TEAMModelOS/TEAMModelOS.Extension/IES.Exam/IES.ExamServer/Helpers/JwtAuthExtension.cs

using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;

namespace IES.ExamServer
{
    public class JwtAuthExtension
    {
        public static bool ValidateAuthToken(string token, string salt)
        {
            try
            {
                var handler = new JwtSecurityTokenHandler();
                var validationParameters = new TokenValidationParameters
                {
                    RequireExpirationTime = false,
                    ValidateIssuer = false,
                    ValidateAudience = false,
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt)),
                    ValidateLifetime = false,
                    //LifetimeValidator = LifetimeValidator,
                    ClockSkew = TimeSpan.Zero
                };
                ClaimsPrincipal principal = handler.ValidateToken(token, validationParameters, out SecurityToken securityToken);
                return true;
            }
            catch (Exception)
            {
                //Trace.WriteLine(ex.Message);
                return false;
            }
        }


        public static string CreateAuthToken(string? issuer, string? id, string? name, string? picture, string? salt, string? scope,   int timezone,   string? schoolID =null,string[]? roles = null,   int expire = 1, int year = -1)
        {
            // 設定要加入到 JWT Token 中的聲明資訊(Claims)  
            var payload = new JwtPayload {
                { JwtRegisteredClaimNames.Iss, issuer }, //發行者
                { JwtRegisteredClaimNames.Azp,schoolID}, // 學校簡碼，如果有的話
                { JwtRegisteredClaimNames.Sub, id }, // 用戶ID                  
                { JwtRegisteredClaimNames.Exp,DateTimeOffset.UtcNow.AddHours(expire).ToUnixTimeSeconds()},  // 到期的時間，必須為數字
                { "name",name}, // 用戶的顯示名稱
                { "picture",picture}, // 用戶頭像
                { "roles",roles}, // 登入者的角色，角色類型 (Admin、Teacher、Student) 
                { "scope",scope},  //登入者的入口类型。 (teacher 教师端登录的醍摩豆ID、tmduser学生端登录的醍摩豆ID、student学生端登录校内账号的学生ID)
                { "timezone",timezone},
                { JwtRegisteredClaimNames.Jti,Guid.NewGuid().ToString()}
            };
            // 建立一組對稱式加密的金鑰，主要用於 JWT 簽章之用
            var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(salt));
            // HmacSha256 有要求必須要大於 128 bits，所以 salt 不能太短，至少要 16 字元以上
            // https://stackoverflow.com/questions/47279947/idx10603-the-algorithm-hs256-requires-the-securitykey-keysize-to-be-greater
            //var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);
            var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
            var header = new JwtHeader(signingCredentials);
            var secToken = new JwtSecurityToken(header, payload);
            // 產出所需要的 JWT securityToken 物件，並取得序列化後的 Token 結果(字串格式)
            var tokenHandler = new JwtSecurityTokenHandler();
            //var securityToken = tokenHandler.CreateToken(tokenDescriptor);
            var serializeToken = tokenHandler.WriteToken(secToken);

            return serializeToken;
        }
    }
}