使用owin中间件和IdentityServer v3刷新令牌

时间:2015-07-28 06:21:42

标签: c# oauth-2.0 openid-connect identityserver3

我最近设置了IdentityServer v3并且它像梦一样运行,但是我遇到了OWIN中间件的麻烦。

我想使用混合流程,因此我可以在后端刷新令牌,而无需用户重定向到IdentityServer每5分钟获取一个新的访问令牌(这也是奇怪的,因为它的设置有一个生命周期在服务器上1小时。)

我在启动时使用了以下配置,并且我的令牌很好,但它似乎永远不会尝试在访问令牌过期后刷新它。我需要一些自定义逻辑来刷新我的令牌吗?

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            ClientSecret = clientSecret, //Not sure what this does?

            Authority = "https://auth.example.com",

            RedirectUri = "http://website.example.com",
            PostLogoutRedirectUri = "http://website.example.com",

            ResponseType = "code id_token token",
            Scope = "openid profile email write read offline_access",

            SignInAsAuthenticationType = "Cookies",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async n =>
                {
                    // filter "protocol" claims
                    var claims = new List<Claim>(from c in n.AuthenticationTicket.Identity.Claims
                                                 where c.Type != "iss" &&
                                                       c.Type != "aud" &&
                                                       c.Type != "nbf" &&
                                                       c.Type != "exp" &&
                                                       c.Type != "iat" &&
                                                       c.Type != "nonce" &&
                                                       c.Type != "c_hash" &&
                                                       c.Type != "at_hash"
                                                 select c);

                    // get userinfo data
                    var userInfoClient = new UserInfoClient(
                        new Uri(n.Options.Authority + "/connect/userinfo"),
                        n.ProtocolMessage.AccessToken);

                    var userInfo = await userInfoClient.GetAsync();
                    userInfo.Claims.ToList().ForEach(ui => claims.Add(new Claim(ui.Item1, ui.Item2)));

                    // get access and refresh token
                    var tokenClient = new OAuth2Client(
                        new Uri(n.Options.Authority + "/connect/token"),
                        clientId,
                        clientSecret);

                    var response = await tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri);

                    claims.Add(new Claim("access_token", response.AccessToken));
                    claims.Add(new Claim("expires_at", DateTime.UtcNow.AddSeconds(response.ExpiresIn).ToLocalTime().ToString(CultureInfo.InvariantCulture)));
                    claims.Add(new Claim("refresh_token", response.RefreshToken));
                    claims.Add(new Claim("id_token", n.ProtocolMessage.IdToken));

                    //Does this help?
                    n.AuthenticationTicket.Properties.AllowRefresh = true;

                    n.AuthenticationTicket = new AuthenticationTicket(
                        new ClaimsIdentity(
                            claims.Distinct(new ClaimComparer()),
                            n.AuthenticationTicket.Identity.AuthenticationType),
                        n.AuthenticationTicket.Properties);
                },

                RedirectToIdentityProvider = async n =>
                {
                    // if signing out, add the id_token_hint
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                    {
                        var id = n.OwinContext.Authentication.User.FindFirst("id_token");

                        if (id != null)
                        {
                            var idTokenHint = id.Value;
                            n.ProtocolMessage.IdTokenHint = idTokenHint;
                        }
                    }
                }
            }
        });

我也在我的ApiClient(RestSharp)中使用以下内容,它与我的资源api对话

public class MyTokenAuthenticator : IAuthenticator
{
    public void Authenticate(IRestClient client, IRestRequest request)
    {
        var tokenClaim = ClaimsPrincipal.Current.Claims.FirstOrDefault(c => c.Type.Equals("access_token"));

        if (tokenClaim != null && !String.IsNullOrWhiteSpace(tokenClaim.Value))
            request.AddHeader("Authorization", String.Format("Bearer {0}", tokenClaim.Value));
    }
}

1 个答案:

答案 0 :(得分:2)

我能够获得刷新令牌,然后使用它来获取新的访问令牌: 我遵循与你类似的逻辑来获得一个令牌。 我创建了以下方法,每次需要令牌时都会调用该方法:

private static async Task CheckAndPossiblyRefreshToken(ClaimsIdentity id)
    {
        var clientName = "Myhybridclient";
        // check if the access token hasn't expired.
        if (DateTime.Now.ToLocalTime() >=
             (DateTime.Parse(id.FindFirst("expires_at").Value)))
        {
            // expired.  Get a new one.
            var tokenEndpointClient = new OAuth2Client(
                new Uri(Constants.TokenEndpoint),
                clientName,
                "secret");

            var tokenEndpointResponse =
                await tokenEndpointClient
                .RequestRefreshTokenAsync(id.FindFirst("refresh_token").Value);

            if (!tokenEndpointResponse.IsError)
            {
                // replace the claims with the new values - this means creating a 
                // new identity!                              
                var result = from claim in id.Claims
                             where claim.Type != "access_token" && claim.Type != "refresh_token" &&
                                   claim.Type != "expires_at"
                             select claim;

                var claims = result.ToList();

                claims.Add(new Claim("access_token", tokenEndpointResponse.AccessToken));
                claims.Add(new Claim("expires_at",
                             DateTime.Now.AddSeconds(tokenEndpointResponse.ExpiresIn)
                             .ToLocalTime().ToString()));
                claims.Add(new Claim("refresh_token", tokenEndpointResponse.RefreshToken));

                var newIdentity = new ClaimsIdentity(claims, "Cookies");
                var wrapper = new HttpRequestWrapper(HttpContext.Current.Request);
                wrapper.GetOwinContext().Authentication.SignIn(newIdentity);
            }
            else
            {
                // log, ...
                throw new Exception("An error has occurred");
            }
        }
    }