在 .NET Web API 中实现 JWT(JSON Web Token)用户认证,是一种安全且高效的身份验证方式。它允许客户端在登录后获得一个令牌,后续请求只需携带该令牌即可完成身份识别,无需反复登录。以下是完整的实现流程,涵盖从用户登录到受保护接口访问的全过程。
1. 安装必要包并配置 JWT 服务
在项目中启用 JWT 认证,首先要安装 Microsoft.AspNetCore.Authentication.JwtBearer 包。
可通过 NuGet 包管理器或命令行安装: Install-Package Microsoft.AspNetCore.Authentication.JwtBearer然后在 Program.cs 中配置 JWT 认证服务:
var builder = WebApplication.CreateBuilder(args);
// 添加认证服务
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = builder.Configuration["Jwt:Issuer"],
ValidAudience = builder.Configuration["Jwt:Audience"],
IssuerSigningKey = new SymmetricSecurityKey(
Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]))
};
});
// 添加授权服务
builder.Services.AddAuthorization();
var app = builder.Build();
// 启用认证和授权中间件
app.UseAuthentication();
app.UseAuthorization();
同时,在 appsettings.json 中添加 JWT 配置:
{
"Jwt": {
"Key": "your-super-secret-key-that-is-long-enough",
"Issuer": "https://localhost:5001",
"Audience": "https://localhost:5001"
}
}
2. 创建用户模型与登录接口
定义一个简单的用户模型用于模拟登录:
public class User
{
public string Username { get; set; }
public string Password { get; set; }
public string Role { get; set; }
}
创建一个登录控制器,生成 JWT 令牌:
[ApiController]
[Route("api/[controller]")]
public class AuthController : ControllerBase
{
private readonly IConfiguration _configuration;
public AuthController(IConfiguration configuration)
{
_configuration = configuration;
}
[HttpPost("login")]
public IActionResult Login([FromBody] User loginUser)
{
// 模拟验证用户(实际应查询数据库)
var user = AuthenticateUser(loginUser.Username, loginUser.Password);
if (user == null)
return Unauthorized();
var token = GenerateJwtToken(user);
return Ok(new { Token = token });
}
private User AuthenticateUser(string username, string password)
{
// 示例用户,实际应使用密码哈希和数据库验证
if (username == "admin" && password == "password")
{
return new User { Username = "admin", Role = "Admin" };
}
return null;
}
private string GenerateJwtToken(User user)
{
var securityKey = new SymmetricSecurityKey(
Encoding.UTF8.GetBytes(_configuration["Jwt:Key"]));
var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
var claims = new[]
{
new Claim(JwtRegisteredClaimNames.Sub, user.Username),
new Claim(ClaimTypes.Role, user.Role),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
};
var token = new JwtSecurityToken(
issuer: _configuration["Jwt:Issuer"],
audience: _configuration["Jwt:Audience"],
claims: claims,
expires: DateTime.Now.AddMinutes(30),
signingCredentials: credentials
);
return new JwtSecurityTokenHandler().WriteToken(token);
}
}
3. 创建受保护的 API 接口
使用 [Authorize] 特性保护需要认证的接口:
[ApiController]
[Route("api/[controller]")]
[Authorize]
public class SecureController : ControllerBase
{
[HttpGet]
public IActionResult Get()
{
return Ok(new
{
Message = "This is a secure endpoint.",
User = User.Identity.Name,
Role = User.FindFirst(ClaimTypes.Role)?.Value
});
}
[HttpGet("admin")]
[Authorize(Roles = "Admin")]
public IActionResult GetAdmin()
{
return Ok(new { Message = "Hello Admin!" });
}
}
此时,只有携带有效 JWT 的请求才能访问这些接口。
4. 前端调用与测试流程
前端首先调用登录接口获取 token:
// POST /api/auth/login
{
"username": "admin",
"password": "password"
}
成功后得到返回的 token:
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.x..."
}
后续请求在 Header 中携带 token:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.x...
调用受保护接口时,.NET 自动验证 token 并设置 User 主体信息。
基本上就这些。整个流程包括:配置 JWT 认证、生成 token、保护接口、前端传参。不复杂但容易忽略细节,比如密钥长度、时间有效性、中间件顺序等。只要按步骤实现,就能构建一个安全可靠的认证系统。
