我已经为Amazon Alexa用例实现了IdentityServer4,并且似乎在refresh_tokens到期方面遇到了问题:
我的客户端设置如下:
new Client
{
ClientId = AlexaUsername,
ClientName = "Amazon Alexa",
ClientUri = "https://alexa.amazon.co.uk",
LogoUri = "/images/alexa.png",
// Authorization-code flow: an interactive user signs in (and consents) at this server;
// the secret below authenticates the Alexa client at the token endpoint.
// (The original comment here, "no interactive user", was copied from a
// client-credentials sample and did not match GrantTypes.Code.)
AllowedGrantTypes = GrantTypes.Code,
// secret for authentication
ClientSecrets =
{
new Secret(...)
},
// Permitted redirect URIs come from configuration. NOTE(review): IdentityServer's
// default redirect-URI validator compares the whole string — confirm the configured
// values match what Alexa actually sends (scheme, host, path, no stray trailing slash).
RedirectUris = Options.AlexaService.PermittedUris,
// scopes that client has access to
AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, AlexaApiScope },
// Both flags widen what leaves the server: user claims are embedded in every id_token
// and client claims in every access token. Keep this in mind when adding claims.
AlwaysIncludeUserClaimsInIdToken = true,
AlwaysSendClientClaims = true,
// Enables the offline_access scope, i.e. refresh tokens are issued to this client.
AllowOfflineAccess = true,
// Sliding expiry with no absolute cap: the refresh token stays valid for as long as it
// is used at least once per SlidingRefreshTokenLifetime (not set here, so the
// IdentityServer4 default applies — confirm the value for the version in use).
RefreshTokenExpiration = TokenExpiration.Sliding,
AbsoluteRefreshTokenLifetime = 0,
// NOTE(review): RefreshTokenUsage is not set, so the IdentityServer4 default
// (TokenUsage.OneTimeOnly) applies: each refresh token is consumed when used and a new
// one is returned. A client that retries a refresh with an already-consumed token then
// gets "not found in store", which is consistent with the log below. Setting
// TokenUsage.ReUse removes rotation, so a leaked refresh token remains usable until it
// expires; prefer keeping OneTimeOnly if the relying party can store the rotated token.
AccessTokenLifetime = 3600,
AuthorizationCodeLifetime = 360,
AllowRememberConsent = true
}
我的服务定义如下(注意:cert 不为 null):
services.AddIdentity<ApplicationUser, ApplicationRole>(config =>
{
//config.SignIn.RequireConfirmedEmail = true;
//https://docs.microsoft.com/en-us/aspnet/core/security/authentication/accconfirm?tabs=aspnetcore2x%2Csql-server
// ASP.NET Identity lockout: lock the account after 7 failed sign-in attempts.
config.Lockout.MaxFailedAccessAttempts = 7;
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddRoleManager<ApplicationRoleManager>()
.AddDefaultTokenProviders();
// Add application services.
services.AddTransient<IEmailSender, EmailSender>();
// Token-signing certificate; a null result selects the developer branch below.
X509Certificate2 cert = GetCertificateIssuer(settings);
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
// NOTE(review): building a provider inside ConfigureServices creates a second,
// independent container (analyzer warning ASP0000) that is never disposed. The
// IDataSecurityService resolved from it is a separate instance from the one the
// application container will later create, and only registrations made above this
// line are visible to it. Resolving the dependency at runtime (e.g. from a client
// store registered with IdentityServer) avoids this; left as-is here.
var nestedServices = services.BuildServiceProvider();
var DataSecurityService = nestedServices.GetService<IDataSecurityService>();
if (cert == null)
{
// Development configuration: temporary signing key and in-memory stores.
// Persisted grants (refresh tokens, authorization codes, consents) are then held
// only in process memory, so an app-pool/process restart invalidates every
// outstanding refresh token. This branch is NOT the one running when cert is set.
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryPersistedGrants()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients(DataSecurityService))
.AddAspNetIdentity<ApplicationUser>();
}
else
{
// Production configuration: certificate-backed signing plus EF-backed
// configuration and operational stores, so persisted grants survive restarts.
services.AddIdentityServer(options => { options.IssuerUri = settings.Authority;
options.PublicOrigin = settings.Authority;
})
.AddSigningCredential(cert)
.AddConfigurationStore(options =>
{
// Same connection string and migrations assembly as the operational store
// below; the lambda is duplicated verbatim.
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"),
sql => sql.MigrationsAssembly(migrationsAssembly));
})
//.AddInMemoryPersistedGrants()
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"),
sql => sql.MigrationsAssembly(migrationsAssembly));
// this enables automatic token cleanup. this is optional.
// NOTE(review): cleanup is expected to delete only grants whose expiration has
// passed (confirm for the version in use); with a sliding refresh token and
// AbsoluteRefreshTokenLifetime = 0 the stored token has a long expiry, so cleanup
// is unlikely to explain "not found in store". 30 s is a very short interval
// (the default is 3600) and costs a database query each tick.
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30; // interval in seconds
})
.AddAspNetIdentity<ApplicationUser>();
}
我在日志中看到了这个
2018-08-04 09:24:40.091 +01:00 [DBG] Start token request validation
2018-08-04 09:24:40.098 +01:00 [DBG] Start validation of refresh token request
2018-08-04 09:24:40.119 +01:00 [DBG] eny2fizHyrW3t98T2oOqNN+wy8thQvUsNz3HDL8UhjU= found in database: false
2018-08-04 09:24:40.119 +01:00 [DBG] refresh_token grant with value: f9f345127502ac6b72598404ff9be5bba041224393f5332c7262acfa7f6157c5 not found in store.
2018-08-04 09:24:40.119 +01:00 [ERR] Invalid refresh token
2018-08-04 09:24:40.120 +01:00 [ERR] Refresh token validation failed. aborting.
2018-08-04 09:24:40.164 +01:00 [ERR] {
"ClientId": "xxx",
"ClientName": "Amazon Alexa",
"GrantType": "refresh_token",
"Raw": {
"grant_type": "refresh_token",
"refresh_token": "xxx",
"client_id": "xxxx"
}
}
我猜测的是,随着IIS服务器重新启动,刷新令牌变得无效,并且没有被持久化保存。为了获得Alexa所需的永久有效的刷新令牌,我需要更改什么?
答案 0 :(得分:0)
添加RefreshTokenUsage = TokenUsage.ReUse
似乎已经解决了问题;这段代码是从上面的链接复制的(我尚未验证是否确实需要它)