基于Cookie传递token的主要思路是通过用户身份验证后,将生成的token保存到Response.Cookies返回客户端,后续客户端访问服务接口时会自动携带Cookie到服务端以便验证身份。之前一直搞不清楚的是服务端程序如何从Cookie读取token进行认证(一般都是将token放到header中以特定键值对形式自动验证身份),不过参考文献2中给出示例,主要是处理JwtBearerEvents.OnMessageReceived事件,该事件是接收到 protocol message时触发,此时可以从Cookie中取出token并将其赋予MessageReceivedContext.Token属性,以便支撑身份验证。主要代码如下所示:
[HttpPost]
public async Task<ApiResult> LoginPlus([FromBody] UserInfo info)
{try{if (_dbClient.Queryable<AppUser>().Any(r => (r.Account == info.Name) && (r.Password == info.Password))){AppUser curUser = _dbClient.Queryable<AppUser>().First(r => (r.Account == info.Name) && (r.Password == info.Password));ApiResult result = new ApiResult();result.UserName = curUser.Name;var cookieOptions = new CookieOptions{HttpOnly = true, Secure = true, Expires = DateTime.UtcNow.AddDays(7) };Response.Cookies.Append("auth_token", GetToken(info.Name), cookieOptions);return result;}else{return new ApiResult("身份验证失败", 500, false);}}catch (Exception ex){return new ApiResult(ex.Message, 500, false);}
}
builder.Services.AddAuthentication(options =>
{...
}).AddJwtBearer(options =>
{...options.Events = new JwtBearerEvents{OnMessageReceived = context =>{var accessToken = context.Request.Cookies["auth_token"];if (!string.IsNullOrEmpty(accessToken)){//Bearer Token. This will give the application an opportunity to //retrieve a token from an alternative location.context.Token = accessToken;}return Task.CompletedTask;}};
});
先在postman中进行验证,如下面两图所示,调用LoginPlus后,会在客户端Cookie中存储值为auth_token的token数据。
调用另一需授权的服务时,不需要设置header,也不需要其它操作,postman会自动携带Cookie调用服务,也能正常调用并返回数据。如果手工删除Cookie,再调用服务时则会报401错误。
参考文献:
[1]百度AI智能问答,搜索条件:asp.net core 通过Cookie传递token
[2]https://www.cnblogs.com/CreateMyself/p/15755657.html
