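/// <summary>
/// Builds a signed JWT access token for <paramref name="user"/> together with the claims it carries.
/// </summary>
/// <param name="user">The authenticated user the token is issued for.</param>
/// <returns>
/// A tuple of the serialized (compact) JWT and the claim list that was signed into it, so the caller
/// can reuse the same claims (e.g. for a cookie principal) without re-parsing the token.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="user"/> is <see langword="null"/>.</exception>
/// <remarks>
/// All time-based claims (iat, nbf, exp) are derived from a single UTC instant so they are mutually consistent.
/// The token is signed with HMAC-SHA256 using the configured symmetric key; the signing library enforces a
/// minimum key length and throws at signing time if the configured key is too short, so the key should be a
/// high-entropy secret of at least 32 bytes — TODO confirm the exact minimum for the library version in use.
/// </remarks>
private async Task<(string AccessToken, IEnumerable<Claim> Claims)> createAccessTokenAsync(User user)
{
    if (user is null)
    {
        throw new ArgumentNullException(nameof(user));
    }

    // IOptions<T>.Value is re-evaluated on every access; read it once.
    var settings = _configuration.Value;
    var issuer = settings.Issuer;

    // One instant for every time-based claim so iat, nbf and exp can never disagree.
    var now = DateTimeOffset.UtcNow;

    // Every claim is issued by this server; the helper keeps the issuer/value-type boilerplate in one place.
    // NOTE(review): the Claim constructor rejects a null value, so a null DisplayName or stored ClaimValue
    // would throw here — confirm those are non-nullable at the source.
    Claim Make(string type, string value)
        => new Claim(type, value, ClaimValueTypes.String, issuer);

    var claims = new List<Claim>
    {
        // Unique id for this token; enables per-token tracking/revocation if the server records it.
        Make(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
        Make(JwtRegisteredClaimNames.Iss, issuer),
        // Issued-at as Unix seconds, culture-invariant so the digits never depend on the server locale.
        new Claim(
            JwtRegisteredClaimNames.Iat,
            now.ToUnixTimeSeconds().ToString(System.Globalization.CultureInfo.InvariantCulture),
            ClaimValueTypes.Integer64,
            issuer),
        Make(ClaimTypes.NameIdentifier, user.Id.ToString()),
        Make(ClaimTypes.Name, user.Username),
        Make("DisplayName", user.DisplayName),
        // Changing the user's serial number server-side is what invalidates tokens/cookies that still
        // carry the old value (presumably compared on the validation path — verify there).
        Make(ClaimTypes.SerialNumber, user.SerialNumber),
        // Custom data slot; currently carries the user id again.
        Make(ClaimTypes.UserData, user.Id.ToString()),
    };

    // Permission claims stored for this user; each becomes a first-class claim in the token.
    var userClaims = await _rolesService.FindUserClaimesAsync(user.Id);
    foreach (var userClaim in userClaims)
    {
        claims.Add(Make(userClaim.ClaimType, userClaim.ClaimValue));
    }

    // Role memberships, exposed as standard role claims so role-based authorization can read them.
    var roles = await _rolesService.FindUserRolesAsync(user.Id);
    foreach (var role in roles)
    {
        claims.Add(Make(ClaimTypes.Role, role.Name));
    }

    var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(settings.Key));
    var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

    var token = new JwtSecurityToken(
        issuer: issuer,
        audience: settings.Audience,
        claims: claims,
        notBefore: now.UtcDateTime,
        expires: now.UtcDateTime.AddMinutes(settings.AccessTokenExpirationMinutes),
        signingCredentials: credentials);

    return (new JwtSecurityTokenHandler().WriteToken(token), claims);
}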
و هر تغییر در claim‌ها در سمت کاربر برابر می‌شود با برگشت توکن دستکاری‌شده از سمت سرور و مسدود شدن دسترسی؟