How do you refresh an expired access token when it is stored as a claim in the cookie?

Time: 2017-11-06 16:33:05

Tags: identityserver4 owin-middleware

Using an Identity Server 4 server.

In the client's Startup.Auth.cs:

    // Namespaces the types below come from (go at the top of Startup.Auth.cs):
    using System;
    using System.Security.Claims;
    using System.Web.Helpers;
    using Microsoft.AspNet.Identity;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    // Client-side OWIN pipeline: a local session cookie plus OpenID Connect
    // against IdentityServer4 using the implicit flow ("id_token token").
    private static void ConfigureAuth(IAppBuilder app)
    {
        ISettingsReader settingsReader = Services.Resolve<ISettingsReader>();

        // Local session cookie: one-hour sliding lifetime, Secure and HttpOnly.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            ExpireTimeSpan = new TimeSpan(1, 0, 0),
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,
            SlidingExpiration = true
        });

        var platformUri = settingsReader.GetSetting("PlatformUri")?.TrimEnd('/');
        var platformApiKey = settingsReader.GetSetting("PlatformApiKey");
        var deploymentURL = settingsReader.GetSetting("deploymentURL")?.TrimEnd('/');

        var authority = $"{platformUri}/identity";

        // The API key is split into client id and secret by a helper not shown in the post.
        string clientSecret;
        string clientId = SplitApiKey(platformApiKey, out clientSecret);

        var options = new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Authority = authority,
            RedirectUri = $"{deploymentURL}/signin/callback",
            // Implicit flow: both tokens arrive in the front-channel response and no refresh token is issued.
            ResponseType = "id_token token",
            Scope = "platform openid",
            // Cookie lifetime is governed by ExpireTimeSpan above, not by the id_token's exp claim.
            UseTokenLifetime = false,
            SignInAsAuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = SecurityTokenValidatedHandler,
                RedirectToIdentityProvider = RedirectToIdentityProviderHandler,
            }
        };

        app.UseOpenIdConnectAuthentication(options);

        // Anti-forgery tokens are bound to the NameIdentifier claim of the signed-in user.
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
    }

Note - the cookie expiry time span has been set to 5 minutes for debugging; normally it is set to an hour.

The access_token is then stored in the validated handler (following several articles) so that we can use it later for API calls:

    // Additional namespaces for this handler:
    //   using System.Linq; using System.Threading.Tasks;
    //   using Microsoft.IdentityModel.Protocols; using Microsoft.Owin.Security.Notifications;

    // Copies the interesting access-token claims into the cookie identity and stores the raw
    // tokens themselves as claims, so later API calls can read them back from the cookie.
    private static Task SecurityTokenValidatedHandler(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        // JsonWebToken.Parse is the poster's own helper for decoding the JWT payload.
        var jwtDetails = JsonWebToken.Parse(notification.ProtocolMessage.AccessToken);

        notification.AuthenticationTicket.Identity.AddClaims(
            jwtDetails.Claims.Where(c => DesiredAccessTokenClaims.Contains(c.Type)));

        // Both tokens end up inside the protected auth cookie; nothing here ever refreshes them.
        notification.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", notification.ProtocolMessage.AccessToken));
        notification.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", notification.ProtocolMessage.IdToken));

        // Nothing is awaited, so return a completed task rather than marking the method async.
        return Task.FromResult(0);
    }

This works fine. However, although the cookie refreshes itself automatically through sliding expiration (usually after 2-3 minutes rather than the full 5), there seems to be no way to refresh the access token held in the claims, so while the user stays logged in, the access token becomes useless once it has expired.

Is this the right approach? If so, is there a way to update the access token in the claims in the background without disturbing the user? The ideal solution seems to be to have the cookie refresh also fire SecurityTokenValidatedHandler so that the new claims can be added to the new cookie, but despite looking at CookieManager etc., there does not seem to be an event that fires when the cookie is refreshed by sliding expiration. Does anyone know of a way to do this?

Many thanks for your time!

1 answer:

Answer 0 (score: 0)

In case anyone runs into this, the answer was to change from implicit to hybrid. Hybrid allows refresh tokens; implicit, not so much. In our case we needed hybrid and client credentials.
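The switch the answer describes, carried through as an added example (this is not code from the question or the answer): the OWIN client is reconfigured for the hybrid flow so that IdentityServer4 issues a refresh token, and the cookie middleware's OnValidateIdentity hook, which runs on every request that presents the cookie, is used as the "event on cookie refresh" the question was looking for. Assumptions: Katana 3.x middleware, the TokenClient from the IdentityModel library, the IdentityServer4 default token endpoint at {authority}/connect/token, and a client registered on the server with the hybrid grant type and AllowOfflineAccess = true. The Authority, ClientId, ClientSecret and RedirectUri values, the RefreshMargin, and the refresh_token and expires_at claim names are placeholders chosen for this example.

```csharp
// Added example, not code from the original question or answer. Hybrid-flow OWIN client
// for IdentityServer4 with a cookie hook that refreshes the access token transparently.
// Assumed: Katana 3.x, IdentityModel's TokenClient, the default {authority}/connect/token
// endpoint, and a client registered with the hybrid grant type and AllowOfflineAccess = true.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel.Client;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public static class HybridAuthConfig
{
    // Placeholder values; a real application reads these from configuration.
    private const string Authority = "https://platform.example/identity";
    private const string ClientId = "client-id";
    private const string ClientSecret = "client-secret";
    private const string RedirectUri = "https://app.example/signin/callback";
    private const string TokenEndpoint = Authority + "/connect/token";
    // Refresh this long before the access token actually expires.
    private static readonly TimeSpan RefreshMargin = TimeSpan.FromMinutes(1);

    public static void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            ExpireTimeSpan = TimeSpan.FromHours(1),
            SlidingExpiration = true,
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,
            // Runs on every request that presents the cookie: the hook the question asked for.
            Provider = new CookieAuthenticationProvider { OnValidateIdentity = RefreshAccessTokenIfExpiring }
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            ClientSecret = ClientSecret,
            Authority = Authority,
            RedirectUri = RedirectUri,
            // Hybrid flow: id_token on the front channel, code redeemed on the back channel.
            ResponseType = "code id_token",
            // offline_access is what makes IdentityServer4 issue a refresh token.
            Scope = "openid platform offline_access",
            UseTokenLifetime = false,
            SignInAsAuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = RedeemCodeAndStoreTokens
            }
        });
    }

    // Back-channel exchange of the code for access + refresh tokens, authenticated with the client secret.
    private static async Task RedeemCodeAndStoreTokens(AuthorizationCodeReceivedNotification n)
    {
        var client = new TokenClient(TokenEndpoint, ClientId, ClientSecret);
        var response = await client.RequestAuthorizationCodeAsync(n.Code, n.Options.RedirectUri);
        if (response.IsError) throw new InvalidOperationException("Code redemption failed: " + response.Error);
        StoreTokenClaims(n.AuthenticationTicket.Identity, response);
    }

    private static async Task RefreshAccessTokenIfExpiring(CookieValidateIdentityContext context)
    {
        var identity = context.Identity;
        var expiresAt = identity.FindFirst("expires_at")?.Value;
        var refreshToken = identity.FindFirst("refresh_token")?.Value;
        if (expiresAt == null || refreshToken == null) return;
        var expiry = DateTimeOffset.FromUnixTimeSeconds(long.Parse(expiresAt));
        if (DateTimeOffset.UtcNow + RefreshMargin < expiry) return; // access token still usable

        var client = new TokenClient(TokenEndpoint, ClientId, ClientSecret);
        var response = await client.RequestRefreshTokenAsync(refreshToken);
        if (response.IsError)
        {
            // Refresh token revoked or expired: end the session rather than keep a
            // "logged in" user whose access token is dead.
            context.RejectIdentity();
            return;
        }
        var renewed = new ClaimsIdentity(identity.Claims, identity.AuthenticationType,
                                         identity.NameClaimType, identity.RoleClaimType);
        StoreTokenClaims(renewed, response);
        context.ReplaceIdentity(renewed);                                       // for this request
        context.OwinContext.Authentication.SignIn(context.Properties, renewed); // re-issue the cookie
    }

    private static void StoreTokenClaims(ClaimsIdentity identity, TokenResponse response)
    {
        foreach (var type in new[] { "access_token", "refresh_token", "expires_at" })
            foreach (var old in identity.FindAll(type).ToList()) identity.RemoveClaim(old);
        identity.AddClaim(new Claim("access_token", response.AccessToken));
        // IdentityServer4 issues one-time-use refresh tokens by default, so always keep the newest.
        identity.AddClaim(new Claim("refresh_token", response.RefreshToken));
        var expiresAt = DateTimeOffset.UtcNow.AddSeconds(response.ExpiresIn).ToUnixTimeSeconds();
        identity.AddClaim(new Claim("expires_at", expiresAt.ToString()));
    }
}
```

Two things to watch when using this pattern: because IdentityServer4 rotates refresh tokens on use by default, two concurrent requests from the same browser can race, with the second one presenting an already-consumed refresh token and being rejected, so either serialize the refresh per session or configure reuse on the server; and the refresh token now lives inside the auth cookie, which is why the cookie must stay Secure and HttpOnly and why the cookie's protection key must be treated as a secret that grants long-lived API access.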