[Blazor] 一文理清 Blazor Identity 鉴权验证

忿忿的泥巴坨 · 2024-12-20 20:46:00

一文理清 Blazor Identity 鉴权验证

择要

在现代Web应用程序中，身份认证与授权是确保应用安全性和用户数据掩护的关键环节。Blazor作为基于C#和.NET的前端框架，提供了丰富的身份认证与授权机制。本文将深入解析Blazor的身份认证框架的构成，比较不同渲染模式下鉴权逻辑的异同，并通过具体案例演示如安在Blazor Server和Blazor WebAssembly中实现身份认证。通过本文的学习，读者将能够更好地理解并应用Blazor中的Identity，以构建安全可靠的Web应用程序。
鉴权框架的构成

Blazor的身份认证框架主要由以下三个核心部分组成：
基架： AuthenticationMiddleware (Microsoft.AspNetCore.Authentication)

AuthenticationMiddleware是ASP.NET Core中用于处理身份认证的中心件组件。它位于请求处理管道中，负责验证用户的身份并构建ClaimsPrincipal对象，将其附加到HttpContext.User属性中。全部后续的中心件和请求处理程序都可以访问该用户对象，从而了解当前请求的身份信息。
在Blazor应用程序中，AuthenticationMiddleware的作用是拦截HTTP请求，检查请求中是否包含有效的认证凭据（例如Cookie、JWT等）。如果凭据有效，它将解析并构建用户的身份信息；如果无效，则将用户视为未认证状态。
否
是
Cookie认证
JWT认证
其他方案
成功
失败
是
否
通过
不通过
HTTP请求
是否需要认证
直接访问资源
Authentication中心件
检查认证方案
解析Cookie
解析Authorization Header
...
验证Cookie有效性
验证Token署名
验证相应凭证
验证结果
创建ClaimsPrincipal
返回401/403
设置HttpContext.User
是否需要授权
Authorization中心件
访问资源
检查授权策略
访问资源
返回403

引用：

Microsoft 文档：身份验证中心件
Microsoft 文档：使用身份验证中心件

后端鉴权逻辑服务： IdentityCore (Microsoft.AspNetCore.Identity)

IdentityCore是ASP.NET Core提供的完整的身份管理框架。它为开发者提供了处理用户注册、登录、角色管理、暗码重置等功能的 APIs 和服务。IdentityCore高度可定制，可以使用不同的数据存储方式（如Entity Framework Core、MongoDB等）和暗码哈希算法。
在Blazor Server模式下，IdentityCore通常与AuthenticationMiddleware结合使用。后端服务器负责处理全部与身份相关的逻辑，包括验证用户凭据、管理用户数据和生成身份认证令牌等。
核心架构图

IdentityUser
+string Id
+string UserName
+string Email
+string PasswordHash
+string SecurityStamp
+bool EmailConfirmed
+bool TwoFactorEnabled
IdentityRole
+string Id
+string Name
+string NormalizedName
UserManager
+CreateAsync()
+FindByIdAsync()
+AddToRoleAsync()
+CheckPasswordAsync()
+GenerateEmailConfirmationTokenAsync()
SignInManager
+PasswordSignInAsync()
+SignInAsync()
+SignOutAsync()
+TwoFactorAuthenticatorSignInAsync()
RoleManager
+CreateAsync()
+FindByIdAsync()
+AddClaimAsync()
IdentityDbContext
+DbSet Users
+DbSet Roles
+DbSet UserClaims
+DbSet RoleClaims
UserStore
+CreateAsync()
+UpdateAsync()
+FindByIdAsync()
+AddToRoleAsync()
RoleStore
+CreateAsync()
+UpdateAsync()
+FindByIdAsync()
IdentityOptions
+PasswordOptions
+LockoutOptions
+UserOptions
+SignInOptions
IdentityBuilder
+AddEntityFrameworkStores()
+AddDefaultTokenProviders()
+AddDefaultUI()

配置与启动流程（图中的配置函数非常原始，案例中会使用较新的简化函数，不过最终都是调用它们）

OptionsEFIdentityServicesStartupOptionsEFIdentityServicesStartup服务配置阶段配置暗码规则锁定策略用户选项等中心件配置ConfigureServices()AddIdentity()注册核心服务AddEntityFrameworkStores()Configure()UseAuthentication()UseAuthorization()配置认证中心件配置授权中心件
用户注册与认证流程

EmailDBStoreSignInManagerUserManagerControllerClientEmailDBStoreSignInManagerUserManagerControllerClient注册流程alt[需要邮箱验证]登录流程alt[启用2FA]注册请求CreateAsync(user, password)验证暗码规则生成SecurityStampHash暗码CreateAsync(user)保存用户GenerateEmailConfirmationTokenAsync发送确认邮件登录请求PasswordSignInAsyncFindByNameAsyncFindByNameAsync查询用户CheckPasswordAsync要求2FA验证提供2FA码TwoFactorSignInAsync创建身份票据设置认证Cookie
授权与角色管理流程（更侧重于使用AuthorizationMiddleware）

DBStoreRoleManagerUserManagerControllerClientDBStoreRoleManagerUserManagerControllerClient角色管理授权验证alt[基于角色][基于Claims]创建角色请求CreateAsync(role)CreateAsync(role)保存角色分配角色请求AddToRoleAsync(user, role)AddToRoleAsync更新用户角色关系请求受掩护资源[Authorize(Roles = "Admin")]IsInRoleAsyncIsInRoleAsync查询角色关系GetClaimsAsyncGetClaimsAsync查询Claims
扩展点和自定义实现

«interface»
IUserStore
+CreateAsync()
+UpdateAsync()
+DeleteAsync()
+FindByIdAsync()
«interface»
IUserPasswordStore
+SetPasswordHashAsync()
+GetPasswordHashAsync()
«interface»
IUserRoleStore
+AddToRoleAsync()
+RemoveFromRoleAsync()
+GetRolesAsync()
«interface»
IUserClaimStore
+AddClaimsAsync()
+RemoveClaimsAsync()
+GetClaimsAsync()
CustomUserStore
-IRepository repository
+CreateAsync()
+UpdateAsync()
+FindByIdAsync()
«interface»
IPasswordHasher
+HashPassword()
+VerifyHashedPassword()
«interface»
IPasswordValidator
+ValidateAsync()
«interface»
IUserValidator
+ValidateAsync()

主要特点：
模块化设计：核心身份模子、用户管理服务、存储抽象层、验证器接口
灵活的扩展性：自定义用户模子、自定义存储实现、可配置的选项、验证器扩展
完整的认证流程：用户注册、暗码验证、双因素认证、外部登录
丰富的授权机制：基于角色、基于Claims、基于策略、动态授权
安全特性：暗码哈希、账户锁定、安全戳验证、令牌管理
引用：

Microsoft 文档：ASP.NET Core 上的 Identity 简介
Microsoft 文档：在 ASP.NET Core 项目中添加 Identity

前端鉴权逻辑服务： AuthenticationStateProvider (Microsoft.AspNetCore.Components.Authorization)

AuthenticationStateProvider是Blazor中用于提供当前用户身份状态的抽象类。它的主要作用是向Blazor组件提供身份认证状态（AuthenticationState），以便组件能够根据用户的身份进行相应的显示和操作。
在Blazor应用程序中，AuthenticationStateProvider的具体实现方式取决于应用的渲染模式和身份认证方案。对于Blazor Server，这个提供程序可以直接从服务器的HttpContext.User获取身份信息；对于Blazor WebAssembly，由于代码在客户端运行，需要通过其他方式（如调用后端API或解析令牌）获取用户身份。
状态存储Identity服务自定义AuthProviderAuthenticationStateProviderCascadingAuthenticationStateBlazor组件状态存储Identity服务自定义AuthProviderAuthenticationStateProviderCascadingAuthenticationStateBlazor组件初始化阶段alt[自定义认证逻辑][默认实现]状态访问alt[通过注入访问][通过级联参数访问]状态变动Server模式授权验证alt[未授权][已授权]组件初始化GetAuthenticationStateAsync()委托处理获取用户信息返回用户数据构建AuthenticationState缓存状态获取当前用户返回ClaimsPrincipalnew AuthenticationState()返回AuthenticationState通过级联参数提供状态[CascadingParameter]Task@inject AuthenticationStateProvider返回Provider实例GetAuthenticationStateAsync()await AuthenticationState获取User信息处理授权逻辑用户状态变动更新AuthenticationState更新缓存状态NotifyAuthenticationStateChanged关照状态变动触发重新渲染@attribute [Authorize]GetAuthenticationStateAsync()获取缓存状态返回状态重定向到登录页允许访问渲染受掩护内容
主要特点：
状态管理：缓存认证状态、状态变动关照、状态同步更新
组件集成：CascadingAuthenticationState提供状态共享、AuthorizeView用于条件渲染、Authorize特性支持
自定义能力：自定义认证逻辑、自定义授权策略、状态持久化
安全特性：状态验证、角色授权、Claims基础授权
性能优化：状态缓存、按需刷新、组件重渲染控制
引用：

Microsoft 文档：ASP.NET Core Blazor 身份验证和授权

不同渲染模式中鉴权逻辑的异同

相同点

组件在获取用户信息与鉴权状态时，都同一使用CascadingAuthenticationState

无论是Blazor Server还是Blazor WebAssembly，组件在需要访问用户身份信息时，都通过CascadingAuthenticationState提供的AuthenticationState。这使得组件能够以一致的方式获取用户的身份认证状态，无需关注底层的实现细节。
使用级联参数获取用户信息

@code {
[CascadingParameter] private Task<AuthenticationState> stateTask { get; set; }
private ClaimsPrincipal user;
protected override async Task OnInitializedAsync()
{
var authState = await stateTask;
user = authState.User;
}
}

复制代码

使用服务获取用户信息

@inject AuthenticationStateProvider AuthenticationStateProvider
@code {
private ClaimsPrincipal user;
protected override async Task OnInitializedAsync()
{
var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
user = authState.User;
}
}

复制代码

引用：

Microsoft 文档：使身份验证状态成为级联参数

不同点

Server模式实现RevalidatingServerAuthenticationStateProvider（基于AuthenticationStateProvider）重点在验证ClaimPrincipal中的安全戳

在Blazor Server模式下，应用程序在服务器上运行，客户端通过SignalR持久连接与服务器通讯。默认情况下，Blazor Server使用ServerAuthenticationStateProvider，它直接从HttpContext.User获取用户的身份信息。
为了增强安全性，Blazor Server提供了RevalidatingServerAuthenticationStateProvider。它继承自ServerAuthenticationStateProvider，能够在指定的时间间隔内重新验证用户的身份状态。这主要通过检查ClaimsPrincipal中的安全戳（Security Stamp）来实现。当用户的安全戳发生变化（如暗码更改、账户被禁用等），该提供程序会检测到并更新用户的身份状态，要求用户重新登录。
HttpContext认证状态存储Blazor组件RevalidatingAuthProviderAuthenticationStateProviderBlazor CircuitSignalR HubCookie中心件数据库User StoreUserManagerSignInManagerIdentity服务认证中心件服务器浏览器用户HttpContext认证状态存储Blazor组件RevalidatingAuthProviderAuthenticationStateProviderBlazor CircuitSignalR HubCookie中心件数据库User StoreUserManagerSignInManagerIdentity服务认证中心件服务器浏览器用户SecurityStamp生成阶段Guid.NewGuid().ToString()如暗码修改/角色变动等alt[用户注册][安全相关操作]登录阶段包含用户Claims和SecurityStampHttpContext可用new AuthenticationState(Principal)认证状态持久化验证当前用户状态opt[需要重新验证]alt[首次请求或状态逾期]后台定期验证par[获取Claims中的SecurityStamp][获取数据库中的SecurityStamp]alt[SecurityStamp不匹配][SecurityStamp匹配]loop[每30分钟]注册请求CreateAsync生成新SecurityStamp保存用户信息存储SecurityStampUpdateSecurityStampAsync生成新SecurityStamp更新用户信息更新SecurityStamp登录请求SignInAsync验证凭据获取用户信息返回用户数据验证成功验证成功创建ClaimsPrincipal创建认证Cookie设置Cookie首次HTTP请求(带Cookie)返回初始HTML（App.razor）WebSocket连接请求(带Cookie)创建Circuit验证请求Cookie解析认证Cookie还原ClaimsPrincipal返回Principal创建AuthenticationState初始化认证状态存储认证状态GetAuthenticationStateAsync()检查状态是否需要重新验证返回验证时间ValidateAuthenticationStateAsync返回AuthenticationState用户交互处理请求❌无法访问HttpContext获取认证状态返回认证状态ValidateAuthenticationStateAsync从Claims获取SecurityStampGetSecurityStampAsync查询用户获取SecurityStamp返回当前SecurityStamp返回结果返回SecurityStamp更新认证状态NotifyAuthenticationStateChanged更新UI状态继续使用当前认证状态
引用：

Microsoft 文档：在服务器上重新验证身份
Microsoft 文档：RevalidatingServerAuthenticationStateProvider 源码示例

Webassembly模式实现AuthenticationStateProvider与HttpMessageHandler（可选）重点在访问个人信息终结点（或从自包含令牌）解析ClaimPrincipal

在Blazor WebAssembly模式下，应用程序在客户端浏览器中运行，没有直接访问服务器HttpContext的能力。因此，获取用户身份信息需要通过其他方式。例如，实现自定义的AuthenticationStateProvider，通过调用后端API（如用户信息终结点）获取用户信息，或者解析存储在客户端的JWT令牌来构建ClaimsPrincipal。
别的，为了在客户端向受掩护的API发送请求时主动附加身份认证令牌，或是在令牌逾期后主动刷新令牌，可以配置HttpClient使用自定义的HttpMessageHandler。这样，可以在请求头中添加必要的身份认证信息（如Bearer Token）或拦截401相应并刷新令牌重试请求。
Token服务后端APIHttpClientHandlerAuthenticationProviderBlazor组件Blazor WebAssembly应用浏览器用户Token服务后端APIHttpClientHandlerAuthenticationProviderBlazor组件Blazor WebAssembly应用浏览器用户alt[Token存在且未过-期][Token不存在或已-逾期]alt[验证成功][验证失败]alt[刷新成功][刷新失败]alt[Token有效][Token无效或逾期（返回401）]alt[刷新成功][刷新失败]alt[Token即将逾期][Token仍旧有效]loop[每固定时间间隔]打开应用URL加载Blazor WebAssembly应用初始化认证状态检查当地存储的Token使用现有Token设置为未认证状态返回认证状态渲染组件点击登录按钮调用Login方法发送登录请求(带用户凭据)验证用户凭据返回访问Token和刷新Token存储Token（如localStorage）更新认证状态为已认证关照认证状态已改变重新渲染受限页面返回错误信息关照登录失败GetAuthenticationStateAsync()使用Token请求用户信息（/userinfo）添加Authorization头返回用户信息返回AuthenticationState（包含用户信息）发起HTTP请求（携带API地址）拦截请求，添加Authorization头发送请求（带Token）返回请求数据返回数据返回401 Unauthorized关照Token无效实验刷新Token发送刷新Token请求验证刷新Token返回新的访问Token和刷新Token返回新的Token更新存储的Token关照重试原请求重新发送原请求（带新Token）返回请求数据返回数据返回刷新失败信息关照刷新失败清除Token，更新为未认证状态关照认证状态已改变（未认证）重定向到登录页或显示登录按钮检查Token有效期刷新Token验证刷新Token返回新的Token更新Token更新存储的Token返回刷新失败信息关照刷新失败清除Token，更新为未认证状态关照认证状态已改变（未认证）重定向到登录页或显示登录按钮无需操作
引用：

Microsoft 文档：在 Blazor WebAssembly 中实现自定义 AuthenticationStateProvider
Microsoft 文档：向 HttpClient 请求添加令牌

眼见为实：通过案例实现两种渲染模式的鉴权

下面，我们将通过具体的案例，演示如安在Blazor Server和Blazor WebAssembly应用程序中实现身份认证。
Server + Cookie

注册服务

builder.Services.AddCascadingAuthenticationState(); // 添加级联参数获取认证信息
builder.Services.AddScoped<AuthenticationStateProvider, IdentityRevalidatingAuthenticationStateProvider>(); // 注册自实现的StateProvider
builder.Services.AddAuthentication(options =>
{
//在这里设定默认方案
options.DefaultScheme = IdentityConstants.ApplicationScheme;
options.DefaultSignInScheme = IdentityConstants.ExternalScheme;
options.DefaultSignOutScheme = IdentityConstants.ExternalScheme;
}).AddIdentityCookies(options =>
{
});
builder.Services.AddIdentityCore<ApplicationUser>(options => //ApplicationUser继承自IdentityUser
{
//在这里设定鉴权配置，比如验证邮箱（这里不验证）、密码规则（这里设置最简规则）
options.SignIn.RequireConfirmedAccount = false;
options.Password.RequiredLength = 6;
options.Password.RequireDigit = false;
options.Password.RequireLowercase = false;
options.Password.RequireNonAlphanumeric = false;
options.Password.RequireUppercase = false;
})
.AddRoles<IdentityRole>() //需要自定义角色时，继承IdentityRole
.AddEntityFrameworkStores<ApplicationDbContext>() //ApplicationDbContext需要继承IdentityDbContext，其他ORM请自行搜索Store实现
.AddSignInManager() //使用Cookie时，推荐注册
.AddDefaultTokenProviders();
builder.Services.AddSingleton<IEmailSender<ApplicationUser>, IdentityNoOpEmailSender>();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

复制代码

其中，AddIdentityCookies方法的源代码如下：

/// <summary>
/// Adds the cookie authentication needed for sign in manager.
/// </summary>
/// <param name="builder">The current <see cref="AuthenticationBuilder"/> instance.</param>
/// <param name="configureCookies">Action used to configure the cookies.</param>
/// <returns>The <see cref="IdentityCookiesBuilder"/> which can be used to configure the identity cookies.</returns>
public static IdentityCookiesBuilder AddIdentityCookies(this AuthenticationBuilder builder, Action<IdentityCookiesBuilder> configureCookies)
{
var cookieBuilder = new IdentityCookiesBuilder();
cookieBuilder.ApplicationCookie = builder.AddApplicationCookie();
cookieBuilder.ExternalCookie = builder.AddExternalCookie();
cookieBuilder.TwoFactorRememberMeCookie = builder.AddTwoFactorRememberMeCookie();
cookieBuilder.TwoFactorUserIdCookie = builder.AddTwoFactorUserIdCookie();
configureCookies?.Invoke(cookieBuilder);
return cookieBuilder;
}

复制代码

IdentityNoOpEmailSender

public sealed class IdentityNoOpEmailSender : IEmailSender<ApplicationUser>
{
private readonly IEmailSender emailSender = new NoOpEmailSender(); //案例不实现真正的邮件发送
public Task SendConfirmationLinkAsync(ApplicationUser user, string email, string confirmationLink) =>
emailSender.SendEmailAsync(email, "Confirm your email", $"Please confirm your account by <a target="_blank" href='https://www.cnblogs.com/{confirmationLink}'>clicking here</a>.");
public Task SendPasswordResetLinkAsync(ApplicationUser user, string email, string resetLink) =>
emailSender.SendEmailAsync(email, "Reset your password", $"Please reset your password by <a target="_blank" href='https://www.cnblogs.com/{resetLink}'>clicking here</a>.");
public Task SendPasswordResetCodeAsync(ApplicationUser user, string email, string resetCode) =>
emailSender.SendEmailAsync(email, "Reset your password", $"Please reset your password using the following code: {resetCode}");
}

复制代码

IdentityRevalidatingAuthenticationStateProvider

public sealed class IdentityRevalidatingAuthenticationStateProvider(
ILoggerFactory loggerFactory,
IServiceScopeFactory scopeFactory,
IOptions<IdentityOptions> options)
: RevalidatingServerAuthenticationStateProvider(loggerFactory)
{
protected override TimeSpan RevalidationInterval => TimeSpan.FromMinutes(30);
protected override async Task<bool> ValidateAuthenticationStateAsync(
AuthenticationState authenticationState, CancellationToken cancellationToken)
{
// Get the user manager from a new scope to ensure it fetches fresh data
await using var scope = scopeFactory.CreateAsyncScope();
var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
return await ValidateSecurityStampAsync(userManager, authenticationState.User);
}
private async Task<bool> ValidateSecurityStampAsync(UserManager<ApplicationUser> userManager, ClaimsPrincipal principal)
{
var user = await userManager.GetUserAsync(principal);
if (user is null)
{
return false;
}
else if (!userManager.SupportsUserSecurityStamp)
{
return true;
}
else
{
var principalStamp = principal.FindFirstValue(options.Value.ClaimsIdentity.SecurityStampClaimType);
var userStamp = await userManager.GetSecurityStampAsync(user);
return principalStamp == userStamp;
}
}
}

复制代码

登录时，可以使用表单提交，也可以使用Ajax POST（制作动态网页时的首选），后端处理的逻辑代码相同，即都通过SignInManager实现发送Set-Cookie请求
表单处理：

public async Task LoginUser()
{
// This doesn't count login failures towards account lockout
// To enable password failures to trigger account lockout, set lockoutOnFailure: true
var result = await SignInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: false);
if (result.Succeeded)
{
RedirectManager.RedirectTo("/");
}
else if (result.RequiresTwoFactor)
{
RedirectManager.RedirectTo(
"Account/LoginWith2fa",
new() { ["returnUrl"] = ReturnUrl, ["rememberMe"] = Input.RememberMe });
}
else if (result.IsLockedOut)
{
RedirectManager.RedirectTo("Account/Lockout");
}
else
{
errorMessage = $@"账号或密码错误";
}
}

复制代码

WebAPI：

app.MapPost("Login", async (CheckDto Input,
UserManager<ApplicationUser> userManager,
SignInManager<ApplicationUser> signInManager) =>
{
var emailResult = await userManager.FindByEmailAsync(dto.username);
if (emailResult is null) return Results.BadRequest("账号未注册");
if (await userManager.CheckPasswordAsync(emailResult, dto.password))
{
await signInManager.SignInAsync(emailResult, false);
return Results.Ok();
}
return Results.BadRequest("密码错误"); //401不能返回错误信息，故使用400
});

复制代码

WebAssembly + Cookie + UserInfo Endpoint

此方式是微软推荐的鉴权方式，相比于JWT安全性较高
注册服务（使用.NET 8以后新增的方法）

builder.Services.AddAuthorization();
builder.Services.AddIdentityApiEndpoints<ApplicationUser>()
.AddEntityFrameworkStores<ApplicationDbContext>();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapIdentityApi<ApplicationUser>();

复制代码

源码解读：

/// <summary>
/// Adds a set of common identity services to the application to support <see cref="IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi{TUser}(IEndpointRouteBuilder)"/>
/// and configures authentication to support identity bearer tokens and cookies.
/// </summary>
/// <param name="services">The <see cref="IServiceCollection"/>.</param>
/// <param name="configure">Configures the <see cref="IdentityOptions"/>.</param>
/// <returns>The <see cref="IdentityBuilder"/>.</returns>
public static IdentityBuilder AddIdentityApiEndpoints<TUser>(this IServiceCollection services, Action<IdentityOptions> configure)
where TUser : class, new()
{
ArgumentNullException.ThrowIfNull(services);
ArgumentNullException.ThrowIfNull(configure);
services
.AddAuthentication(IdentityConstants.BearerAndApplicationScheme)
.AddScheme<AuthenticationSchemeOptions, CompositeIdentityHandler>(IdentityConstants.BearerAndApplicationScheme, null, compositeOptions =>
{
compositeOptions.ForwardDefault = IdentityConstants.BearerScheme;
compositeOptions.ForwardAuthenticate = IdentityConstants.BearerAndApplicationScheme;
})
.AddBearerToken(IdentityConstants.BearerScheme)
.AddIdentityCookies();
return services.AddIdentityCore<TUser>(configure)
.AddApiEndpoints();
}
/// <summary>
/// Add endpoints for registering, logging in, and logging out using ASP.NET Core Identity.
/// </summary>
/// <typeparam name="TUser">The type describing the user. This should match the generic parameter in <see cref="UserManager{TUser}"/>.</typeparam>
/// <param name="endpoints">
/// The <see cref="IEndpointRouteBuilder"/> to add the identity endpoints to.
/// Call <see cref="EndpointRouteBuilderExtensions.MapGroup(IEndpointRouteBuilder, string)"/> to add a prefix to all the endpoints.
/// </param>
/// <returns>An <see cref="IEndpointConventionBuilder"/> to further customize the added endpoints.</returns>
public static IEndpointConventionBuilder MapIdentityApi<TUser>(this IEndpointRouteBuilder endpoints)
where TUser : class, new()
{
ArgumentNullException.ThrowIfNull(endpoints);
var timeProvider = endpoints.ServiceProvider.GetRequiredService<TimeProvider>();
var bearerTokenOptions = endpoints.ServiceProvider.GetRequiredService<IOptionsMonitor<BearerTokenOptions>>();
var emailSender = endpoints.ServiceProvider.GetRequiredService<IEmailSender<TUser>>();
var linkGenerator = endpoints.ServiceProvider.GetRequiredService<LinkGenerator>();
// We'll figure out a unique endpoint name based on the final route pattern during endpoint generation.
string? confirmEmailEndpointName = null;
var routeGroup = endpoints.MapGroup("");
// NOTE: We cannot inject UserManager<TUser> directly because the TUser generic parameter is currently unsupported by RDG.
// https://github.com/dotnet/aspnetcore/issues/47338
routeGroup.MapPost("/register", async Task<Results<Ok, ValidationProblem>>
([FromBody] RegisterRequest registration, HttpContext context, [FromServices] IServiceProvider sp) =>
{
var userManager = sp.GetRequiredService<UserManager<TUser>>();
if (!userManager.SupportsUserEmail)
{
throw new NotSupportedException($"{nameof(MapIdentityApi)} requires a user store with email support.");
}
var userStore = sp.GetRequiredService<IUserStore<TUser>>();
var emailStore = (IUserEmailStore<TUser>)userStore;
var email = registration.Email;
if (string.IsNullOrEmpty(email) || !_emailAddressAttribute.IsValid(email))
{
return CreateValidationProblem(IdentityResult.Failed(userManager.ErrorDescriber.InvalidEmail(email)));
}
var user = new TUser();
await userStore.SetUserNameAsync(user, email, CancellationToken.None);
await emailStore.SetEmailAsync(user, email, CancellationToken.None);
var result = await userManager.CreateAsync(user, registration.Password);
if (!result.Succeeded)
{
return CreateValidationProblem(result);
}
await SendConfirmationEmailAsync(user, userManager, context, email);
return TypedResults.Ok();
});
routeGroup.MapPost("/login", async Task<Results<Ok<AccessTokenResponse>, EmptyHttpResult, ProblemHttpResult>>
([FromBody] LoginRequest login, [FromQuery] bool? useCookies, [FromQuery] bool? useSessionCookies, [FromServices] IServiceProvider sp) =>
{
var signInManager = sp.GetRequiredService<SignInManager<TUser>>();
var useCookieScheme = (useCookies == true) || (useSessionCookies == true);
var isPersistent = (useCookies == true) && (useSessionCookies != true);
signInManager.AuthenticationScheme = useCookieScheme ? IdentityConstants.ApplicationScheme : IdentityConstants.BearerScheme;
var result = await signInManager.PasswordSignInAsync(login.Email, login.Password, isPersistent, lockoutOnFailure: true);
if (result.RequiresTwoFactor)
{
if (!string.IsNullOrEmpty(login.TwoFactorCode))
{
result = await signInManager.TwoFactorAuthenticatorSignInAsync(login.TwoFactorCode, isPersistent, rememberClient: isPersistent);
}
else if (!string.IsNullOrEmpty(login.TwoFactorRecoveryCode))
{
result = await signInManager.TwoFactorRecoveryCodeSignInAsync(login.TwoFactorRecoveryCode);
}
}
if (!result.Succeeded)
{
return TypedResults.Problem(result.ToString(), statusCode: StatusCodes.Status401Unauthorized);
}
// The signInManager already produced the needed response in the form of a cookie or bearer token.
return TypedResults.Empty;
});
routeGroup.MapPost("/refresh", async Task<Results<Ok<AccessTokenResponse>, UnauthorizedHttpResult, SignInHttpResult, ChallengeHttpResult>>
([FromBody] RefreshRequest refreshRequest, [FromServices] IServiceProvider sp) =>
{
var signInManager = sp.GetRequiredService<SignInManager<TUser>>();
var refreshTokenProtector = bearerTokenOptions.Get(IdentityConstants.BearerScheme).RefreshTokenProtector;
var refreshTicket = refreshTokenProtector.Unprotect(refreshRequest.RefreshToken);
// Reject the /refresh attempt with a 401 if the token expired or the security stamp validation fails
if (refreshTicket?.Properties?.ExpiresUtc is not { } expiresUtc ||
timeProvider.GetUtcNow() >= expiresUtc ||
await signInManager.ValidateSecurityStampAsync(refreshTicket.Principal) is not TUser user)
{
return TypedResults.Challenge();
}
var newPrincipal = await signInManager.CreateUserPrincipalAsync(user);
return TypedResults.SignIn(newPrincipal, authenticationScheme: IdentityConstants.BearerScheme);
});
routeGroup.MapGet("/confirmEmail", async Task<Results<ContentHttpResult, UnauthorizedHttpResult>>
([FromQuery] string userId, [FromQuery] string code, [FromQuery] string? changedEmail, [FromServices] IServiceProvider sp) =>
{
var userManager = sp.GetRequiredService<UserManager<TUser>>();
if (await userManager.FindByIdAsync(userId) is not { } user)
{
// We could respond with a 404 instead of a 401 like Identity UI, but that feels like unnecessary information.
return TypedResults.Unauthorized();
}
try
{
code = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));
}
catch (FormatException)
{
return TypedResults.Unauthorized();
}
IdentityResult result;
if (string.IsNullOrEmpty(changedEmail))
{
result = await userManager.ConfirmEmailAsync(user, code);
}
else
{
// As with Identity UI, email and user name are one and the same. So when we update the email,
// we need to update the user name.
result = await userManager.ChangeEmailAsync(user, changedEmail, code);
if (result.Succeeded)
{
result = await userManager.SetUserNameAsync(user, changedEmail);
}
}
if (!result.Succeeded)
{
return TypedResults.Unauthorized();
}
return TypedResults.Text("Thank you for confirming your email.");
})
.Add(endpointBuilder =>
{
var finalPattern = ((RouteEndpointBuilder)endpointBuilder).RoutePattern.RawText;
confirmEmailEndpointName = $"{nameof(MapIdentityApi)}-{finalPattern}";
endpointBuilder.Metadata.Add(new EndpointNameMetadata(confirmEmailEndpointName));
});
routeGroup.MapPost("/resendConfirmationEmail", async Task<Ok>
([FromBody] ResendConfirmationEmailRequest resendRequest, HttpContext context, [FromServices] IServiceProvider sp) =>
{
var userManager = sp.GetRequiredService<UserManager<TUser>>();
if (await userManager.FindByEmailAsync(resendRequest.Email) is not { } user)
{
return TypedResults.Ok();
}
await SendConfirmationEmailAsync(user, userManager, context, resendRequest.Email);
return TypedResults.Ok();
});
routeGroup.MapPost("/forgotPassword", async Task<Results<Ok, ValidationProblem>>
([FromBody] ForgotPasswordRequest resetRequest, [FromServices] IServiceProvider sp) =>
{
var userManager = sp.GetRequiredService<UserManager<TUser>>();
var user = await userManager.FindByEmailAsync(resetRequest.Email);
if (user is not null && await userManager.IsEmailConfirmedAsync(user))
{
var code = await userManager.GeneratePasswordResetTokenAsync(user);
code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
await emailSender.SendPasswordResetCodeAsync(user, resetRequest.Email, HtmlEncoder.Default.Encode(code));
}
// Don't reveal that the user does not exist or is not confirmed, so don't return a 200 if we would have
// returned a 400 for an invalid code given a valid user email.
return TypedResults.Ok();
});
routeGroup.MapPost("/resetPassword", async Task<Results<Ok, ValidationProblem>>
([FromBody] ResetPasswordRequest resetRequest, [FromServices] IServiceProvider sp) =>
{
var userManager = sp.GetRequiredService<UserManager<TUser>>();
var user = await userManager.FindByEmailAsync(resetRequest.Email);
if (user is null || !(await userManager.IsEmailConfirmedAsync(user)))
{
// Don't reveal that the user does not exist or is not confirmed, so don't return a 200 if we would have
// returned a 400 for an invalid code given a valid user email.
return CreateValidationProblem(IdentityResult.Failed(userManager.ErrorDescriber.InvalidToken()));
}
IdentityResult result;
try
{
var code = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(resetRequest.ResetCode));
result = await userManager.ResetPasswordAsync(user, code, resetRequest.NewPassword);
}
catch (FormatException)
{
result = IdentityResult.Failed(userManager.ErrorDescriber.InvalidToken());
}
if (!result.Succeeded)
{
return CreateValidationProblem(result);
}
return TypedResults.Ok();
});
var accountGroup = routeGroup.MapGroup("/manage").RequireAuthorization();
accountGroup.MapPost("/2fa", async Task<Results<Ok<TwoFactorResponse>, ValidationProblem, NotFound>>
(ClaimsPrincipal claimsPrincipal, [FromBody] TwoFactorRequest tfaRequest, [FromServices] IServiceProvider sp) =>
{
var signInManager = sp.GetRequiredService<SignInManager<TUser>>();
var userManager = signInManager.UserManager;
if (await userManager.GetUserAsync(claimsPrincipal) is not { } user)
{
return TypedResults.NotFound();
}
if (tfaRequest.Enable == true)
{
if (tfaRequest.ResetSharedKey)
{
return CreateValidationProblem("CannotResetSharedKeyAndEnable",
"Resetting the 2fa shared key must disable 2fa until a 2fa token based on the new shared key is validated.");
}
if (string.IsNullOrEmpty(tfaRequest.TwoFactorCode))
{
return CreateValidationProblem("RequiresTwoFactor",
"No 2fa token was provided by the request. A valid 2fa token is required to enable 2fa.");
}
if (!await userManager.VerifyTwoFactorTokenAsync(user, userManager.Options.Tokens.AuthenticatorTokenProvider, tfaRequest.TwoFactorCode))
{
return CreateValidationProblem("InvalidTwoFactorCode",
"The 2fa token provided by the request was invalid. A valid 2fa token is required to enable 2fa.");
}
await userManager.SetTwoFactorEnabledAsync(user, true);
}
else if (tfaRequest.Enable == false || tfaRequest.ResetSharedKey)
{
await userManager.SetTwoFactorEnabledAsync(user, false);
}
if (tfaRequest.ResetSharedKey)
{
await userManager.ResetAuthenticatorKeyAsync(user);
}
string[]? recoveryCodes = null;
if (tfaRequest.ResetRecoveryCodes || (tfaRequest.Enable == true && await userManager.CountRecoveryCodesAsync(user) == 0))
{
var recoveryCodesEnumerable = await userManager.GenerateNewTwoFactorRecoveryCodesAsync(user, 10);
recoveryCodes = recoveryCodesEnumerable?.ToArray();
}
if (tfaRequest.ForgetMachine)
{
await signInManager.ForgetTwoFactorClientAsync();
}
var key = await userManager.GetAuthenticatorKeyAsync(user);
if (string.IsNullOrEmpty(key))
{
await userManager.ResetAuthenticatorKeyAsync(user);
key = await userManager.GetAuthenticatorKeyAsync(user);
if (string.IsNullOrEmpty(key))
{
throw new NotSupportedException("The user manager must produce an authenticator key after reset.");
}
}
return TypedResults.Ok(new TwoFactorResponse
{
SharedKey = key,
RecoveryCodes = recoveryCodes,
RecoveryCodesLeft = recoveryCodes?.Length ?? await userManager.CountRecoveryCodesAsync(user),
IsTwoFactorEnabled = await userManager.GetTwoFactorEnabledAsync(user),
IsMachineRemembered = await signInManager.IsTwoFactorClientRememberedAsync(user),
});
});
accountGroup.MapGet("/info", async Task<Results<Ok<InfoResponse>, ValidationProblem, NotFound>>
(ClaimsPrincipal claimsPrincipal, [FromServices] IServiceProvider sp) =>
{
var userManager = sp.GetRequiredService<UserManager<TUser>>();
if (await userManager.GetUserAsync(claimsPrincipal) is not { } user)
{
return TypedResults.NotFound();
}
return TypedResults.Ok(await CreateInfoResponseAsync(user, userManager));
});
accountGroup.MapPost("/info", async Task<Results<Ok<InfoResponse>, ValidationProblem, NotFound>>
(ClaimsPrincipal claimsPrincipal, [FromBody] InfoRequest infoRequest, HttpContext context, [FromServices] IServiceProvider sp) =>
{
var userManager = sp.GetRequiredService<UserManager<TUser>>();
if (await userManager.GetUserAsync(claimsPrincipal) is not { } user)
{
return TypedResults.NotFound();
}
if (!string.IsNullOrEmpty(infoRequest.NewEmail) && !_emailAddressAttribute.IsValid(infoRequest.NewEmail))
{
return CreateValidationProblem(IdentityResult.Failed(userManager.ErrorDescriber.InvalidEmail(infoRequest.NewEmail)));
}
if (!string.IsNullOrEmpty(infoRequest.NewPassword))
{
if (string.IsNullOrEmpty(infoRequest.OldPassword))
{
return CreateValidationProblem("OldPasswordRequired",
"The old password is required to set a new password. If the old password is forgotten, use /resetPassword.");
}
var changePasswordResult = await userManager.ChangePasswordAsync(user, infoRequest.OldPassword, infoRequest.NewPassword);
if (!changePasswordResult.Succeeded)
{
return CreateValidationProblem(changePasswordResult);
}
}
if (!string.IsNullOrEmpty(infoRequest.NewEmail))
{
var email = await userManager.GetEmailAsync(user);
if (email != infoRequest.NewEmail)
{
await SendConfirmationEmailAsync(user, userManager, context, infoRequest.NewEmail, isChange: true);
}
}
return TypedResults.Ok(await CreateInfoResponseAsync(user, userManager));
});
}

复制代码

可以看到，基架生成的info接口返回的用户信息非常有限，实际业务中需要自行写一个返回角色/Claims信息的userinfo接口（注入UserManager和RoleManager查询）
根据基架生成的API，编写前端代码：
注册服务：

// 注册LocalStorage服务
builder.Services.AddBlazoredLocalStorageAsSingleton();
// 注册鉴权服务
builder.Services.AddSingleton<AuthenticationStateProvider, CookieAuthenticationStateProvider>();
// 注册通用客户端的鉴权拦截器（令牌过期重试）
builder.Services.AddSingleton<AuthenticationStateHandler>();
// 注册鉴权专用客户端
builder.Services.AddHttpClient("auth", client =>
{
client.BaseAddress = new Uri("API_URL");
});
// 注册业务通用客户端
builder.Services.AddHttpClient("backend", client =>
{
client.BaseAddress = new Uri("API_URL");
}).AddHttpMessageHandler<AuthenticationStateHandler>();
// 设为默认客户端
builder.Services.AddSingleton(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("backend"));
// 注册鉴权基架
builder.Services.AddAuthorizationCore();
builder.Services.AddCascadingAuthenticationState();

复制代码

AuthenticationStateHandler:

public class AuthenticationStateHandler(AuthenticationStateProvider stateProvider, NavigationManager navigationManager) : DelegatingHandler
{
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var response = await base.SendAsync(request, cancellationToken);
//如果令牌过期，刷新令牌并重试请求
if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
{
var authState = await stateProvider.GetAuthenticationStateAsync();
if (authState.User.Identity?.IsAuthenticated ?? false)
{
if (await (stateProvider as CookieAuthenticationStateProvider).RefreshTokenAsync())
{
return await SendAsync(request, cancellationToken);
}
}
navigationManager.NavigateTo("/login");
}
return response;
}
}

复制代码

CookieAuthenticationStateProvider:

public sealed class CookieAuthenticationStateProvider(IServiceProvider serviceProvider, IHttpClientFactory httpClientFactory, ILocalStorageService localStorage, ISyncLocalStorageService syncLocalStorage) : AuthenticationStateProvider
{
//token过期时间
private static TimeSpan UserCacheRefreshInterval = TimeSpan.FromHours(1);
//上次获取token时间
private static DateTimeOffset UserLastCheckTime = DateTimeOffset.FromUnixTimeSeconds(0);
//缓存用户状态
private ClaimsPrincipal CachedUser = new(new ClaimsIdentity());
//默认用户状态（未登录）
private static readonly Task<AuthenticationState> defaultUnanthenticatedTask = Task.FromResult(new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity())));
//刷新令牌
private string? refresh_token { get; set; } = syncLocalStorage.GetItem<string>("refresh_token");
//访问令牌
private string? access_token { get; set; } = syncLocalStorage.GetItem<string>("access_token");
//鉴权专用客户端示例
private HttpClient client = httpClientFactory.CreateClient("auth");
//解析令牌获取身份信息
private async Task ParseTokenAsync()
{
var response = await client.GetAsync("/info"); //推荐自己写userinfo接口代替
if (response.IsSuccessStatusCode)
{
var infoResponse = await response.Content.ReadFromJsonAsync<InfoResponse>();
if (infoResponse != null)
{
var claims = new List<Claim>
{
new Claim(ClaimTypes.Email, infoResponse.Email),
new Claim("IsEmailConfirmed", infoResponse.IsEmailConfirmed.ToString())
};
CachedUser = new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
}
}
else
{
CachedUser = new ClaimsPrincipal(new ClaimsIdentity());
}
}
//设置客户端携带令牌
private void SetClientToken()
{
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", access_token);
serviceProvider.GetRequiredService<HttpClient>().DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", access_token);
}
//处理令牌接口返回值
private async Task<bool> ParseResponseAsync(AccessTokenResponse token)
{
if (token != null)
{
refresh_token = token.RefreshToken;
access_token = token.AccessToken;
await localStorage.SetItemAsync("access_token", access_token);
await localStorage.SetItemAsync("refresh_token", refresh_token);
UserCacheRefreshInterval = TimeSpan.FromSeconds(token.ExpiresIn);
UserLastCheckTime = DateTimeOffset.UtcNow;
SetClientToken();
await ParseTokenAsync();
NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
return true;
}
return false;
}
//注册
public async Task<RegisterResponse> RegisterAsync(RegisterModel model)
{
var response = await client.PostAsJsonAsync(@"register", model);
var reg = await response.Content.ReadFromJsonAsync<RegisterResponse>();
if (reg.Succeeded) await ParseResponseAsync(reg.TokenResponse);
return reg;
}
//登录
public async Task<bool> LoginAsync(string username, string password)
{
var response = await client.PostAsJsonAsync(@"login", new LoginRequest { Username = username, Password = password } );
if (response.StatusCode == HttpStatusCode.Unauthorized)
{
return false;
}
var token = await response.Content.ReadFromJsonAsync<AccessTokenResponse>();
return await ParseResponseAsync(token);
}
//登出
public async Task LogoutAsync()
{
await client.PostAsync(@"logout",new StringContent(string.Empty));
refresh_token = null;
access_token = null;
await localStorage.RemoveItemAsync("access_token");
await localStorage.RemoveItemAsync("refresh_token");
UserLastCheckTime = DateTimeOffset.FromUnixTimeSeconds(0);
CachedUser = new ClaimsPrincipal(new ClaimsIdentity());
NotifyAuthenticationStateChanged(defaultUnanthenticatedTask);
}
//刷新令牌
public async Task<bool> RefreshTokenAsync()
{
if (refresh_token is null) return false;
SetClientToken();
var response = await client.PostAsJsonAsync(@"refresh", new { RefreshToken = refresh_token });
if (response.StatusCode == HttpStatusCode.Unauthorized)
{
return false;
}
var token = await response.Content.ReadFromJsonAsync<AccessTokenResponse>();
return await ParseResponseAsync(token);
}
//获取用户鉴权信息
public override async Task<AuthenticationState> GetAuthenticationStateAsync()
{
if (DateTimeOffset.UtcNow - UserLastCheckTime < UserCacheRefreshInterval || await RefreshTokenAsync())
{
return new AuthenticationState(CachedUser);
}
return await defaultUnanthenticatedTask;
}
}

复制代码

WebAssembly + JWT

此方法安全性较低，不推荐
注册服务

// JWT 配置
var jwtSettings = builder.Configuration.GetSection("JwtSettings");
var secretKey = Encoding.UTF8.GetBytes(jwtSettings["SecretKey"]!);
// 添加认证服务
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = jwtSettings["Issuer"],
ValidAudience = jwtSettings["Audience"],
IssuerSigningKey = new SymmetricSecurityKey(secretKey)
};
});
// 添加授权服务
builder.Services.AddAuthorization();
// 添加 JWT 服务
builder.Services.AddScoped<JwtService>();
// 添加 Identity 服务（如果需要）
builder.Services.AddIdentityCore<ApplicationUser>(options =>
{
options.Password.RequireDigit = false;
options.Password.RequireLowercase = false;
options.Password.RequireNonAlphanumeric = false;
options.Password.RequireUppercase = false;
options.Password.RequiredLength = 6;
options.SignIn.RequireConfirmedEmail = false;
}).AddRoles<IdentityRole<Guid>>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders()
.AddRoleManager<RoleManager<IdentityRole<Guid>>>()
.AddUserManager<UserManager<ApplicationUser>>();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

复制代码

appsettings.json

"JwtSettings": {
"SecretKey": "your-very-looong-secret-key-here",
"Issuer": "your-issuer",
"Audience": "your-audience"
}

复制代码

JwtService

public class JwtService(IConfiguration configuration)
{
public AccessTokenResponse GenerateTokens(ApplicationUser user, IList<string> roles)
{
// 生成访问令牌
var accessToken = GenerateAccessToken(user, roles);
// 生成刷新令牌
var refreshToken = GenerateRefreshToken();
// 计算过期时间（以秒为单位）
var expiresIn = Convert.ToInt32(TimeSpan.FromHours(1).TotalSeconds);
return new AccessTokenResponse(accessToken, expiresIn, refreshToken);
}
private string GenerateAccessToken(ApplicationUser user, IList<string> roles)
{
var secretKey = Encoding.UTF8.GetBytes(configuration["JwtSettings:SecretKey"]!);
var signingCredentials = new SigningCredentials(
new SymmetricSecurityKey(secretKey),
SecurityAlgorithms.HmacSha256Signature
);
var claims = new List<Claim>
{
new(ClaimTypes.NameIdentifier, user.Id.ToString()),
new(ClaimTypes.Name, user.UserName!)
};
claims.AddRange(roles.Select(role => new Claim(ClaimTypes.Role, role)));
var token = new JwtSecurityToken(
issuer: configuration["JwtSettings:Issuer"],
audience: configuration["JwtSettings:Audience"],
claims: claims,
expires: DateTime.UtcNow.AddHours(1),
signingCredentials: signingCredentials
);
return new JwtSecurityTokenHandler().WriteToken(token);
}
private string GenerateRefreshToken()
{
var randomNumber = new byte[64];
using var rng = RandomNumberGenerator.Create();
rng.GetBytes(randomNumber);
return Convert.ToBase64String(randomNumber);
}
public ClaimsPrincipal? GetPrincipalFromExpiredToken(string token)
{
var secretKey = configuration["JwtSettings:SecretKey"]!;
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = false, // 不验证过期时间
ValidateIssuerSigningKey = true,
ValidIssuer = configuration["JwtSettings:Issuer"],
ValidAudience = configuration["JwtSettings:Audience"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secretKey))
};
var tokenHandler = new JwtSecurityTokenHandler();
var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out SecurityToken securityToken);
if (securityToken is not JwtSecurityToken jwtSecurityToken ||
!jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256Signature,
StringComparison.InvariantCultureIgnoreCase))
{
return null;
}
return principal;
}
}

复制代码

IdentityEndpoints

public static void MapIdentityEndpoints(this IEndpointRouteBuilder routes)
{
var group = routes.MapGroup("/Account").WithTags("Account");
group.MapPost("/Login", async (
LoginRequest model,
UserManager<ApplicationUser> userManager,
JwtService jwtService) =>
{
var user = await userManager.FindByNameAsync(model.Username);
if (user == null)
{
return Results.Unauthorized();
}
var isPasswordValid = await userManager.CheckPasswordAsync(user, model.Password);
if (!isPasswordValid)
{
return Results.Unauthorized();
}
var roles = await userManager.GetRolesAsync(user);
var tokenResponse = jwtService.GenerateTokens(user, roles);
// 保存刷新令牌到用户记录
user.RefreshToken = tokenResponse.RefreshToken;
user.RefreshTokenExpiryTime = DateTime.UtcNow.AddDays(7); // 刷新令牌7天有效
await userManager.UpdateAsync(user);
return Results.Ok(tokenResponse);
})
.AllowAnonymous()
.WithName("Login")
.WithOpenApi();
group.MapGet("/User", (HttpContext context) =>
{
var user = context.User;
return Results.Ok(new
{
Username = user.Identity?.Name,
UserId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value,
Roles = user.Claims
.Where(c => c.Type == ClaimTypes.Role)
.Select(c => c.Value)
.ToList()
});
})
.RequireAuthorization()
.WithName("User")
.WithOpenApi();
group.MapPost("/Refresh", async (
RefreshTokenModel model,
UserManager<ApplicationUser> userManager,
JwtService jwtService,
HttpContext context) =>
{
// 从请求头获取过期的访问令牌
string? accessToken = context.Request.Headers["Authorization"]
.FirstOrDefault()?.Split(" ").Last();
if (string.IsNullOrEmpty(accessToken))
{
return Results.BadRequest("Access token is required");
}
// 从过期的访问令牌中获取用户信息
var principal = jwtService.GetPrincipalFromExpiredToken(accessToken);
if (principal == null)
{
return Results.BadRequest("Invalid access token");
}
var username = principal.Identity?.Name;
var user = await userManager.FindByNameAsync(username!);
if (user == null ||
user.RefreshToken != model.RefreshToken ||
user.RefreshTokenExpiryTime <= DateTime.UtcNow)
{
return Results.BadRequest("Invalid refresh token");
}
// 生成新的令牌
var roles = await userManager.GetRolesAsync(user);
var newTokenResponse = jwtService.GenerateTokens(user, roles);
// 更新数据库中的刷新令牌
user.RefreshToken = newTokenResponse.RefreshToken;
user.RefreshTokenExpiryTime = DateTime.UtcNow.AddDays(7);
await userManager.UpdateAsync(user);
return Results.Ok(newTokenResponse);
})
.AllowAnonymous()
.WithName("Refresh")
.WithOpenApi(); ;
group.MapPost("/Logout", async (
UserManager<ApplicationUser> userManager,
HttpContext context) =>
{
var user = context.User;
var appUser = await userManager.FindByNameAsync(user.Identity?.Name!);
if (appUser == null)
{
return Results.NotFound();
}
// 清除刷新令牌
appUser.RefreshToken = null;
appUser.RefreshTokenExpiryTime = null;
await userManager.UpdateAsync(appUser);
return Results.Ok();
})
.RequireAuthorization()
.WithName("Logout")
.WithOpenApi();
group.MapPost("/Register", async (
RegisterModel model,
UserManager<ApplicationUser> userManager,
JwtService jwtService) =>
{
// 验证模型
if (model.Password != model.ConfirmPassword)
{
return Results.BadRequest(new RegisterResponse(
false,
["密码和确认密码不匹配"], null, null
));
}
// 检查用户名是否已存在
var existingUser = await userManager.FindByNameAsync(model.Username);
if (existingUser != null)
{
return Results.BadRequest(new RegisterResponse(
false,
["用户名已存在"], null, null
));
}
// 检查邮箱是否已存在
var existingEmail = await userManager.FindByEmailAsync(model.Email);
if (existingEmail != null)
{
return Results.BadRequest(new RegisterResponse(
false,
["邮箱已被使用"], null, null
));
}
// 创建新用户
var user = new ApplicationUser
{
UserName = model.Username,
Email = model.Email,
EmailConfirmed = true // 如果需要邮箱验证，设置为 false
};
// 添加用户
var result = await userManager.CreateAsync(user, model.Password);
if (!result.Succeeded)
{
return Results.BadRequest(new RegisterResponse(
false,
result.Errors.Select(e => e.Description), null, null
));
}
// 添加默认角色
// await userManager.AddToRoleAsync(user, "User");
// 生成令牌
var roles = await userManager.GetRolesAsync(user);
var tokenResponse = jwtService.GenerateTokens(user, roles);
// 保存刷新令牌
user.RefreshToken = tokenResponse.RefreshToken;
user.RefreshTokenExpiryTime = DateTime.UtcNow.AddDays(7);
await userManager.UpdateAsync(user);
// 返回成功响应和令牌
return Results.Ok(new RegisterResponse(true, [], tokenResponse, "注册成功"));
})
.AllowAnonymous()
.WithName("Register")
.WithOpenApi();
}

复制代码

前端只需要修改上一案例中的ParseTokenAsync方法

private async Task ParseTokenAsync()
{
var handler = new JwtSecurityTokenHandler();
var token = handler.ReadJwtToken(access_token);
CachedUser = new ClaimsPrincipal(new ClaimsIdentity(token.Claims, "Bearer"));
}

复制代码

结语

详细案例文章、视频、源码请等候后续发布

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。

		自动登录	找回密码
密码			立即注册

[Blazor] 一文理清 Blazor Identity 鉴权验证

0 个回复

快速回复

楼主热帖

标签云