JwtAuthExtension.cs 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303
  1. using Microsoft.AspNetCore.Authentication.JwtBearer;
  2. using Microsoft.AspNetCore.Authorization;
  3. using Microsoft.Extensions.Configuration;
  4. using Microsoft.Extensions.DependencyInjection;
  5. using Microsoft.IdentityModel.Tokens;
  6. using System;
  7. using System.Threading.Tasks;
  8. using System.Security.Claims;
  9. using System.IdentityModel.Tokens.Jwt;
  10. using System.Collections.Generic;
  11. using System.Text;
  12. using System.ComponentModel;
  13. namespace TEAMModelOS.SDK.Extension
  14. {
  15. public static class JwtAuthExtension
  16. {
  17. public static string CreateAuthToken(string issuer, string id, string name, string picture, string salt, string scope, string Website, string areaId = "", string schoolID = "", string standard = "", string[] roles = null, string[] permissions = null, int expire = 1)
  18. {
  19. // 設定要加入到 JWT Token 中的聲明資訊(Claims)
  20. var payload = new JwtPayload {
  21. { JwtRegisteredClaimNames.Iss, issuer }, //發行者
  22. { JwtRegisteredClaimNames.Sub, id }, // 用戶ID
  23. { JwtRegisteredClaimNames.Azp,schoolID}, // 學校簡碼,如果有的話
  24. { JwtRegisteredClaimNames.Exp,DateTimeOffset.UtcNow.AddHours(expire).ToUnixTimeSeconds()}, // 到期的時間,必須為數字
  25. { "name",name}, // 用戶的顯示名稱
  26. { "picture",picture}, // 用戶頭像
  27. { "roles",roles}, // 登入者的角色,角色類型 (Admin、Teacher、Student)
  28. { "permissions",permissions}, //登入者的權限請求
  29. { "standard",standard} ,//登入者的能力点标准
  30. { "scope",scope}, //登入者的入口类型。 (teacher 教师端登录的醍摩豆ID、tmduser学生端登录的醍摩豆ID、student学生端登录校内账号的学生ID)
  31. { "area",areaId==null?"":areaId},
  32. { JwtRegisteredClaimNames.Website,Website},
  33. };
  34. // 建立一組對稱式加密的金鑰,主要用於 JWT 簽章之用
  35. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  36. // HmacSha256 有要求必須要大於 128 bits,所以 salt 不能太短,至少要 16 字元以上
  37. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  38. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  39. var header = new JwtHeader(signingCredentials);
  40. var secToken = new JwtSecurityToken(header, payload);
  41. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  42. var tokenHandler = new JwtSecurityTokenHandler();
  43. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  44. var serializeToken = tokenHandler.WriteToken(secToken);
  45. return serializeToken;
  46. }
  47. /// <summary>
  48. ///
  49. /// </summary>
  50. /// <param name="issuer">颁发者</param>
  51. /// <param name="id">第三方合作uuid</param>
  52. /// <param name="salt"></param>
  53. /// <param name="expire"></param>
  54. /// <returns></returns>
  55. public static (string jwt , string jti) CreateBusinessApiToken(string location, string id, string salt,int customize = 0 )
  56. {
  57. string scope = "business";
  58. if (customize != 0)
  59. scope = "customize";
  60. var keys = OpenApiJtwIssuer.OpenApiJtw签发者.GetDescriptionText().Split(',');
  61. string issuer = "";
  62. if (location.Equals("China-Dep"))
  63. {
  64. issuer = keys[0];
  65. }
  66. else if (location.Equals("China-Test"))
  67. {
  68. issuer = keys[0];
  69. }
  70. else if (location.Equals("China"))
  71. {
  72. issuer = keys[1];
  73. }
  74. else if (location.Equals("Global-Dep"))
  75. {
  76. issuer = keys[2];
  77. }
  78. else if (location.Equals("Global-Test"))
  79. {
  80. issuer = keys[2];
  81. }
  82. else if (location.Equals("Global"))
  83. {
  84. issuer = keys[3];
  85. }
  86. string jti = Guid.NewGuid().ToString();
  87. // 設定要加入到 JWT Token 中的聲明資訊(Claims)
  88. var payload = new JwtPayload {
  89. { JwtRegisteredClaimNames.Iss, issuer }, //發行者 iss: jwt签发者
  90. { JwtRegisteredClaimNames.Sub, id }, // APPID sub: jwt所面向的用户
  91. {JwtRegisteredClaimNames.Jti, jti},
  92. { "scope",scope}
  93. };
  94. // 建立一組對稱式加密的金鑰,主要用於 JWT 簽章之用
  95. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  96. // HmacSha256 有要求必須要大於 128 bits,所以 salt 不能太短,至少要 16 字元以上
  97. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  98. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  99. var header = new JwtHeader(signingCredentials);
  100. var secToken = new JwtSecurityToken(header, payload);
  101. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  102. var tokenHandler = new JwtSecurityTokenHandler();
  103. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  104. var serializeToken = tokenHandler.WriteToken(secToken);
  105. return (serializeToken,jti);
  106. }
  107. /// <summary>
  108. ///
  109. /// </summary>
  110. /// <param name="issuer">颁发者</param>
  111. /// <param name="id">第三方合作uuid</param>
  112. /// <param name="salt"></param>
  113. /// <param name="expire"></param>
  114. /// <returns></returns>
  115. public static (string jwt, string jti) CreateSchoolApiToken(string location, string id, string salt,List<int> auth, string schoolID = "")
  116. {
  117. string scope = "school";
  118. var keys = OpenApiJtwIssuer.OpenApiJtw签发者.GetDescriptionText().Split(',');
  119. string issuer = "";
  120. if (location.Equals("China-Dep"))
  121. {
  122. issuer = keys[0];
  123. }
  124. else if (location.Equals("China-Test"))
  125. {
  126. issuer = keys[0];
  127. }
  128. else if (location.Equals("China"))
  129. {
  130. issuer = keys[1];
  131. }
  132. else if (location.Equals("Global-Dep"))
  133. {
  134. issuer = keys[2];
  135. }
  136. else if (location.Equals("Global-Test"))
  137. {
  138. issuer = keys[2];
  139. }
  140. else if (location.Equals("Global"))
  141. {
  142. issuer = keys[3];
  143. }
  144. string jti = Guid.NewGuid().ToString();
  145. // 設定要加入到 JWT Token 中的聲明資訊(Claims)
  146. var payload = new JwtPayload {
  147. { JwtRegisteredClaimNames.Iss, issuer }, //發行者 iss: jwt签发者
  148. { JwtRegisteredClaimNames.Sub, id }, // APPID sub: jwt所面向的用户
  149. {JwtRegisteredClaimNames.Jti, jti},
  150. { "scope",scope},
  151. { "auth",auth},
  152. { JwtRegisteredClaimNames.Azp,schoolID}, // 學校簡碼,如果有的話
  153. };
  154. // 建立一組對稱式加密的金鑰,主要用於 JWT 簽章之用
  155. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  156. // HmacSha256 有要求必須要大於 128 bits,所以 salt 不能太短,至少要 16 字元以上
  157. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  158. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  159. var header = new JwtHeader(signingCredentials);
  160. var secToken = new JwtSecurityToken(header, payload);
  161. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  162. var tokenHandler = new JwtSecurityTokenHandler();
  163. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  164. var serializeToken = tokenHandler.WriteToken(secToken);
  165. return (serializeToken, jti);
  166. }
  167. public static string CreateApiToken(string issuer, string id, string salt, string name, List<int> auth, string schoolID = "", int expire = 1)
  168. {
  169. // 設定要加入到 JWT Token 中的聲明資訊(Claims)
  170. var payload = new JwtPayload {
  171. { JwtRegisteredClaimNames.Iss, issuer }, //發行者 iss: jwt签发者
  172. { JwtRegisteredClaimNames.Sub, id }, // APPID sub: jwt所面向的用户
  173. { JwtRegisteredClaimNames.Aud, "" }, // aud: 接收jwt的一方
  174. { JwtRegisteredClaimNames.Azp,schoolID}, // 學校簡碼,如果有的話
  175. {JwtRegisteredClaimNames.Jti,Guid.NewGuid().ToString() },
  176. { "name",name}, // 用戶的顯示名稱
  177. //{ JwtRegisteredClaimNames.Exp,DateTimeOffset.UtcNow.AddHours(expire).ToUnixTimeSeconds()}, // 到期的時間,必須為數字
  178. //{ "name",name}, // 用戶的顯示名稱
  179. //{ "picture",picture}, // 用戶頭像
  180. { "auth",auth}, // 登入者的角色,角色類型 (Admin、Teacher、Student)
  181. // { "permissions",permissions} //登入者的權限請求
  182. };
  183. // 建立一組對稱式加密的金鑰,主要用於 JWT 簽章之用
  184. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  185. // HmacSha256 有要求必須要大於 128 bits,所以 salt 不能太短,至少要 16 字元以上
  186. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  187. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  188. var header = new JwtHeader(signingCredentials);
  189. var secToken = new JwtSecurityToken(header, payload);
  190. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  191. var tokenHandler = new JwtSecurityTokenHandler();
  192. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  193. var serializeToken = tokenHandler.WriteToken(secToken);
  194. return serializeToken;
  195. }
  196. public static bool ValidateApiToken(string token, string salt)
  197. {
  198. try
  199. {
  200. var handler = new JwtSecurityTokenHandler();
  201. var validationParameters = new TokenValidationParameters
  202. {
  203. RequireExpirationTime = false,
  204. ValidateIssuer = false,
  205. ValidateAudience = false,
  206. IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt)),
  207. ValidateLifetime = false,
  208. //LifetimeValidator = LifetimeValidator,
  209. ClockSkew = TimeSpan.Zero
  210. };
  211. ClaimsPrincipal principal = handler.ValidateToken(token, validationParameters, out SecurityToken securityToken);
  212. return true;
  213. }
  214. catch (Exception)
  215. {
  216. //Trace.WriteLine(ex.Message);
  217. return false;
  218. }
  219. }
  220. public static bool ValidateAuthToken(string token, string salt)
  221. {
  222. try
  223. {
  224. var handler = new JwtSecurityTokenHandler();
  225. var validationParameters = new TokenValidationParameters
  226. {
  227. RequireExpirationTime = true,
  228. ValidateIssuer = false,
  229. ValidateAudience = false,
  230. IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt)),
  231. ValidateLifetime = false,
  232. //LifetimeValidator = LifetimeValidator,
  233. ClockSkew = TimeSpan.Zero
  234. };
  235. ClaimsPrincipal principal = handler.ValidateToken(token, validationParameters, out SecurityToken securityToken);
  236. return true;
  237. }
  238. catch (Exception)
  239. {
  240. //Trace.WriteLine(ex.Message);
  241. return false;
  242. }
  243. }
  244. /// <summary>
  245. /// 第三方登录后的id_token
  246. /// </summary>
  247. /// <param name="issuser"></param>
  248. /// <param name="id"></param>
  249. /// <param name="name"></param>
  250. /// <param name="picture"></param>
  251. /// <param name="webSite"></param>
  252. /// <param name="salt"></param>
  253. /// <param name="roles"></param>
  254. /// <param name="permissions"></param>
  255. /// <param name="expire"></param>
  256. /// <returns></returns>
  257. public static string CreateBizLoginAuthToken(string issuser, string id, string name, string picture, string webSite, string salt, string[] roles = null, string[] permissions = null, int expire = 1)
  258. {
  259. var payload = new JwtPayload
  260. {
  261. { JwtRegisteredClaimNames.Iss,issuser}, //发行者
  262. { JwtRegisteredClaimNames.Sub,id}, //用户ID
  263. { JwtRegisteredClaimNames.Exp,DateTimeOffset.UtcNow.AddHours(expire).ToUnixTimeSeconds()},//到期时间
  264. { "name",name},//用户显示名称
  265. { "picture",picture}, // 用户头像
  266. { "roles",roles}, //登陆者的角色, (admin、dea)
  267. { "permissions",permissions}, //登陆者的权限
  268. { JwtRegisteredClaimNames.Website,webSite}, // 平台站点
  269. };
  270. // 建立加密的秘钥
  271. var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
  272. // HmacSha256 有要求必须要大于 128 bits,所以 salt 不能太短,至少要 16 字元以上
  273. // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
  274. var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
  275. var header = new JwtHeader(signingCredentials);
  276. var secToken = new JwtSecurityToken(header, payload);
  277. // 產出所需要的 JWT securityToken 物件,並取得序列化後的 Token 結果(字串格式)
  278. var tokenHandler = new JwtSecurityTokenHandler();
  279. //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
  280. var serializeToken = tokenHandler.WriteToken(secToken);
  281. return serializeToken;
  282. }
  283. }
  284. public enum OpenApiJtwIssuer
  285. {
  286. [Description("open-test.teammodel.cn,open.teammodel.cn,open-test.teammodel.net,open.teammodel.net")]
  287. OpenApiJtw签发者,
  288. }
  289. }