我有一个ASP.NET Web API,在登录时返回OAuth2承载令牌。我计划通过JavaScript将刷新令牌存储在cookie中。在我的JS中,我应该检查访问令牌是否已过期以获取新的...在每个需要身份验证的后续API调用之前或某种定时器循环之前?这将是一个异步的Web应用程序,所以我不认为定时器循环是理想的。有什么想法吗?
答案 0 :(得分:0)
我不这样做,如果你可以在javascript中访问你的cookie,这意味着任何XSS脚本都可以劫持它。 Localstorage也不是一个安全的地方。
我建议在服务器上生成令牌后立即将令牌存储在安全的仅限http的cookie中,并将该cookie附加到响应中。
如果您将webAPI 2与oAuth一起使用,则在您的authorizationServer提供程序中,您可以覆盖TokenEndPointReponse
/// <summary>
/// Called when a request to the Token endpoint is finished and gonna be sent back to the client
/// We intercept the token and force the client to write a cookie containing the token value.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override System.Threading.Tasks.Task TokenEndpointResponse(OAuthTokenEndpointResponseContext context)
{
// We set our auth cookie configuration
var cookieOptions = new CookieOptions
{
HttpOnly = true, // immune to JS manipulation
Secure = insertMagicLogicHere(), // we set the cookie to secure in production environment
Path = "/",
Domain = ".mycooldomain.com",
Expires = DateTime.Now.AddMinutes(GlobalAuthSettings.AuthServerOptions.AccessTokenExpireTimeSpan.TotalMinutes)
};
var refreshTokenId = context.OwinContext.Get<string>("as:refreshTokenId");
// We build the authentication object to store in our cookie
var ourTokenObject = new AuthCookie
{
username = context.Properties.Dictionary["userName"],
token = context.AccessToken,
useRefreshTokens = true,
refreshtoken = refreshTokenId
};
// We send it back
context.Response.Cookies.Append("mySecureCookie", JsonConvert.SerializeObject(ourTokenObject), cookieOptions);
return base.TokenEndpointResponse(context);
}
然后在javascript中,您需要确保随每个请求发送cookie。 您可以设置一些Owin Middleware来拦截请求,从cookie解析令牌并将令牌设置为Authorization Header。
要刷新令牌,您可以配置一个Http Interceptor,如果您收到401,它会自动刷新令牌,如果refreshtoken成功,则重试请求。
以下是Angular中的一些代码
//#region Private members
var _retryHttpRequest = function (config, deferred) {
$rootScope.httpRetries++;
console.log('autorefresh');
$http = $http || $injector.get('$http') || $injector.post('$http');
$http(config).then(
function (success) {
$rootScope.httpRetries--;
deferred.resolve(success);
},
function (error) {
console.log("Error in response", rejection);
deferred.reject(error);
});
};
var _refreshToken = function () {
var deferred = $q.defer();
// refresh_token=refreshToken because the refresh_token is serialized in the http cookie and not accessible in javascript, the refreshToken is however stored in the cookie so we can resolve that server side
var data = "grant_type=refresh_token&refresh_token=refreshToken&client_id=" + appState.clientId;
$http = $http || $injector.get('$http');
$http.post(authUrl + '/token', data, {
headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
}).success(function (response) {
deferred.resolve(response);
}).error(function (err, status) {
deferred.reject(err);
});
return deferred.promise;
};
//#endregion Private members
//#region Public members
function _request(config) {
config.withCredentials = true; // forces angular to send cookies in each request
return config;
}
// intercept response errors and refresh token if need be
function _responseError(rejection) {
var deferred = $q.defer();
if (rejection.status === 401 || rejection.status === 403) {
if ($rootScope.httpRetries < 2) {
console.log("calling refreshToken()");
_refreshToken().then(function (response) {
console.log("token refreshed, retrying to connect");
// retry the request if the token was successfully refreshed
_retryHttpRequest(rejection.config, deferred);
}, function (error) {
console.log("_refreshToken error", error);
deferred.reject(rejection);
window.location.reload(true);
});
}
else {
console.log("_refreshToken error", error);
deferred.reject(rejection);
window.location.reload(true);
}
} else {
console.log("Error in response", rejection);
deferred.reject(rejection);
}
return deferred.promise;
};
//#endregion Public members
希望这有帮助。