一、新建net9.0項目WebApplication1，安裝包

  <ItemGroup><PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.7" /><PackageReference Include="Swashbuckle.AspNetCore" Version="9.0.3" /></ItemGroup>

在線生成TOKEN：JWT在線解碼/編碼工具 - 解析、驗證、生成JSON Web Token?

Program.cs

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using Microsoft.OpenApi.Models;
using System.Text;
using System.Text.Json;var builder = WebApplication.CreateBuilder(args);// 配置 JWT 認證
var secretKey = "Tx7S/FjYAnh3LDpyOcysrZ0K6e2cWlIX4p8/X8xV2U0vqY4kbZ4EZFI8s0qc35T5Z80RbTkc0F/JE6UnQzwIcw==";
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>{ // 顯示詳細的 PII 錯誤（僅限開發環境！）options.IncludeErrorDetails = true;  // 👈 返回錯誤詳情options.TokenValidationParameters = new TokenValidationParameters{ValidateIssuerSigningKey = true,IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secretKey)),ValidateIssuer = false,ValidateAudience = false,ValidateLifetime = true,ClockSkew = TimeSpan.Zero};// 捕獲 JWT 驗證事件options.Events = new JwtBearerEvents{OnAuthenticationFailed = context =>{// 捕獲驗證失敗的原因Console.WriteLine($"JWT 驗證失敗: {context.Exception.Message}");// 可以在這里返回自定義錯誤信息（但生產環境不建議返回詳細錯誤）context.Response.StatusCode = 401;context.Response.ContentType = "application/json";var errorMessage = new{error = "Unauthorized",message = context.Exception.Message // 返回具體錯誤信息};return context.Response.WriteAsync(JsonSerializer.Serialize(errorMessage));},OnChallenge = context =>{// 當請求未提供 token 時觸發Console.WriteLine("請求未提供 JWT Token");return Task.CompletedTask;},OnTokenValidated = context =>{// Token 驗證成功時觸發Console.WriteLine("JWT 驗證成功");return Task.CompletedTask;}};});// 配置 Swagger
builder.Services.AddSwaggerGen(c =>
{c.SwaggerDoc("v1", new OpenApiInfo { Title = "JWT Auth API", Version = "v1" });// 添加 JWT 認證支持到 Swaggerc.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme{Description = "JWT Authorization header using the Bearer scheme. Example: \"Authorization: Bearer {token}\"",Name = "Authorization",In = ParameterLocation.Header,Type = SecuritySchemeType.ApiKey,Scheme = "Bearer"});c.AddSecurityRequirement(new OpenApiSecurityRequirement{{new OpenApiSecurityScheme{Reference = new OpenApiReference{Type = ReferenceType.SecurityScheme,Id = "Bearer"}},Array.Empty<string>()}});
}); builder.Services.AddCors(options =>
{options.AddPolicy("AllowAll", policy =>{policy.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader(); // 必須允許 Authorization 頭});
});// 添加服務到容器
builder.Services.AddControllers();var app = builder.Build();// 配置 HTTP 請求管道
if (app.Environment.IsDevelopment())
{app.UseSwagger();app.UseSwaggerUI(c =>{c.SwaggerEndpoint("/swagger/v1/swagger.json", "JWT Auth API v1");});
}app.UseCors("AllowAll");app.UseAuthentication(); // 必須在 UseAuthorization 之前
app.UseAuthorization();app.MapControllers();app.Run();

獲取token:

AuthController

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;namespace JwtAuthApi.Controllers;[ApiController]
[Route("api/[controller]")]
public class AuthController : ControllerBase
{private readonly IConfiguration _configuration;public AuthController(IConfiguration configuration){_configuration = configuration;}[HttpPost("login")][AllowAnonymous]public IActionResult Login([FromBody] LoginModel login){// 這里應該有實際的用戶驗證邏輯// 這里只是示例，直接接受任何用戶名/密碼if (string.IsNullOrEmpty(login.Username)){return BadRequest("Username is required");}// 創建 tokenvar tokenHandler = new JwtSecurityTokenHandler();var key = Encoding.UTF8.GetBytes("Tx7S/FjYAnh3LDpyOcysrZ0K6e2cWlIX4p8/X8xV2U0vqY4kbZ4EZFI8s0qc35T5Z80RbTkc0F/JE6UnQzwIcw==");var tokenDescriptor = new SecurityTokenDescriptor{Subject = new ClaimsIdentity(new[]{new Claim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString()),new Claim(ClaimTypes.Name, login.Username)}),Expires = DateTime.UtcNow.AddHours(1),SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)};var token = tokenHandler.CreateToken(tokenDescriptor);var tokenString = tokenHandler.WriteToken(token);return Ok(new{Token = tokenString,ExpiresIn = (int)TimeSpan.FromHours(1).TotalSeconds});}
}public class LoginModel
{public string Username { get; set; }public string Password { get; set; }
}

WeatherForecastController.cs

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;namespace JwtAuthApi.Controllers;[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{private static readonly string[] Summaries = new[]{"Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"};[HttpGet][Authorize] // 需要認證public IEnumerable<WeatherForecast> Get(){// 可以從 User 中獲取 JWT 中的聲明var userName = User.Identity?.Name;var userId = User.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;Console.WriteLine($"User {userName} (ID: {userId}) accessed weather forecast");return Enumerable.Range(1, 5).Select(index => new WeatherForecast{Date = DateTime.Now.AddDays(index),TemperatureC = Random.Shared.Next(-20, 55),Summary = Summaries[Random.Shared.Next(Summaries.Length)]}).ToArray();}
}public class WeatherForecast
{public DateTime Date { get; set; }public int TemperatureC { get; set; }public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);public string? Summary { get; set; }
}