我正在开发一个处理Firebase身份验证的简单API - 稍后将用于Android客户端。
所以在Firebase控制台中,我启用了Facebook和Google登录方法,并创建了一个示例html页面,我可以使用它来测试登录方法 - 下一个函数由按钮调用:
function loginFacebook() {
var provider = new firebase.auth.FacebookAuthProvider();
var token = "";
firebase.auth().signInWithPopup(provider).then(function (result) {
var token = result.credential.accessToken;
var user = result.user;
alert("login OK");
user.getToken().then(function (t) {
token = t;
loginAPI();
});
}).catch(function (error) {
var errorCode = error.code;
var errorMessage = error.message;
alert(errorCode + " - " + errorMessage);
});
}
接下来我使用令牌并通过jQuery中的简单ajax调用将其发送到我的API:
function loginAPI()
{
$.ajax({
url: "http://localhost:58041/v1/Users/",
dataType: 'json',
type: 'GET',
beforeSend: function (xhr) {
xhr.setRequestHeader("Accept", "application/json");
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("Authorization", "Bearer " + token);
},
error: function (ex) {
console.log(ex.status + " - " + ex.statusText);
},
success: function (data) {
console.log(data);
return data;
}
});
}
下一站:API后端 - 用.NET Core编写。
在Startup下我配置了JwtBearer Auth(包Microsoft.AspNetCore.Authentication.JwtBearer
):
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthenticate = true,
IncludeErrorDetails = true,
Authority = "https://securetoken.google.com/PROJECT-ID",
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = "https://securetoken.google.com/PROJECT-ID",
ValidateAudience = true,
ValidAudience = "PROJECT-ID",
ValidateLifetime = true,
},
});
这是Controller代码 - 具有以下[Authorize]
属性:
[Authorize]
[Route("v1/[controller]")]
public class UsersController : Controller
{
private readonly ILogger _logger;
private readonly UserService _userService;
public UsersController(ILogger<UsersController> logger, UserService userService)
{
_logger = logger;
_userService = userService;
}
[HttpGet]
public async Task<IList<User>> Get()
{
return await _userService.GetAll();
}
}
该API响应是200 OK(HttpContext.User.Identity.IsAuthenticated
是true
控制器内),但我认为它不应该。我的问题是我不完全确定这是安全的。
这是如何检查JWT令牌的签名部分的?我看到很多代码样本提到x509或RS256算法,它们在哪里适合?不应该与班级IssuerSigningKey
或TokenDecryptionKey
来自TokenValidationParameters
班级的某种证书或私钥进行核对?我错过了什么?
有关该问题的相关知识来源:
发布于 2018-08-28 16:32:51
对于后端方面,有一个Nuget包可以帮到你:
安装包AspNetCore.Firebase.Authentication
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
app.UseFirebaseAuthentication("https://securetoken.google.com/MYPROJECTNAME", "MYPROJECTNAME");
}
它执行受众,发行者,签名和有效性验证
发布于 2018-08-28 17:41:24
NuGet数据包使用旧的ASP NET Core 1.x身份验证机制
身份验证已更改:https://docs.microsoft.com/en-us/aspnet/core/migration/1x-to-2x/identity-2x
https://stackoverflow.com/questions/-100002464
复制相似问题