前言：本文将会结合asp.net core 认证源码来分析起认证的原理与流程。asp.net core版本2.2

对于大部分使用asp.net core开发的人来说。

下面这几行代码应该很熟悉了。

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.RequireHttpsMetadata = false;
                    options.Audience = "sp_api";
                    options.Authority = "http://localhost:5001";
                    options.SaveToken = true;
                    
                })         

 app.UseAuthentication();

废话不多说。直接看 app.UseAuthentication()的源码

 public class AuthenticationMiddleware
    {
        private readonly RequestDelegate _next;

        public AuthenticationMiddleware(RequestDelegate next, IAuthenticationSchemeProvider schemes)
        {
            if (next == null)
            {
                throw new ArgumentNullException(nameof(next));
            }
            if (schemes == null)
            {
                throw new ArgumentNullException(nameof(schemes));
            }

            _next = next;
            Schemes = schemes;
        }

        public IAuthenticationSchemeProvider Schemes { get; set; }

        public async Task Invoke(HttpContext context)
        {
            context.Features.Set<IAuthenticationFeature>(new AuthenticationFeature
            {
                OriginalPath = context.Request.Path,
                OriginalPathBase = context.Request.PathBase
            });

            // Give any IAuthenticationRequestHandler schemes a chance to handle the request
            var handlers = context.RequestServices.GetRequiredService<IAuthenticationHandlerProvider>();
            foreach (var scheme in await Schemes.GetRequestHandlerSchemesAsync())
            {
                var handler = await handlers.GetHandlerAsync(context, scheme.Name) as IAuthenticationRequestHandler;
                if (handler != null && await handler.HandleRequestAsync())
                {
                    return;
                }
            }

            var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync();
            if (defaultAuthenticate != null)
            {
                var result = await context.AuthenticateAsync(defaultAuthenticate.Name);
                if (result?.Principal != null)
                {
                    context.User = result.Principal;
                }
            }

            await _next(context);
        }

现在来看看var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync(); 干了什么。

在这之前。我们更应该要知道上面代码中  public IAuthenticationSchemeProvider Schemes { get; set; } ，假如脑海中对这个IAuthenticationSchemeProvider类型的来源，有个清晰认识，对后面的理解会有很大的帮助

现在来揭秘IAuthenticationSchemeProvider 是从哪里来添加到ioc的。

  public static AuthenticationBuilder AddAuthentication(this IServiceCollection services)
        {
            if (services == null)
            {
                throw new ArgumentNullException(nameof(services));
            }

            services.AddAuthenticationCore();
            services.AddDataProtection();
            services.AddWebEncoders();
            services.TryAddSingleton<ISystemClock, SystemClock>();
            return new AuthenticationBuilder(services);
        }

红色代码内部逻辑中就把IAuthenticationSchemeProvider添加到了IOC中。先来看看services.AddAuthenticationCore()的源码，这个源码的所在的解决方案的仓库地址是https://github.com/aspnet/HttpAbstractions，这个仓库目前已不再维护，其代码都转移到了asp.net core 仓库 。

下面为services.AddAuthenticationCore()的源码

 public static class AuthenticationCoreServiceCollectionExtensions
    {
        /// <summary>
        /// Add core authentication services needed for <see cref="IAuthenticationService"/>.
        /// </summary>
        /// <param name="services">The <see cref="IServiceCollection"/>.</param>
        /// <returns>The service collection.</returns>
        public static IServiceCollec