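IdentityServer ASP.NET client: force logout on timeout

Time: 2018-05-30 16:00:12

Tags: asp.net-identity identityserver4 openid-connect identityserver3

I have a question about timeouts and IdentityServer. Currently I have a Web Forms client that is authorized through IdentityServer, which issues a cookie. After 10 minutes of inactivity this cookie expires, and the user is directed to the auth endpoint and automatically re-authorized. Is it possible to bypass this re-authentication step and automatically log the user out? Failing that, could the user be forced to the identity login page? Ideally, I don't want other clients authorized through the same identity server to have this ten-minute timeout rule. My current setup is as follows:

Client startup: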

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType("Cookies");

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            ExpireTimeSpan = TimeSpan.FromMinutes(10),
            SlidingExpiration = true
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "oidc",
            Authority = "IdentityUrl",
            ClientId = "ClientId",
            ClientSecret = "ClientSecret",
            RedirectUri = "RedirectUri",
            ResponseType = "code id_token",
            Scope = "scopes",
            PostLogoutRedirectUri = "PostLogoutRedirectUri",
            RequireHttpsMetadata = true,
            UseTokenLifetime = false,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                        context.ProtocolMessage.IdTokenHint = context.OwinContext.Authentication
                                                                                 .User.FindFirst(Constants.ResponseTypes.IdToken)?.Value;

                    return Task.FromResult(0);
                },
                SecurityTokenValidated = n =>
                {
                    var id = n.AuthenticationTicket.Identity;

                    id.AddClaim(new Claim(Constants.ResponseTypes.IdToken, n.ProtocolMessage.IdToken));
                    n.AuthenticationTicket = new AuthenticationTicket(id, n.AuthenticationTicket.Properties);

                    return Task.FromResult(0);
                }
            }
        });

        app.UseStageMarker(PipelineStage.Authenticate);

    }
}

Default.aspx:

public partial class _Default : HSTPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Context.Request.IsAuthenticated) Response.Redirect("HomePageUrl");
        else
        {
            HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties
            {
                RedirectUri = "CallBackUrl"
            });
        }
    }
}

Finally, the identity server configuration:

var idpAssemblyName = GetAssemblyName<Startup>();
services.AddIdentityServer()
        .AddSigningCredential(LoadCertificateFromStore(_configuration))
        .AddConfigurationStore(storeOptions => storeOptions.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, options => options.MigrationsAssembly(idpAssemblyName)))
        .AddOperationalStore(storeOptions => storeOptions.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, options => options.MigrationsAssembly(idpAssemblyName)))
        .AddAspNetIdentity<IdentityUser>();

1 answer:

Answer 0: (score: 0)

Add Challenge() in the RedirectToIdentityProvider notification:

RedirectToIdentityProvider = context =>
{
    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
        context.ProtocolMessage.IdTokenHint = context.OwinContext.Authentication
                                                                 .User.FindFirst(Constants.ResponseTypes.IdToken)?.Value;

    // The lambda parameter is named "context"; "n" is not defined in this handler.
    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Token)
    {
        context.OwinContext.Authentication.Challenge();
    }

    return Task.FromResult(0);
},
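
Added example (not part of the question or the answer above, and not IdentityServer's own code): the OpenID Connect way to make one client skip the silent re-authorization is to send prompt=login on its authentication requests and then check the auth_time claim of the returned ID token, because the prompt parameter passes through the browser. It assumes Katana 4.x with the IdentityModel 5.x namespaces; the class name, the IsFresh helper and the 2-minute tolerance are hypothetical, and the two handler bodies would be merged into the client's existing notifications.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;

// Hypothetical helper showing the two handlers; merge their bodies into the
// existing Notifications of the one client that needs the forced login.
public static class ForcedLoginNotifications
{
    // Assumed tolerance for clock skew between the client and the identity server.
    private static readonly TimeSpan MaxAuthAge = TimeSpan.FromMinutes(2);
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    public static OpenIdConnectAuthenticationNotifications Create()
    {
        return new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = context =>
            {
                // prompt=login (OpenID Connect Core) asks the provider to show its
                // login page even when its own session cookie is still valid.
                if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    context.ProtocolMessage.Prompt = "login";
                return Task.FromResult(0);
            },
            SecurityTokenValidated = context =>
            {
                // The prompt parameter can be removed from the URL in the browser,
                // so verify that the user really authenticated just now.
                if (!IsFresh(context.ProtocolMessage.IdToken, DateTime.UtcNow))
                    throw new SecurityTokenValidationException("auth_time missing or too old.");
                return Task.FromResult(0);
            }
        };
    }

    // True when the ID token's auth_time (seconds since the Unix epoch) is within MaxAuthAge of utcNow.
    public static bool IsFresh(string idToken, DateTime utcNow)
    {
        var claim = new JwtSecurityToken(idToken).Claims.FirstOrDefault(c => c.Type == "auth_time");
        long seconds;
        if (claim == null || !long.TryParse(claim.Value, out seconds))
            return false;
        return utcNow - Epoch.AddSeconds(seconds) <= MaxAuthAge;
    }
}
```

Because only this client sends prompt=login, other clients of the same identity server keep their normal single sign-on behaviour.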