How to write the AspNetCore authentication and authorization code

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shares how to write AspNetCore authentication and authorization code. The editor thinks it is very practical and hopes you will get something out of reading it.

In ordinary MVC projects we generally use a Cookie for authentication and authorization, which is simple to use: after a successful login, the user information is written to the Cookie. When we build a WebApi, however, a Cookie is clearly a little inappropriate.

At present, the popular authentication and authorization method for WebApi in dotnet core is Jwt (Json Web Token). Jwt is a stateless, distributed authentication method: it encrypts the user login information and stores it in the returned Token, which means the user information is kept on the client. Jwt supports two kinds of encryption, symmetric and asymmetric; asymmetric encryption is the RSA way.

The idea of writing your own authentication and authorization code is the same as that of Jwt; the differences are:

1. Only symmetric encryption is used, which is simple and efficient. Ha ha! (The downside is that it is less secure than asymmetric encryption.)

2. The user login information is mainly saved in Redis, that is, on the server.

The benefits of writing by yourself:

1. Strong extensibility: it can be extended according to your own needs, for example conveniently adding multi-device login and "kick offline" handling when verifying authorization.

2. The Token expiry time of users can be adjusted at any time.

Authentication and authorization process

1. Request the login API first. When login succeeds, a Token is generated for the user.

(Figure: the login response, showing the ticket field that carries the Token.)

2. The client receives the Token and adds it to the request header of every other request, passing it to the server.

Development ideas

1. Add a filter. In the ConfigureServices method of Startup, add a Filter, that is, our own authorization code class.

After the filter is added, its code runs first for every request. Here we can determine whether the user has logged in and intercept unauthorized requests.

2. Log in and obtain a Token

Because a filter of type IAuthorizationFilter has been added, every request is intercepted, so we need to allow anonymous access to the login interface.
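The two steps above, as an added example that is not the article's own code: a global IAuthorizationFilter that lets [AllowAnonymous] actions (the login endpoint) through, reads the Token from a request header, and checks it against a ticket store. The header name "ticket", the ITicketStore interface and the in-memory store (standing in for the article's Redis) are this example's assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical store of issued tickets. The article keeps this in Redis; an in-memory
// dictionary with an expiry stands in here so the example is self-contained.
public interface ITicketStore
{
    void Save(string ticket, string userId, TimeSpan lifetime);
    string? Lookup(string ticket);                            // null when unknown or expired
}

public sealed class InMemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, (string UserId, DateTime Expires)> _items = new();
    public void Save(string ticket, string userId, TimeSpan lifetime) =>
        _items[ticket] = (userId, DateTime.UtcNow + lifetime); // lifetime adjustable per login
    public string? Lookup(string ticket) =>
        _items.TryGetValue(ticket, out var e) && e.Expires > DateTime.UtcNow ? e.UserId : null;
}

// Registered globally, so it runs before every action; login is exempted with [AllowAnonymous].
public sealed class TicketAuthorizationFilter : IAuthorizationFilter
{
    private readonly ITicketStore _store;
    public TicketAuthorizationFilter(ITicketStore store) => _store = store;

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        if (context.ActionDescriptor.EndpointMetadata.OfType<IAllowAnonymous>().Any())
            return;                                           // e.g. the login action

        // Header name "ticket" is this example's choice; the article only says "request header".
        string ticket = context.HttpContext.Request.Headers["ticket"].ToString();
        string? userId = string.IsNullOrWhiteSpace(ticket) ? null : _store.Lookup(ticket);
        if (userId is null)
        {
            context.Result = new UnauthorizedResult();        // 401: missing, unknown or expired
            return;
        }
        context.HttpContext.Items["UserId"] = userId;         // hand the resolved user to the action
    }
}

public static class StartupExtensions
{
    // Call from Startup.ConfigureServices.
    public static void AddTicketAuth(this IServiceCollection services)
    {
        services.AddSingleton<ITicketStore, InMemoryTicketStore>();
        services.AddControllers(o => o.Filters.Add<TicketAuthorizationFilter>());
    }
}
```

Because the store, not the Token itself, decides whether a login is still valid, deleting or re-saving an entry is all that is needed to expire a Token early or change its lifetime.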

3. Encrypt and decrypt Token

Encryption: a Token is generated after a successful login, and it is easy to generate: symmetrically encrypt the user's unique information, such as a uid or guid. Of course, if you need to distinguish login devices or support the multi-device login "kick offline" function, it is best to encrypt the login device together with it.

We all know that in encryption, as long as the data and the key stay the same, the encrypted output stays the same. If the Token generated by each login never changes, then once a Token leaks it is dangerous. So we want the Token generated by each login to change, which means changing either the encrypted data or the key. The encrypted data is the user's unique information, which obviously will not change, so the only thing we can change is the key; we use a fixed key + a random key.

Because the key must also correspond one-to-one when we decrypt, we have to find a way to tell the decryption code our random key. The way to do this is to append the random key to the encrypted content (usually Base64 encoded). (The random key must have a fixed length, or it cannot be parsed out later.)

For example, the content to encrypt is guid=73e01eab-210d-4d19-a72a-d0d64e053ec0+client=ios, the fixed key is 123654, and the random key is FEZaaWbyimaWiJHah.

That is, the encryption process is:

Encrypt("guid=73e01eab-210d-4d19-a72a-d0d64e053ec0+client=ios", key = "123654" + "FEZaaWbyimaWiJHah") = M0EzM0ZGRjk2QzgwRDY2RDJDMTdFOEJGRUE0NDI3NEE1RDlFNkU4NDQ0MERFNEIyMkQ5QjM4MjAxODcwj, and the Token is this ciphertext followed by the random key FEZaaWbyimaWiJHah.

So the Token we return to the user actually contains the random key. Of course, only we know about this random key, because only we know its length and position. In this way, even if our fixed key is leaked, it will not help as long as others do not know how we handle the random key.

Decryption: once you know the encryption process, you can decrypt. After receiving the Token submitted by the user, first cut it at the fixed position of the random key, separating the encrypted content from the random key. Then combine the fixed key and the random key to decrypt the encrypted content and obtain the user guid and the client type of the login.

Complete encryption and decryption code

The ticket in the code represents the Token in this article. DES encryption and decryption are used in the code.
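The ticket layout described above, as an added example rather than the article's listing: the key is fixedKey + randomKey, and the ticket is the Base64 ciphertext with the fixed-length random key appended, so Decrypt can cut it off at a known position. Where the article uses DES, this example substitutes AES-GCM (.NET 8 API) so that a forged or modified ticket is rejected rather than decrypted to garbage; the key derivation, random-key length and alphabet are this example's choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Ticket format: Base64(nonce || ciphertext || tag) + randomKey (fixed length, so it can be split off).
public static class TicketCipher
{
    private const int RandomKeyLength = 16;                 // fixed length, as the article requires
    private const int NonceSize = 12, TagSize = 16;         // AES-GCM sizes
    private const string Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Per-login key: the article concatenates fixed key + random key; hashing gives AES 32 bytes.
    private static byte[] DeriveKey(string fixedKey, string randomKey) =>
        SHA256.HashData(Encoding.UTF8.GetBytes(fixedKey + randomKey));

    private static string NewRandomKey()
    {
        var chars = new char[RandomKeyLength];
        for (int i = 0; i < chars.Length; i++)
            chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
        return new string(chars);
    }

    // e.g. Encrypt("guid=73e01eab-210d-4d19-a72a-d0d64e053ec0+client=ios", "123654")
    public static string Encrypt(string payload, string fixedKey)
    {
        string randomKey = NewRandomKey();                    // differs on every login
        byte[] plain = Encoding.UTF8.GetBytes(payload);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] cipher = new byte[plain.Length], tag = new byte[TagSize];
        using var aes = new AesGcm(DeriveKey(fixedKey, randomKey), TagSize);
        aes.Encrypt(nonce, plain, cipher, tag);
        byte[] blob = new byte[NonceSize + cipher.Length + TagSize];
        nonce.CopyTo(blob, 0); cipher.CopyTo(blob, NonceSize); tag.CopyTo(blob, NonceSize + cipher.Length);
        return Convert.ToBase64String(blob) + randomKey;
    }

    // Returns the payload, or null if the ticket is malformed, forged, or made under another key.
    public static string? Decrypt(string ticket, string fixedKey)
    {
        if (ticket.Length <= RandomKeyLength) return null;
        string randomKey = ticket[^RandomKeyLength..];        // split at the fixed position
        byte[] blob;
        try { blob = Convert.FromBase64String(ticket[..^RandomKeyLength]); }
        catch (FormatException) { return null; }
        if (blob.Length < NonceSize + TagSize) return null;
        byte[] plain = new byte[blob.Length - NonceSize - TagSize];
        try
        {
            using var aes = new AesGcm(DeriveKey(fixedKey, randomKey), TagSize);
            aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize, plain.Length),
                        blob.AsSpan(blob.Length - TagSize), plain);
        }
        catch (CryptographicException) { return null; }     // wrong key or tampered ticket
        return Encoding.UTF8.GetString(plain);
    }
}
```

Since the random key travels inside the ticket, the secrecy of the scheme rests on the fixed key and on the cipher; the GCM tag is what lets Decrypt reject a forged or edited ticket, which plain DES has no way to detect.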

The above is how to write AspNetCore authentication and authorization code. The editor believes it contains some knowledge points we may see or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
