这是我的基本设计: 使用OIDC Javascript库实现安全性的Angular 7前端 适用于所有数据层工作的.NET Core v2 API 用于OAuth的.NET Core Identity 4服务器(与API分开的服务器)
我收到许多意外的401错误。这些不应该发生,用户已授权,我可以在日志中看到该用户已授权。因此,我只能认为这一定是时序问题或设置问题。安全在大多数情况下都有效,可以说有90%到95%的时间可以正常工作,因此我的基本设置很好。除了计时问题外,我不知道该怎么办。
这是我的OIDC配置:
const config = {
clockSkew: 60*60*24*365*100, // Effectively disable clock skew
authority: Endpoint.STSAuthority,
client_id: Constants.clientKey,
redirect_uri: `${location.protocol}//${location.host}/assets/loginRedirect.html`,
scope: `openid profile ${Constants.apiKey} `,
response_type: 'id_token token',
post_logout_redirect_uri: `${location.protocol}//${location.host}/assets/logoutRedirect.html`,
userStore: new WebStorageStateStore({ store: window.localStorage }),
automaticSilentRenew: true,
staleStateAge: 60 * 60, // 60 minutes
accessTokenExpiringNotificationTime: 60 * 2, // 2 minutes
silent_redirect_uri: `${location.protocol}//${location.host}/assets/silentRedirect.html`
};
这是我的STS配置:
new Client
{
ClientId = $"Example-STS-{this._programSettings.Site}",
ClientName = $"Example {this._programSettings.Site} STS",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RequireConsent = false,
RedirectUris = this._securitySection.RedirectUris,
PostLogoutRedirectUris = this._securitySection.PostLogoutRedirectUris,
AllowedCorsOrigins = new List<string> { this._securitySection.AllowFrom },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
$"Example-API-{this._programSettings.Site}"
},
IdentityTokenLifetime=60*30, // 30 minutes
AccessTokenLifetime=60*60*2, // 2 hours
}
这是我的OIDC对象在401未经授权时的转储(个人信息已删除):
User: {
"_settings": {
"_response_type": "id_token",
"_scope": "openid",
"_filterProtocolClaims": true,
"_loadUserInfo": true,
"_staleStateAge": 900,
"_clockSkew": 3153600000,
"_userInfoJwtIssuer": "OP",
"_stateStore": {
"_store": {
"authContext": {
"loginKey": "68F7AD86DE3B427C98B02DF1BE7D9959",
"id": "5d77965b-e874-45e1-bb1f-08a6eaf2e773"
},
"oidc.b0add291aa304938b8246800c7729912": {
"id": "b0add291aa304938b8246800c7729912",
"created": 1555734037,
"nonce": "5476718e1373406bab9e452b8f9dbf31",
"redirect_uri": "https://www.example.com/assets/silentRedirect.html",
"authority": "https://prodsts.example.com:4252/",
"client_id": "example-STS-Prod"
},
"oidc.user:https://prodsts.example.com:4252/:example-STS-Prod": {
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhhZjhkODA0ZGNlNWI3NjZjODZlZTJmZjRhYzY4YWMwIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTU3MjUwNzIsImV4cCI6MTU1NTcyNjg3MiwiaXNzIjoiaHR0cHM6Ly9wcm9kc3RzLmJvb21lcmFuZ2RtLmNvbTo0MjUyIiwiYXVkIjoiQm9vbWVyYW5nRE0tU1RTLVByb2QiLCJub25jZSI6IjdjMDE2ZWJiZWJlYzRiNjg5Y2U5NTMwOTkyYmQxMGI3IiwiaWF0IjoxNTU1NzI1MDcyLCJhdF9oYXNoIjoid3p4LTQtRlhFNnJOSkQ1ZjI3M1BTUSIsInNpZCI6ImM2ZWVjZTg4NmQ1NGFhZTY2YmYxOWYwNDk4NTljMjhiIiwic3ViIjoiNWQ3Nzk2NWItZTg3NC00NWUxLWJiMWYtMDhhNmVhZjJlNzczIiwiYXV0aF90aW1lIjoxNTU1NjkxNTQ0LCJpZHAiOiJsb2NhbCIsImFtciI6WyJwd2QiXX0.fBdgtLfWwnlLoi-T21c2VP2Wqt2fHo6l3eV_FKiXpyqrpdzAxqxOintXec-SJK1LwChMdy966xCFlVYp6jm5XwTfTPBPshNYeBPx9O0QOA0JYL33LvMGmgl4igV_wTscIPq6qnBpd75nagSvWT-IZgByxSygmh-JIuBQVqJPOpneoZCtLaeaVIyNzxLbCozc_pEc-kVqHGRbYEmDxU5mGdCdaKjAi0dCfJ3D3mDN8joQfwtK8PEuCKa5CPMgymkRAEJpfTY39DklLurUNyBKA9fJ6J95ys1dF3McgqEwdOZv37s2IialwpeYXOsFPlwpOh9_cvV5dS2wDav9H56pqA",
"session_state": "UCh5OQis7ikprYhHbUpjeS0GVMQ4S8XD2OrzA0Am4wU.0bd43c3337b6dc18bc7e7020f1f6ecb8",
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhhZjhkODA0ZGNlNWI3NjZjODZlZTJmZjRhYzY4YWMwIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTU3MjUwNzIsImV4cCI6MTU1NTcyODY3MiwiaXNzIjoiaHR0cHM6Ly9wcm9kc3RzLmJvb21lcmFuZ2RtLmNvbTo0MjUyIiwiYXVkIjpbImh0dHBzOi8vcHJvZHN0cy5ib29tZXJhbmdkbS5jb206NDI1Mi9yZXNvdXJjZXMiLCJCb29tZXJhbmdETS1BUEktUHJvZCJdLCJjbGllbnRfaWQiOiJCb29tZXJhbmdETS1TVFMtUHJvZCIsInN1YiI6IjVkNzc5NjViLWU4NzQtNDVlMS1iYjFmLTA4YTZlYWYyZTc3MyIsImF1dGhfdGltZSI6MTU1NTY5MTU0NCwiaWRwIjoibG9jYWwiLCJBc3BOZXQuSWRlbnRpdHkuU2VjdXJpdHlTdGFtcCI6IkgyR1BFV0tBSFZZVlFNNkhHT1dYQVVITVVaUFJNTjVHIiwiQm9vbWVyYW5nSWQiOiIxMjY3OSIsInJvbGUiOiJTdWJzY3JpYmVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiRXJpY1NlbGxzVmVnYXNMaXN0aW5ncy5Db20iLCJuYW1lIjoiRXJpY1NlbGxzVmVnYXNMaXN0aW5ncy5Db20iLCJlbWFpbCI6IkVyaWNTZWxsc1ZlZ2FzTGlzdGluZ3NAR21haWwuQ29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJzY29wZSI6WyJvcGVuaWQiLCJwcm9maWxlIiwiQm9vbWVyYW5nRE0tQVBJLVByb2QiXSwiYW1yIjpbInB3ZCJdfQ.sA0ST_9pka0jqlG7P1gAguGUm2mQ--swVP7cRJ9vC6eFYhW1bkQXEkdF0NkA9Ks0olOkERlwqN6etLfO7rB01RtugDOLzcr9OJgw7ScgaGDlS7oVH0R_ElEXLoE9iPqUfH2fQpV-CtIyGBC3Ceapvv0OqZUZgGkpZR_bRTUfOKCGdfSa1syESeoW5-JhL_8-AhLBRjH8jILMk5iUAkGgPkMtvRp3qudvhpLmp1Ya_l9-QO192P3bMifrqj7ABCzjucffiuNrApalWTCv_K7HbdMXWMwuF6mGjLO75GwsGMMHl7vAl6sGu7N1HaWRRTVViQb_YiwxgqJhlJ1zRxvQnQ",
"token_type": "Bearer",
"scope": "openid profile example-API-Prod",
"profile": {
"sid": "c6eece886d54aae66bf19f049859c28b",
"sub": "5d77965b-e874-45e1-bb1f-08a6eaf2e773",
"auth_time": 1555691544,
"idp": "local",
"amr": [
"pwd"
],
"AspNet.Identity.SecurityStamp": "H2GPEWKAHVYVQM6HGOWXAUHMUZPRMN5G",
"ExampleId": "12679",
},
"expires_at": 1555728667
}
},
"_prefix": "oidc."
},
答案 0 :(得分:2)
我认为您一定会在ClockSkew上遇到问题:
clockSkew: 60*60*24*365*100, // Effectively disable clock skew
时钟偏斜的值应在令牌到期后的几分钟内,因为它仅用于说明异步时钟。
当您拥有一个具有两个小时的生命周期和100年的时滞的访问令牌时,您会期望什么?用户应该经过多长时间的认证?
我可以想象在令牌到期后的某个时候令牌会被拒绝。
您应该将时钟偏移设置为五分钟(默认)或更短时间,并且可能使用refresh tokens。