在HybridAndClientCredentials授予类型中,令牌刷新是否不需要refresh_token吗? 这个问题困扰我很长时间。 是我的设置错误还是OAuth2流修复了规则?
我的情况:
我的步骤:
这是我的客户设置:
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
ClientUri = $"{clientsUrl["Mvc"]}", // public uri of the client
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
AllowAccessTokensViaBrowser = false,
RequireConsent = false,
AllowOfflineAccess = true,
AlwaysIncludeUserClaimsInIdToken = true,
RedirectUris = new List<string>
{
$"{clientsUrl["Mvc"]}/signin-oidc"
},
PostLogoutRedirectUris = new List<string>
{
$"{clientsUrl["Mvc"]}/signout-callback-oidc"
},
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.OfflineAccess,
"orders",
"basket",
"locations",
"marketing",
"webshoppingagg",
"orders.signalrhub"
},
Claims = new List<Claim>{ new Claim("abc","cba") },
AccessTokenLifetime = 60,
RefreshTokenExpiration = TokenExpiration.Sliding,
SlidingRefreshTokenLifetime = 300,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
AuthorizationCodeLifetime = 60,
IdentityTokenLifetime = 60,
}