226. IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt)),
  227. ValidateLifetime = false,
  228. //LifetimeValidator = LifetimeValidator,
  229. ClockSkew = TimeSpan.Zero
  230. };
  231. ClaimsPrincipal principal = handler.ValidateToken(token, validationParameters, out SecurityToken securityToken);
  232. return true;
  233. }
  234. catch (Exception)
  235. {
  236. //Trace.WriteLine(ex.Message);
  237. return false;
  238. }
  239. }
  240. /// <summary>
  241. /// 第三方登录后的id_token
  242. /// </summary>
  243. /// <param name="issuser"></param>
  244. /// <param name="id"></param>
  245. /// <param name="name"></param>
  246. /// <param name="picture"></param>
  247. /// <param name="webSite"></param>
  248. /// <param name="salt"></param>
  249. /// <param name="roles"></param>
  250. /// <param name="permissions"></param>
  251. /// <param name="expire"></param>
  252. /// <returns></returns>
  253. public static string CreateBizLoginAuthToken(string issuser, string id, string name, string picture, string webSite, string salt, string[] roles = null, string[] permissions = null, int expire = 1)
  254. {
  255. var payload = new JwtPayload
  256. {
  257. { JwtRegisteredClaimNames.Iss,issuser}, //发行者
  258. { JwtRegisteredClaimNames.Sub,id}, //用户ID
  259. { JwtRegisteredClaimNames.Exp,DateTimeOffset.UtcNow.AddHours(expire).ToUnixTimeSeconds().ToString()},//到期时间
  260. { "name",name},//用户显示名称
  261. { "picture",picture}, // 用户头像
  262. { "roles",roles}, //登陆者的角色, (admin、dea)
  263. { "permissions",permissions}, //登陆者的权限
  264. { JwtRegisteredClaimNames.Website,webSite}, // 平台站点
  265. };
  266. // 建立加密的秘钥
  267. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  268. // HmacSha256 有要求必须要大于 128 bits,所以 salt 不能太短,至少要 16 字元以上
  269. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  270. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  271. var header = new JwtHeader(signingCredentials);
  272. var secToken = new JwtSecurityToken(header, payload);
  273. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  274. var tokenHandler = new JwtSecurityTokenHandler();
  275. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  276. var serializeToken = tokenHandler.WriteToken(secToken);
  277. return serializeToken;
  278. }
  279. }
  280. public enum OpenApiJtwIssuer
  281. {
  282. [Description("open-test.teammodel.cn,open.teammodel.cn,open-test.teammodel.net,open.teammodel.net")]
  283. OpenApiJtw签发者,
  284. }
  285. }