Doc/分布式令牌TokenProvider.md at dev · X - GitCandy - 糖果代码库 - 新生命X组件，数据中间件XCode、日志、网络、RPC、序列化、缓存、Windows服务

X
# åˆ†å¸ƒå¼ä»¤ç‰ŒTokenProvider ## æ¦‚è¿° `TokenProvider` æ˜¯ NewLife.Core æä¾›çš„è½»é‡çº§åˆ†å¸ƒå¼èº«ä»½ä»¤ç‰Œæ–¹æ¡ˆï¼Œé‡‡ç”¨ DSA éžå¯¹ç§°ç¾åï¼ˆç”± `DSAHelper` å°è£…ï¼‰ï¼Œæ— éœ€å…±äº«å¯†é’¥å³å¯åœ¨å¤šèŠ‚ç‚¹é—´éªŒè¯ä»¤ç‰Œã€‚ç¾åèŠ‚ç‚¹æŒæœ‰ç§é’¥ï¼ˆ`.prvkey`ï¼‰ï¼ŒéªŒè¯èŠ‚ç‚¹åªéœ€æŒæœ‰å¯¹åº”å…¬é’¥ï¼ˆ`.pubkey`ï¼‰ï¼Œé€‚åˆå¾®æœåŠ¡å†…éƒ¨ API é‰´æƒå’Œè®¾å¤‡æ³¨å†Œä»¤ç‰Œåœºæ™¯ã€‚ å‘½åç©ºé—´ï¼š`NewLife.Security` æ–‡æ¡£åœ°å€ï¼š/core/token_provider ## æ ¸å¿ƒç‰¹æ€§ - DSA éžå¯¹ç§°ç¾åï¼šç¾å‘æ–¹æŒæœ‰ç§é’¥ï¼ŒéªŒè¯æ–¹ä»…éœ€å…¬é’¥ï¼Œé™ä½Žå¯†é’¥æ³„éœ²é£Žé™© - è‡ªåŠ¨ç”Ÿæˆå¯†é’¥å¯¹ï¼šé¦–æ¬¡è°ƒç”¨ `ReadKey()` æ—¶è‡ªåŠ¨ç”Ÿæˆå¹¶ä¿å˜ `.prvkey` / `.pubkey` æ–‡ä»¶ - é›¶å¤–éƒ¨ä¾èµ–ï¼šåŸºäºŽ `DSAHelper`ï¼ˆNewLife å†…ç½®ï¼‰ï¼Œæ— éœ€ç¬¬ä¸‰æ–¹ JWT åº“ - è½»é‡è½½è·ï¼šä»¤ç‰Œå†…å«ç”¨æˆ·æ ‡è¯†å’Œè¿‡æœŸæ—¶é—´ï¼Œæ— é¢å¤– claimsï¼Œä½“ç§¯æžå° - å¤šèŠ‚ç‚¹å…±äº«å…¬é’¥ï¼šä»…éœ€åˆ†å‘å…¬é’¥æ–‡ä»¶åˆ°å„éªŒè¯èŠ‚ç‚¹ï¼Œå³å¯å®Œæˆåˆ†å¸ƒå¼éªŒè¯ ## å¿«é€Ÿå¼€å§‹ ### ç¾å‘ä»¤ç‰Œï¼ˆæœåŠ¡ç«¯ï¼‰ ```csharp using NewLife.Security; // æœåŠ¡ç«¯ä½¿ç”¨ç§é’¥ç¾å‘ var provider = new TokenProvider(); provider.ReadKey("token.prvkey", true); // true = ç§é’¥æ¨¡å¼ // ç¾å‘æœ‰æ•ˆæœŸ 24 å°æ—¶çš„ä»¤ç‰Œ var token = provider.Encode("user001", TimeSpan.FromHours(24)); Console.WriteLine($"ä»¤ç‰Œ: {token}"); ``` ### éªŒè¯ä»¤ç‰Œï¼ˆéªŒè¯èŠ‚ç‚¹ï¼‰ ```csharp // éªŒè¯èŠ‚ç‚¹åªéœ€å…¬é’¥ var verifier = new TokenProvider(); verifier.ReadKey("token.pubkey", false); // false = å…¬é’¥æ¨¡å¼ if (verifier.TryDecode(token, out var user, out var expire)) { Console.WriteLine($"ç”¨æˆ·: {user}ï¼Œè¿‡æœŸ: {expire:yyyy-MM-dd HH:mm:ss}"); } else { Console.WriteLine("ä»¤ç‰Œæ— æ•ˆæˆ–å·²è¿‡æœŸ"); } ``` ## API å‚è€ƒ ### å±žæ€§ ```csharp /// <summary>å¯†é’¥å†…å®¹ï¼ˆDERæ ¼å¼Base64ç¼–ç ï¼‰ã€‚ç§é’¥æˆ–å…¬é’¥ï¼Œå–å†³äºŽè¯»å–æ–¹å¼</summary> public String? Key { get; set; } ``` ### æ–¹æ³• #### ReadKey - è¯»å–æˆ–ç”Ÿæˆå¯†é’¥ ```csharp /// <summary>è¯»å–å¯†é’¥æ–‡ä»¶ï¼Œæ–‡ä»¶ä¸å˜åœ¨æ—¶è‡ªåŠ¨ç”Ÿæˆå¯†é’¥å¯¹</summary> /// <param name="keyFile">å¯†é’¥æ–‡ä»¶è·¯å¾„ï¼ˆ.prvkey æˆ– .pubkeyï¼‰</param> /// <param name="isPrivate">true=ç§é’¥æ¨¡å¼ï¼ˆç¾å‘ï¼‰ï¼Œfalse=å…¬é’¥æ¨¡å¼ï¼ˆéªŒè¯ï¼‰</param> public void ReadKey(String keyFile, Boolean isPrivate) ``` è¡Œä¸ºï¼š 1. è‹¥ `keyFile` å˜åœ¨ï¼Œç›´æŽ¥è¯»å–å†™å…¥ `Key` 2. è‹¥ä¸å˜åœ¨ä¸” `isPrivate=true`ï¼Œè°ƒç”¨ `DSAHelper.GenerateKey()` ç”Ÿæˆå¯†é’¥å¯¹ï¼Œå°†ç§é’¥å†™å…¥ `keyFile`ï¼Œå°†å¯¹åº”å…¬é’¥å†™å…¥ `keyFile` è¿½åŠ `.pubkey` ï¼ˆå³åŒç›®å½•ä¸‹ç”Ÿæˆ `xxx.pubkey`ï¼‰ 3. è‹¥ä¸å˜åœ¨ä¸” `isPrivate=false`ï¼Œå°è¯•ä»Ž `keyFile.Replace(".pubkey","").prvkey` ä¸æå–å…¬é’¥ï¼›ä»ä¸å˜åœ¨åˆ™æ£å¸¸æŠ¥é”™ #### Encode - ç¾å‘ä»¤ç‰Œ ```csharp /// <summary>ç¾å‘ä»¤ç‰Œ</summary> /// <param name="user">ç”¨æˆ·æ ‡è¯†ï¼ˆä¸šåŠ¡ ID æˆ–ç”¨æˆ·åï¼‰</param> /// <param name="expire">æœ‰æ•ˆæœŸ</param> /// <returns>ä»¤ç‰Œå—ç¬¦ä¸²ï¼ˆæ ¼å¼ï¼šbase64url(data).base64url(signature)ï¼‰</returns> public String Encode(String user, TimeSpan expire) ``` ä»¤ç‰Œæ ¼å¼ï¼š ``` base64url(user + "," + unixTimestamp) . base64url(DSAç¾å) ``` å…¶ä¸ `unixTimestamp` æ˜¯è¿‡æœŸç»å¯¹æ—¶é—´ï¼ˆç§’çº§ Unix æ—¶é—´æˆ³ï¼‰ã€‚ #### TryDecode - éªŒè¯ä»¤ç‰Œ ```csharp /// <summary>éªŒè¯ä»¤ç‰Œå¹¶æå–è´Ÿè½½</summary> /// <param name="token">ä»¤ç‰Œå—ç¬¦ä¸²</param> /// <param name="user">è¾“å‡ºï¼šç”¨æˆ·æ ‡è¯†</param> /// <param name="expire">è¾“å‡ºï¼šè¿‡æœŸæ—¶é—´</param> /// <returns>true=ä»¤ç‰Œæœ‰æ•ˆä¸”æœªè¿‡æœŸ</returns> public Boolean TryDecode(String token, out String? user, out DateTime expire) ``` éªŒè¯æ¥éª¤ï¼š 1. æŒ‰ `.` åˆ†å‰²ä»¤ç‰Œï¼Œå–æ•°æ®æ®µå’Œç¾åæ®µ 2. Base64url è§£ç æ•°æ®æ®µå’Œç¾åæ®µ 3. ä½¿ç”¨å…¬é’¥éªŒè¯ DSA ç¾å 4. è§£æž `user,unixTimestamp`ï¼Œæ£€æŸ¥è¿‡æœŸæ—¶é—´ ## éƒ¨ç½²æ¨¡å¼ ### å•æœºæ¨¡å¼ï¼ˆç§é’¥æœ¬åœ°ç¾å‘ + éªŒè¯ï¼‰ ``` åº”ç”¨è¿›ç¨‹ Tokenç¾å‘ï¼ˆprivate keyï¼‰ TokenéªŒè¯ï¼ˆpublic keyï¼‰ æ–‡ä»¶ï¼štoken.prvkey + token.pubkeyï¼ˆåŒä¸€ç›®å½•ï¼‰ ``` ### ç½‘å…³é›†ä¸é‰´æƒæ¨¡å¼ ``` [ç¾å‘æœåŠ¡] æŒæœ‰ token.prvkey ç¾å‘ä»¤ç‰Œ [å®¢æˆ·ç«¯App] æºå¸¦ä»¤ç‰Œ [å¾®æœåŠ¡A, B, C, D] å‡æŒæœ‰ token.pubkey æœ¬åœ°éªŒè¯ï¼Œæ— éœ€å›žè°ƒç¾å‘æœåŠ¡ ``` ### å¤šçŽ¯å¢ƒå¯†é’¥éš”ç¦» ```csharp // æŒ‰çŽ¯å¢ƒä½¿ç”¨ä¸åŒå¯†é’¥æ–‡ä»¶ var env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "production"; var provider = new TokenProvider(); provider.ReadKey($"token-{env}.prvkey", true); ``` ## ä½¿ç”¨åœºæ™¯ ### åœºæ™¯ä¸€ï¼šå¾®æœåŠ¡å†…éƒ¨è°ƒç”¨é‰´æƒ ```csharp // gateway å¯åŠ¨æ—¶åˆå§‹åŒ–ç¾å‘è€… var issuer = new TokenProvider(); issuer.ReadKey("gateway.prvkey", true); // ç™»å½•æ—¶ç¾å‘ app.MapPost("/login", (LoginRequest req) => { if (!AuthUser(req)) return Results.Unauthorized(); var token = issuer.Encode(req.Username, TimeSpan.FromHours(8)); return Results.Ok(new { token }); }); // ä¸‹æ¸¸æœåŠ¡éªŒè¯ï¼ˆåªéœ€å…¬é’¥ï¼‰ var verifier = new TokenProvider(); verifier.ReadKey("gateway.pubkey", false); app.Use(async (ctx, next) => { var token = ctx.Request.Headers["X-Token"]; if (!verifier.TryDecode(token, out var user, out _)) { ctx.Response.StatusCode = 401; return; } ctx.Items["user"] = user; await next(); }); ``` ### åœºæ™¯äºŒï¼šIoT è®¾å¤‡æ¿€æ´»ç ```csharp // æŽ§åˆ¶å°å·¥å…·ç”Ÿæˆè®¾å¤‡æ¿€æ´»ç ï¼ˆç§é’¥åœ¨å†…éƒ¨ï¼‰ var provider = new TokenProvider(); provider.ReadKey("activation.prvkey", true); var deviceId = "DEV-20250701-001"; var code = provider.Encode(deviceId, TimeSpan.FromDays(365)); // è®¾å¤‡ç«¯éªŒè¯ï¼ˆå…¬é’¥å†…åµŒåœ¨å›ºä»¶ä¸ï¼‰ var verifier = new TokenProvider { Key = EMBEDDED_PUBLIC_KEY }; if (verifier.TryDecode(code, out var id, out var expire) && id == deviceId) Console.WriteLine("æ¿€æ´»æˆåŠŸ"); ``` ## æ³¨æ„äº‹é¡¹ - ç§é’¥ä¸¥æ ¼ä¿æŠ¤ï¼š`.prvkey` æ–‡ä»¶ä¸è¦æäº¤åˆ°ç‰ˆæœ¬æŽ§åˆ¶ï¼Œåº”é€šè¿‡å¯†é’¥ç®¡ç†ç³»ç»Ÿï¼ˆVault/KMSï¼‰åˆ†å‘ã€‚ - ä»¤ç‰Œä¸å¯æ’¤é”€ï¼šä»¤ç‰Œå†…æ— ä¼šè¯ IDï¼Œæ— æ³•åœ¨è¿‡æœŸå‰ä¸»åŠ¨åŠé”€ï¼Œéœ€é€šè¿‡çŸæœ‰æ•ˆæœŸ + åˆ·æ–°ä»¤ç‰Œç¼“è§£ã€‚ - ä¸å«è§’è‰²ä¿¡æ¯ï¼šè½½è·ä»…å« `user` å’Œè¿‡æœŸæ—¶é—´ï¼Œæƒé™æ£€æŸ¥éœ€åœ¨ä¸šåŠ¡å±‚è‡ªè¡Œå®žçŽ°ã€‚ - ä»…é€‚åˆå†…éƒ¨æœåŠ¡ï¼šå¯¹å¤– API å»ºè®®ä½¿ç”¨æ ‡å‡† JWTï¼ˆOIDCï¼‰ï¼Œ`TokenProvider` é¢å‘å†…éƒ¨é«˜æ€§èƒ½åœºæ™¯ã€‚ - æ—¶é’Ÿåå·®ï¼šç¾å‘å’ŒéªŒè¯æ–¹æœåŠ¡å™¨æ—¶é’Ÿåº”ä¿æŒåœ¨ 30 ç§’å†…ï¼Œå¯åœ¨æœ‰æ•ˆæœŸå†…é¢„ç•™ç¼“å†²ã€‚