ASP.NET Core Authentication认证实现方法

追本溯源，从使用开始

首先看一下我们通常是如何使用微软自带的认证，一般在Startup里面配置我们所需的依赖认证服务，这里通过JWT的认证方式讲解

public void ConfigureServices(IServiceCollection services)
{
 services.AddAuthentication(authOpt =>
 {
   authOpt.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
   authOpt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
 })
 .AddJwtBearer(o =>
 {
   o.TokenValidationParameters = new TokenValidationParameters
   {
     //配置自己所要验证的参数

};
 });
}

我们来看一下源码AddAuthentication主要做了什么

public static class AuthenticationServiceCollectionExtensions
{
 public static AuthenticationBuilder AddAuthentication( this IServiceCollection services, Action<AuthenticationOptions> configureOptions)
 {
  if (services == null)
   throw new ArgumentNullException(nameof (services));
  if (configureOptions == null)
   throw new ArgumentNullException(nameof (configureOptions));
  AuthenticationBuilder authenticationBuilder = services.AddAuthentication();
  services.Configure<AuthenticationOptions>(configureOptions);
  return authenticationBuilder;
 }

public static AuthenticationBuilder AddAuthentication( this IServiceCollection services)
 {
  if (services == null)
   throw new ArgumentNullException(nameof (services));
  services.AddAuthenticationCore();
  services.AddDataProtection();
  services.AddWebEncoders();
  services.TryAddSingleton<ISystemClock, SystemClock>();
  return new AuthenticationBuilder(services);
 }

public static AuthenticationBuilder AddAuthentication(
  this IServiceCollection services,
  string defaultScheme)
 {
  return services.AddAuthentication((Action<AuthenticationOptions>) (o => o.DefaultScheme = defaultScheme));
 }

.....
}

ConfigureServices方法基本都是服务的注册，基于微软的风格，这里的AddAuthenticationCore肯定是我们的认证服务注册方法，来看一下

public static class AuthenticationCoreServiceCollectionExtensions
{
 /// <summary>
 /// Add core authentication services needed for <see cref="T:Microsoft.AspNetCore.Authentication.IAuthenticationService" />.
 /// </summary>  
 public static IServiceCollection AddAuthenticationCore(
  this IServiceCollection services)
 {
  if (services == null)
   throw new ArgumentNullException(nameof (services));
  services.TryAddScoped<IAuthenticationService, AuthenticationService>();
  services.TryAddSingleton<IClaimsTransformation, NoopClaimsTransformation>();
  services.TryAddScoped<IAuthenticationHandlerProvider, AuthenticationHandlerProvider>();
  services.TryAddSingleton<IAuthenticationSchemeProvider, AuthenticationSchemeProvider>();
  return services;
 }

/// <summary>
 /// Add core authentication services needed for <see cref="T:Microsoft.AspNetCore.Authentication.IAuthenticationService" />.
 /// </summary>  
 public static IServiceCollection AddAuthenticationCore(
  this IServiceCollection services,
  Action<AuthenticationOptions> configureOptions)
 {
  if (services == null)
   throw new ArgumentNullException(nameof (services));
  if (configureOptions == null)
   throw new ArgumentNullException(nameof (configureOptions));
  services.AddAuthenticationCore();
  services.Configure<AuthenticationOptions>(configureOptions);
  return services;
 }
}

我们看到这里主要注册了AuthenticationService, AuthenticationHandlerProvider, AuthenticationSchemeProvider这三个对象，如文章开头所说，追本溯源，从使用开始，我们先看一下这三个对象是如何在认证体系中使用的，且是如何发挥作用的。

从使用开始

看一下我们的认证管道构建

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
 {
   ...
   app.UseAuthentication();
   ...
 }

public static class AuthAppBuilderExtensions
{
 public static IApplicationBuilder UseAuthentication( this IApplicationBuilder app)
 {
  if (app == null)
   throw new ArgumentNullException(nameof (app));
  return app.UseMiddleware<AuthenticationMiddleware>();
 }
}

这里使用了约定的注册方式UseMiddleware，并且指定使用中间件AuthenticationMiddleware

public class AuthenticationMiddleware
{
 private readonly RequestDelegate _next;

public AuthenticationMiddleware(RequestDelegate next, IAuthenticationSchemeProvider schemes)
 {
  if (next == null)
   throw new ArgumentNullException(nameof (next));
  if (schemes == null)
   throw new ArgumentNullException(nameof (schemes));
  this._next = next;
  this.Schemes = schemes;
 }

public IAuthenticationSchemeProvider Schemes { get; set; }

public async Task Invoke(HttpContext context)
 {
  context.Features.Set<IAuthenticationFeature>((IAuthenticationFeature) new AuthenticationFeature()
  {
   OriginalPath = context.Request.Path,
   OriginalPathBase = context.Request.PathBase
  });
  IAuthenticationHandlerProvider handlers = context.RequestServices.GetRequiredService<IAuthenticationHandlerProvider>();
  foreach (AuthenticationScheme authenticationScheme in await this.Schemes.GetRequestHandlerSchemesAsync())
  {
   IAuthenticationRequestHandler handlerAsync = await handlers.GetHandlerAsync(context, authenticationScheme.Name) as IAuthenticationRequestHandler;
   bool flag = handlerAsync != null;
   if (flag)
    flag = await handlerAsync.HandleRequestAsync();
   if (flag)
    return;
  }
  AuthenticationScheme authenticateSchemeAsync = await this.Schemes.GetDefaultAuthenticateSchemeAsync();
  if (authenticateSchemeAsync != null)
  {
   AuthenticateResult authenticateResult = await context.AuthenticateAsync(authenticateSchemeAsync.Name);//实际的认证业务
   if (authenticateResult?.Principal != null)
    context.User = authenticateResult.Principal;
  }
  await this._next(context);
 }
}

在继续往下之前，我们先看一下这个认证中间件的作用结果，当认证通过时，在HttpContext的User属性（ClaimPrincipal）赋予身份标识，所以在后续的请求管道中都是基于认证结果中的身份标识做鉴权，这个我们会在后面的实际操作中会提到。

言归正传，在这里引出了我们的两个对象AuthenticationHandlerProvider,AuthenticationSchemeProvider。

重要对象讲解

IAuthenticationSchemeProvider

从名字来看，IAuthenticationSchemeProvider的作用应该是提供Scheme的，这也是Provider在微软的风格里面起的作用（类似于工厂模式）。

这个Scheme是什么呢？很明显，在Framework时代，也是有基于不同Scheme验证的，比如Bearer，Cookie，在Aspnet Core中定义不同的Scheme代表着不同的认证处理方式，具体体现是在每个Scheme中包含对应的IAuthenticationHandler类型的Handler，由它来完成跟自身Scheme相关的认证处理。如果没有定义会怎么样？仔细看上面这块源码，只有当AuthenticationScheme不为空时才会做认证，否则一旦在Controller打上鉴权标签[Authorize]，将会直接返回401，所以我们必须指定自己的Scheme。

那么我们在哪里指定我们的Scheme类似呢？我们先返回到ConfigureService的AddJwtBearer，使用过的朋友们肯定知道，这里获取的Scheme是我们在ConfigureService通过Addxxx scheme指定的Scheme类型。这里我们是使用JWT的

在这里指定了TOptions 为JwtBearerOptions，而THandler为JwtBearerHandler。

public virtual AuthenticationBuilder AddScheme<TOptions, THandler>(
  string authenticationScheme,
  string displayName,
  Action<TOptions> configureOptions)
  where TOptions : AuthenticationSchemeOptions, new()
  where THandler : AuthenticationHandler<TOptions>
 {
  return this.AddSchemeHelper<TOptions, THandler>(authenticationScheme, displayName, configureOptions);
 }

private AuthenticationBuilder AddSchemeHelper<TOptions, THandler>(
  string authenticationScheme,
  string displayName,
  Action<TOptions> configureOptions)
  where TOptions : class, new()
  where THandler : class, IAuthenticationHandler
 {
  this.Services.Configure<AuthenticationOptions>((Action<AuthenticationOptions>) (o => o.AddScheme(authenticationScheme, (Action<AuthenticationSchemeBuilder>) (scheme =>
  {
   scheme.HandlerType = typeof (THandler);
   scheme.DisplayName = displayName;
  }))));
  if (configureOptions != null)
   this.Services.Configure<TOptions>(authenticationScheme, configureOptions);
  this.Services.AddTransient<THandler>();
  return this;
 }

注意这里TOptions 是需要继承AuthenticationSchemeOptions的，在这里是JwtBearerOptions，而THandler是AuthenticationHandler<TOptions>类型的Handler，在这里是JwtBearerHandler。

我们回到Scheme的分析继续往下，首先看一下AuthenticationScheme的定义

public class AuthenticationScheme
{
 /// <summary>Constructor.</summary>  
 public AuthenticationScheme(string name, string displayName, Type handlerType)
 {
  if (name == null)
   throw new ArgumentNullException(nameof (name));
  if (handlerType == (Type) null)
   throw new ArgumentNullException(nameof (handlerType));
  if (!typeof (IAuthenticationHandler).IsAssignableFrom(handlerType))
   throw new ArgumentException("handlerType must implement IAuthenticationHandler.");
  this.Name = name;
  this.HandlerType = handlerType;
  this.DisplayName = displayName;
 }

/// <summary>The name of the authentication scheme.</summary>
 public string Name { get; }

/// <summary>
 /// The display name for the scheme. Null is valid and used for non user facing schemes.
 /// </summary>
 public string DisplayName { get; }

/// <summary>
 /// The <see cref="T:Microsoft.AspNetCore.Authentication.IAuthenticationHandler" /> type that handles this scheme.
 /// </summary>
 public Type HandlerType { get; }
}

在这里可以看到，如果要使用Aspnet Core自身的认证体系，需先注册Scheme，并且该Scheme必须指定一个类型为IAuthenticationHandler的Handler，否则会抛出异常。（这个其实在AddxxxScheme的时候已经指定了AuthenticationHandler）

我们再看一下IAuthenticationSchemeProvider的GetRequestHandlerSchemesAsync方法做了什么

public virtual Task<IEnumerable<AuthenticationScheme>> GetRequestHandlerSchemesAsync()
 {
  return Task.FromResult<IEnumerable<AuthenticationScheme>>((IEnumerable<AuthenticationScheme>) this._requestHandlers);
 }

这东西返回了_requestHandlers，这是什么？看代码

public class AuthenticationSchemeProvider : IAuthenticationSchemeProvider
{
 private readonly object _lock = new object();
 private readonly AuthenticationOptions _options;
 private readonly IDictionary<string, AuthenticationScheme> _schemes;
 private readonly List<AuthenticationScheme> _requestHandlers;

/// <summary>
 /// Creates an instance of <see cref="T:Microsoft.AspNetCore.Authentication.AuthenticationSchemeProvider" />
 /// using the specified <paramref name="options" />,
 /// </summary>  
 public AuthenticationSchemeProvider(IOptions<AuthenticationOptions> options)
  : this(options, (IDictionary<string, AuthenticationScheme>) new Dictionary<string, AuthenticationScheme>((IEqualityComparer<string>) StringComparer.Ordinal))
 {
 }

/// <summary>
 /// Creates an instance of <see cref="T:Microsoft.AspNetCore.Authentication.AuthenticationSchemeProvider" />
 /// using the specified <paramref name="options" /> and <paramref name="schemes" />.
 /// </summary>  
 protected AuthenticationSchemeProvider(
  IOptions<AuthenticationOptions> options,
  IDictionary<string, AuthenticationScheme> schemes)
 {
  this._options = options.Value;
  IDictionary<string, AuthenticationScheme> dictionary = schemes;
  if (dictionary == null)
   throw new ArgumentNullException(nameof (schemes));
  this._schemes = dictionary;
  this._requestHandlers = new List<AuthenticationScheme>();
  foreach (AuthenticationSchemeBuilder scheme in this._options.Schemes)
   this.AddScheme(scheme.Build());
 }

public virtual void AddScheme(AuthenticationScheme scheme)
 {
  if (this._schemes.ContainsKey(scheme.Name))
   throw new InvalidOperationException("Scheme already exists: " + scheme.Name);
  lock (this._lock)
  {
   if (this._schemes.ContainsKey(scheme.Name))
    throw new InvalidOperationException("Scheme already exists: " + scheme.Name);
   if (typeof (IAuthenticationRequestHandler).IsAssignableFrom(scheme.HandlerType))
    this._requestHandlers.Add(scheme);
   this._schemes[scheme.Name] = scheme;
  }
 }
.....
}

这东西就是把我们在认证注册服务中指定的scheme，通过解析出的AuthenticationSchemeProvider 的构造函数加载来的，进而返回一系列的List<AuthenticationScheme>，OK拿到这些scheme之后有什么用呢？这里引出了我们的第二个对象AuthenticationHandlerProvider，下面我们来了解一下。

IAuthenticationHandlerProvider

我们看到，AuthenticationMiddleware中用到了IAuthenticationHandlerProvider的GetHandlerAsync方法，那我们先看一下这个方法的作用

public class AuthenticationHandlerProvider : IAuthenticationHandlerProvider
{
 private Dictionary<string, IAuthenticationHandler> _handlerMap = new Dictionary<string, IAuthenticationHandler>((IEqualityComparer<string>) StringComparer.Ordinal);

/// <summary>Constructor.</summary>
 public AuthenticationHandlerProvider(IAuthenticationSchemeProvider schemes)
 {
  this.Schemes = schemes;
 }

/// <summary>
 /// The <see cref="T:Microsoft.AspNetCore.Authentication.IAuthenticationHandlerProvider" />.
 /// </summary>
 public IAuthenticationSchemeProvider Schemes { get; }

/// <summary>Returns the handler instance that will be used.</summary>  
 public async Task<IAuthenticationHandler> GetHandlerAsync( HttpContext context, string authenticationScheme)
 {
  if (this._handlerMap.ContainsKey(authenticationScheme))
   return this._handlerMap[authenticationScheme];
  AuthenticationScheme schemeAsync = await this.Schemes.GetSchemeAsync(authenticationScheme);
  if (schemeAsync == null)
   return (IAuthenticationHandler) null;
  IAuthenticationHandler handler = (context.RequestServices.GetService(schemeAsync.HandlerType) ?? ActivatorUtilities.CreateInstance(context.RequestServices, schemeAsync.HandlerType)) as IAuthenticationHandler;
  if (handler != null)
  {
   await handler.InitializeAsync(schemeAsync, context);
   this._handlerMap[authenticationScheme] = handler;
  }
  return handler;
 }
}

在创建Handler的时候，是先从AuthenticationScheme中获取，如果不存在则通过ActivatorUtilities创建。 获取到Handle后，将会放在_handlerMap字典里面，当下次获取Handler的时候，将直接从缓存中获取。

IAuthenticationService

这个对象是在AuthenticationMiddleware中最后才用到的，而且是基于HttpContext的扩展被调用

public static class AuthenticationHttpContextExtensions
{
 public static Task<AuthenticateResult> AuthenticateAsync(this HttpContext context, string scheme) =>
   context.RequestServices.GetRequiredService<IAuthenticationService>().AuthenticateAsync(context, scheme);

....    
}

这里主要调用了IAuthenticationService的AuthenticateAsync方法，看一下这个方法做了什么

public class AuthenticationService : IAuthenticationService
{
 public IAuthenticationSchemeProvider Schemes { get; }
 public IAuthenticationHandlerProvider Handlers { get; }
 public IClaimsTransformation Transform { get; }

public virtual async Task<AuthenticateResult> AuthenticateAsync(HttpContext context, string scheme)
 {
   if (scheme == null)
   {
     var scheme = (await this.Schemes.GetDefaultAuthenticateSchemeAsync())?.Name;
     if (scheme == null)
       throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultAuthenticateScheme found.");
   }

var handler = await Handlers.GetHandlerAsync(context, scheme);
   if(handler == null)
     throw await this.CreateMissingHandlerException(scheme);
   AuthenticateResult result = await handler.AuthenticateAsync();
   if (result != null && result.Succeeded)      
     return AuthenticateResult.Success(new AuthenticationTicket(await Transform.TransformAsync(result.Principal), result.Properties, result.Ticket.AuthenticationScheme));

return result;
 }
}

这里其实就是我们在前面讲的根据Scheme获取对应的AuthenticationHandler，然后调用AuthenticateAsync()方法，这个方法调用了核心方法HandleAuthenticateOnceAsync，然后再调用HandleAuthenticateAsync()这个核心的认证方法。

从上图看到这个HandleAuthenticateAsync是个抽象方法，我们的子类都需要实现这个方法的动作，基于本文的例子，我们看一下JwtBearerHandler的一个实际认证。

public class JwtBearerHandler : AuthenticationHandler<JwtBearerOptions>
{
 protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 {
  JwtBearerHandler jwtBearerHandler = this;
  string token = (string) null;
  object obj;
  AuthenticationFailedContext authenticationFailedContext;
  int num;
  try
  {
   MessageReceivedContext messageReceivedContext = new MessageReceivedContext(jwtBearerHandler.Context, jwtBearerHandler.Scheme, jwtBearerHandler.Options);
   await jwtBearerHandler.Events.MessageReceived(messageReceivedContext);
   if (messageReceivedContext.Result != null)
    return messageReceivedContext.Result;
   token = messageReceivedContext.Token;
   if (string.IsNullOrEmpty(token))
   {
    string header = (string) jwtBearerHandler.Request.Headers["Authorization"];
    if (string.IsNullOrEmpty(header))
     return AuthenticateResult.NoResult();
    if (header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
     token = header.Substring("Bearer ".Length).Trim();
    if (string.IsNullOrEmpty(token))
     return AuthenticateResult.NoResult();
   }
   if (jwtBearerHandler._configuration == null && jwtBearerHandler.Options.ConfigurationManager != null)
   {
    OpenIdConnectConfiguration configurationAsync = await jwtBearerHandler.Options.ConfigurationManager.GetConfigurationAsync(jwtBearerHandler.Context.RequestAborted);
    jwtBearerHandler._configuration = configurationAsync;
   }
   TokenValidationParameters validationParameters1 = jwtBearerHandler.Options.TokenValidationParameters.Clone();
   if (jwtBearerHandler._configuration != null)
   {
    string[] strArray = new string[1]
    {
     jwtBearerHandler._configuration.Issuer
    };
    TokenValidationParameters validationParameters2 = validationParameters1;
    IEnumerable<string> validIssuers = validationParameters1.get_ValidIssuers();
    object obj1 = (validIssuers != null ? (object) validIssuers.Concat<string>((IEnumerable<string>) strArray) : (object) null) ?? (object) strArray;
    validationParameters2.set_ValidIssuers((IEnumerable<string>) obj1);
    TokenValidationParameters validationParameters3 = validationParameters1;
    IEnumerable<SecurityKey> issuerSigningKeys = validationParameters1.get_IssuerSigningKeys();
    IEnumerable<SecurityKey> securityKeys = (issuerSigningKeys != null ? issuerSigningKeys.Concat<SecurityKey>((IEnumerable<SecurityKey>) jwtBearerHandler._configuration.get_SigningKeys()) : (IEnumerable<SecurityKey>) null) ?? (IEnumerable<SecurityKey>) jwtBearerHandler._configuration.get_SigningKeys();
    validationParameters3.set_IssuerSigningKeys(securityKeys);
   }
   List<Exception> exceptionList = (List<Exception>) null;
   foreach (ISecurityTokenValidator securityTokenValidator in (IEnumerable<ISecurityTokenValidator>) jwtBearerHandler.Options.SecurityTokenValidators)
   {
    if (securityTokenValidator.CanReadToken(token))
    {
     SecurityToken securityToken;
     ClaimsPrincipal claimsPrincipal;
     try
     {
      claimsPrincipal = securityTokenValidator.ValidateToken(token, validationParameters1, ref securityToken);
     }
     catch (Exception ex)
     {
      jwtBearerHandler.Logger.TokenValidationFailed(ex);
      if (jwtBearerHandler.Options.RefreshOnIssuerKeyNotFound && jwtBearerHandler.Options.ConfigurationManager != null && ex is SecurityTokenSignatureKeyNotFoundException)
       jwtBearerHandler.Options.ConfigurationManager.RequestRefresh();
      if (exceptionList == null)
       exceptionList = new List<Exception>(1);
      exceptionList.Add(ex);
      continue;
     }
     jwtBearerHandler.Logger.TokenValidationSucceeded();
     TokenValidatedContext validatedContext = new TokenValidatedContext(jwtBearerHandler.Context, jwtBearerHandler.Scheme, jwtBearerHandler.Options);
     validatedContext.Principal = claimsPrincipal;
     validatedContext.SecurityToken = securityToken;
     TokenValidatedContext tokenValidatedContext = validatedContext;
     await jwtBearerHandler.Events.TokenValidated(tokenValidatedContext);
     if (tokenValidatedContext.Result != null)
      return tokenValidatedContext.Result;
     if (jwtBearerHandler.Options.SaveToken)
      tokenValidatedContext.Properties.StoreTokens((IEnumerable<AuthenticationToken>) new AuthenticationToken[1]
      {
       new AuthenticationToken()
       {
        Name = "access_token",
        Value = token
       }
      });
     tokenValidatedContext.Success();
     return tokenValidatedContext.Result;
    }
   }
   if (exceptionList == null)
    return AuthenticateResult.Fail("No SecurityTokenValidator available for token: " + token ?? "[null]");
   authenticationFailedContext = new AuthenticationFailedContext(jwtBearerHandler.Context, jwtBearerHandler.Scheme, jwtBearerHandler.Options)
   {
    Exception = exceptionList.Count == 1 ? exceptionList[0] : (Exception) new AggregateException((IEnumerable<Exception>) exceptionList)
   };
   await jwtBearerHandler.Events.AuthenticationFailed(authenticationFailedContext);
   return authenticationFailedContext.Result == null ? AuthenticateResult.Fail(authenticationFailedContext.Exception) : authenticationFailedContext.Result;
  }
  catch (Exception ex)
  {
   obj = (object) ex;
   num = 1;
  }
  if (num == 1)
  {
   Exception ex = (Exception) obj;
   jwtBearerHandler.Logger.ErrorProcessingMessage(ex);
   authenticationFailedContext = new AuthenticationFailedContext(jwtBearerHandler.Context, jwtBearerHandler.Scheme, jwtBearerHandler.Options)
   {
    Exception = ex
   };
   await jwtBearerHandler.Events.AuthenticationFailed(authenticationFailedContext);
   if (authenticationFailedContext.Result != null)
    return authenticationFailedContext.Result;
   Exception source = obj as Exception;
   if (source == null)
    throw obj;
   ExceptionDispatchInfo.Capture(source).Throw();
   authenticationFailedContext = (AuthenticationFailedContext) null;
  }
  obj = (object) null;
  token = (string) null;
  AuthenticateResult authenticateResult;
  return authenticateResult;
 }
}

这个方法有点长，主要是从Request.Headers里面获取Authorization的Bearer出来解析，再在AddJwtBearer中传入的委托参数JwtBearerOptions的TokenValidationParameters属性作为依据进行对比来进行认证是否通过与否。

总结

本文对 ASP.NET Core 的认证流程做了一个源码分析流程介绍，由于是源码分析篇，所以可能会比较枯燥和苦涩难懂。在后面的真正使用过程中，然后再结合本篇的一个总结流程，相信大家会逐渐开朗。

• 在Startup类中的ConfigureServices方法通过添加AddAuthentication注册我们最主要的三个对象AuthenticationService, AuthenticationHandlerProvider, AuthenticationSchemeProvider

• 通过AddAuthentication返回的AuthenticationBuilder 通过AddJwtBearer（或者AddCookie）来指定Scheme类型和需要验证的参数

• 在Startup类中的Configure方法通过添加UseAuthentication注册认证中间件

• 在认证过程中，通过AuthenticationSchemeProvider获取正确的Scheme，在AuthenticationService中通过Scheme和AuthenticationHandlerProvider获取正确的AuthenticationHandler，最后通过对应的AuthenticationHandler的AuthenticateAsync方法进行认证流程

来源：https://www.cnblogs.com/lex-wu/p/10512424.html