Thinktecture IdentityServer v3 LogOut for Implicit flow

Time: 2015-07-13 23:16:19

Tags: thinktecture-ident-server

How do you get the id_token for an implicit-flow token so it can be passed as the id_token hint when logging out of the implicit flow, or is there another way? I have the endpoint /connect/endsession?id_token_hint=

I'm not sure how to get the id_token from the implicit flow; what I get back is an access_token and an expiration. Is there a setting for this in IdSvr?

3 answers:

Answer 0: (score: 1)

There are three parts to this.

First, make sure you request an id_token from Identity Server when configuring OIDC authentication in Startup.cs (as @leastprivilege said above):

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = "https://localhost:44301/",
        ...
        ResponseType = "id_token token", // (Here's where we request id_token!)
        ...
    });

Second, in the OIDC notifications, after the security token has been validated, add the id_token to the user's claims:

    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        SecurityTokenValidated = async n =>
        {
            var nid = new ClaimsIdentity(
                n.AuthenticationTicket.Identity.AuthenticationType,
                Constants.ClaimTypes.GivenName,
                Constants.ClaimTypes.Role);

            // get userinfo data
            var userInfoClient = new UserInfoClient(
                new Uri(n.Options.Authority + "/" + Constants.RoutePaths.Oidc.UserInfo),
                n.ProtocolMessage.AccessToken);

            var userInfo = await userInfoClient.GetAsync();
            userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2)));

            // keep the id_token for logout (**This bit**)
            nid.AddClaim(new Claim(Constants.TokenTypes.IdentityToken, n.ProtocolMessage.IdToken));

            n.AuthenticationTicket = new AuthenticationTicket(
                nid,
                n.AuthenticationTicket.Properties);
        },

Finally, on the redirect for logout (also a notification event), add the id_token to the protocol message:

        RedirectToIdentityProvider = n =>
        {
            // only the logout request gets the hint; sign-in requests are left untouched
            if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
            {
                var idTokenHint = n.OwinContext.Authentication.User.FindFirst(Constants.TokenTypes.IdentityToken);

                if (idTokenHint != null)
                {
                    n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                }
            }

            return Task.FromResult(0);
        }
    }

You also need to make sure PostLogoutRedirectUris is set on the client in Identity Server:

    new Client
    {
        Enabled = true,
        ClientName = "(MVC) Web App",
        ClientId = "mvc",
        Flow = Flows.Implicit,
        PostLogoutRedirectUris = new List<string>
        {
            "https://localhost:44300/" // (** The client's Url**)
        }
    }

This ensures the user is offered the option to return to the authorized client when logging out :)

All of this is very similar to the MVC sample at https://identityserver.github.io/Documentation/docsv2/overview/mvcGettingStarted.html

More than you asked for, but hopefully it helps anyone else trying to work this out :)
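The three pieces the answer wires up through the OWIN middleware, written out by hand as an added example (not code from the question, the answers or IdentityServer itself): where the id_token comes from in an implicit-flow response, how the end-session request carrying id_token_hint is built, and why PostLogoutRedirectUris has to be registered on the client. It assumes IdentityServer3's /connect/endsession endpoint; all URLs and token values are constructed sample data.

```javascript
// Parse the fragment of an implicit-flow response. With response_type=id_token token
// the id_token arrives next to the access_token; with response_type=token it is absent,
// which is exactly what the question describes (only access_token and expiration).
function parseImplicitResponse(redirectUrl) {
  const hash = new URL(redirectUrl).hash.replace(/^#/, "");
  const params = new URLSearchParams(hash);
  return {
    idToken: params.get("id_token"),          // null when only "token" was requested
    accessToken: params.get("access_token"),
    expiresIn: params.get("expires_in"),
  };
}

// Build the end-session request the relying party redirects the browser to on logout.
// The stored id_token goes in as id_token_hint (the answer keeps it as a claim).
function buildEndSessionUrl(authority, idTokenHint, postLogoutRedirectUri) {
  if (!idTokenHint) {
    throw new Error("no id_token stored for this session; request response_type=id_token token");
  }
  const url = new URL("/connect/endsession", authority); // assumed IdentityServer3 endpoint
  url.searchParams.set("id_token_hint", idTokenHint);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

// What the identity provider does with post_logout_redirect_uri: it is honoured only
// when it exactly matches a URI registered on the client (PostLogoutRedirectUris).
// Anything else is dropped, and the user stays on the provider's logged-out page.
function resolvePostLogoutRedirect(client, requestedUri) {
  return client.postLogoutRedirectUris.includes(requestedUri) ? requestedUri : null;
}

// Constructed client registration mirroring the answer's "mvc" client.
const mvcClient = { clientId: "mvc", postLogoutRedirectUris: ["https://localhost:44300/"] };
```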

Answer 1: (score: 0)

To get an id_token you have to ask for it. Use response_type=id_token token

Answer 2: (score: 0)

Have you tried this?

ASP.Net Identity Logout

It should create the id token hint automatically.