英文:
How to develop a custom AuthorizeAttribute that accepts a token passed as URL parameter
问题
我已创建了一个Web API(ASP.Net Core 6),其中有一个端点用于查看资源(在新标签页中打开)。由于资源在新标签页中打开,我无法在该端点上实现授权功能。因此,我想要实现一个自定义授权属性,它接受用户令牌,可以作为URL参数传递(http://{website}/{action}?token={token})并验证令牌。
我已经查看了类似的问题和帖子。其中一些是帖子 1和帖子 2。
但是仍然没有成功。是否有人可以展示我如何实现这一点。由于我是.NET的初学者,我期望您的支持。谢谢!
英文:
I have created a web API (ASP.Net core 6) and there is one endpoint to view resources(opens in new tab). Since it (resource) opens in new tab I can not implement authorization functionality on that endpoint. So I want to implement a custom authorization attribute that accepts the users token which can be passed as URL parameter (http://{website}/{action}?token={token}) and validate the token.
I have followed similar questions and posts. Few of them are post 1 and post 2.
Still No success. Could someone please show how I can achieve this. Since I am a beginner with .Net I expects your support. Thank you!
答案1
得分: 1
您的问题中提到的帖子都与 asp.net 而不是 asp.net core 有关,身份验证/授权现在将在中间件中执行,您可以查看这个文档来了解在 .net core 中进行身份验证/授权的信息。
如果您尝试使用 JwtAuthentication,您可以指定从何处读取令牌,在这里有一个相关案例(在这种情况下,我尝试从 cookie 中读取 jwt 令牌并从令牌中读取声明)。
如果您坚持要创建一个接受令牌、验证并分配声明给 HttpContext 的属性,您可以尝试使用 AuthorizationFilter:
public class MyAuthorizeFilterAttribute : Attribute, IAuthorizationFilter
{
public void OnAuthorization(AuthorizationFilterContext context)
{
var token = context.HttpContext.Request.Query["token"].ToString();
if (!String.IsNullOrEmpty(token))
{
// 从令牌中读取声明并分配给 HttpContext.User
}
else
{
context.Result = new UnauthorizedResult();
}
}
}
英文:
The posts in your question are all for asp.net not
for asp.net core ,Authentication/Authorization would be executed in middleware now ,you could check this document related to learn Authentication\Authorization in .net core
And if you try with JwtAuthentication,you could specific where to read the token,here's a related case(In this case,i tried to read jwt token from cookie and read claim from token)
If you insist on creating an Attribute to accept token,validate and assign claims to httpcontext,you could try with AuthorizationFilter:
public class MyAuthorizeFilterAttribute : Attribute,IAuthorizationFilter
{
public void OnAuthorization(AuthorizationFilterContext context)
{
var token = context.HttpContext.Request.Query["token"].ToString();
if (!String.IsNullOrEmpty(token))
{
//read claims from token and assign to HttpContext.User
}
else
{
context.Result = new UnauthorizedResult();
}
}
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论