I am making an authentication server which will provide JWT tokens to the client for the client to communicate with another server.
- Server one (Authentication - responsible for delivering JWT)
- Server two (Main API)
- Client
What is the best and safest approach for server two to validate the JWT token provided by server one? Should server one have some middleware to send an API request to server two, in which server two has the functions to verify the token? Or shall server two have the same secret key as server one to verify the token itself?
There is a package, Microsoft.AspNetCore.Authentication.JwtBearer, that allows you to sign JWT tokens.
You create a login endpoint that does the credentials validation and returns the token with the user's roles.
On the client you store that token in a cookie or local storage and send it back with each API request, either as a cookie or in the header.
The middleware you create is where you turn the token into a user; then you can use validation attributes on your API controllers and actions.
Use the app.UseJwtBearerAuthentication helper method:

```csharp
// Goes in Startup.Configure(); ASP.NET Core 1.x style, which is the helper named above.
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.IdentityModel.Tokens;

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    TokenValidationParameters = new TokenValidationParameters
    {
        // HMAC key shared with the server that issued the token; the signature is checked against it.
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration["AppSettings:AuthConfig:SecretKey"])),
        // Reject tokens whose "iss" claim is not the configured issuer.
        ValidateIssuer = true,
        ValidIssuer = Configuration["AppSettings:AuthConfig:Issuer"],
        // Reject tokens whose "aud" claim is not this API.
        ValidateAudience = true,
        ValidAudience = Configuration["AppSettings:AuthConfig:Audience"],
        // Reject tokens outside their nbf/exp window.
        ValidateLifetime = true,
    }
});
```
As long as both servers have the same AuthConfig:SecretKey in app settings it will work between servers.
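To make concrete what the shared-secret design above relies on, here is an added, self-contained example (not from the question, the answer, or the JwtBearer package) that does in plain Python what the .NET middleware does internally: server one issues an HS256 JWT, and server two, holding the same secret, validates the signature and then the issuer, audience and lifetime claims, matching `IssuerSigningKey`, `ValidIssuer`, `ValidAudience` and `ValidateLifetime` one for one. The secret, issuer, audience, subject and timestamps are constructed values; only the standard library is used, and the code runs offline.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised by the verifying side (server two) when a token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """JSON-serialise a JWT header or payload into one base64url segment."""
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def decode_segment(text: str) -> dict:
    return json.loads(_b64url_decode(text))


def issue_token(secret: bytes, issuer: str, audience: str, subject: str,
                roles, lifetime_s: int, now: int = None) -> str:
    """Server one: build and sign an HS256 JWT carrying the user's roles."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "sub": subject,
               "roles": list(roles), "iat": now, "exp": now + lifetime_s}
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_token(token: str, secret: bytes, issuer: str, audience: str,
                   now: int = None) -> dict:
    """Server two: verify the signature with the shared secret, then the claims.

    Order matters: nothing in the payload is trusted until the MAC has been checked.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: a token claiming "none" or another alg is rejected outright.
    if decode_segment(header_b64).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so a mismatch leaks nothing about the expected MAC.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    payload = decode_segment(payload_b64)
    if payload.get("iss") != issuer:          # ValidateIssuer / ValidIssuer
        raise TokenError("bad issuer")
    if payload.get("aud") != audience:        # ValidateAudience / ValidAudience
        raise TokenError("bad audience")
    exp = payload.get("exp")                  # ValidateLifetime
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired")
    return payload


def verify_outcome(token: str, secret: bytes, issuer: str, audience: str,
                   now: int = None) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        validate_token(token, secret, issuer, audience, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed values: the secret would normally come from AppSettings:AuthConfig.
    SECRET = b"constructed-shared-secret-at-least-32-bytes-long!"
    tok = issue_token(SECRET, "https://auth.example", "main-api", "alice",
                      ["admin"], 3600, now=1_700_000_000)
    print(verify_outcome(tok, SECRET, "https://auth.example", "main-api", now=1_700_000_100))
```

Every rejection path (wrong secret, edited payload, wrong audience, expiry, non-HS256 header) ends in the same `TokenError`, which is what the middleware's challenge turns into a 401. One design consequence worth keeping in mind: with a symmetric key, server two can mint tokens just as well as it can verify them, so the secret must be protected on both hosts; if server two should only ever verify, an asymmetric signing key (private key on server one, public key on server two) removes that capability.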