Oauth2 Implicit Flow使用单页面应用程序刷新访问令牌 [英] Oauth2 Implicit Flow with single-page-app refreshing access tokens
问题描述
我正在使用Thinktecture AuthorizationServer(AS)并且它运行良好。
I am using Thinktecture AuthorizationServer (AS) and it is working great.
我想编写一个原生的javascript单页应用程序,它可以直接调用WebAPI,但是隐式流程不提供刷新令牌。
I would like to write a native javascript single page app which can call a WebAPI directly, however implicit flow does not provide a refresh token.
如果进行了AJAX调用,如果令牌已过期,API将向登录页面发送重定向,因为数据正在使用动态弹出窗口,这会打断用户。
If an AJAX call is made, if the token has expired the API will send a redirect to the login page, since the data is using dynamic popups it will this will interrupt the user.
Facebook或Stackoverflow如何做到这一点并仍允许页面上运行的javascript调用API?
How does Facebook or Stackoverflow do this and still allow the javascript running on the page to call the APIs?
建议的解决方案
以下情况听起来是否明智(假设可以这样做) iframes):
Does the below scenario sound sensible (assuming this can be done with iframes):
我的SPA将我引导到AS,我通过Implicit Flow获取一个令牌。在AS中,我单击允许读取数据范围,然后单击记住决定,然后允许按钮。
My SPA directs me to the AS and I obtain a token by Implicit Flow. Within AS I click allow Read data scope, and click Remember decision, then Allow button.
因为我点击了AS,因为我点击了记住决定按钮,一个新的令牌自动传回,我无需登录(我可以看到FedAuth cookie,它记住了我的决定,并相信这使得它能够正常工作)。
Since I have clicked Remember decision button, whenever I hit AS for a token, a new token is passed back automatically without me needing to sign in ( I can see FedAuth cookie which is remembering my decision and believe this is enabling this to just work).
使用我的SPA(不受信任的应用程序),我没有刷新令牌只有一个访问令牌。所以相反我:
With my SPA (untrusted app), I don't have a refresh-token only an access token. So instead I:
- 确保用户已登录并点击记住决定(否则iframe无效)
- 调用WebAPI,如果401响应尝试通过以下步骤获取新令牌...
- 在页面上有一个隐藏的iframe,我将设置URL以获取新的来自授权服务器的访问令牌。
- 从iframe的哈希片段中获取新令牌,然后将其存储在SPA中,并用于所有未来的WebAPI请求。
- Ensure user has logged in and clicked remember decision (otherwise iframe wont work)
- Call WebAPI, if 401 response try and get a new token by the below steps...
- Have a hidden iframe on the page, which I will set the URL to get a new access-token from the Authorisation Server.
- Get the new token from the iframe's hash-fragment, then store this in the SPA and use for all future WebAPI requests.
如果FedAuth cookie被盗,我想我仍然会遇到麻烦。
I guess I would still be in trouble if the FedAuth cookie is stolen.
任何标准或针对上述情况的推荐方法?
Any standard or recommended way for the above scenario?
推荐答案
在Google o-Auth中,访问令牌仅在1小时内有效,因此你需要在每个小时以编程方式更新你的访问令牌,简单的你可以创建web api这样做,你需要有一个刷新令牌,而且刷新令牌也不会过期,使用c#代码,我已经完成了是。
In Google o-Auth , the access token will only be valid for 1 hour, so you need to programmatically update your access token in each one hour, simple you can create web api to do so,you need to have a refresh token, and also that refresh token will not be expired , using c# code, I have done this.
if (dateTimeDiff > 55)
{
var request = (HttpWebRequest)WebRequest.Create("https://www.googleapis.com/oauth2/v3/token");
var postData = "refresh_token=your refresh token";
postData += "&client_id=your client id";
postData += "&client_secret=your client secrent";
postData += "&grant_type=refresh_token";
var data = Encoding.ASCII.GetBytes(postData);
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = data.Length;
request.UseDefaultCredentials = true;
using (var stream = request.GetRequestStream())
{
stream.Write(data, 0, data.Length);
}
var response = (HttpWebResponse)request.GetResponse();
string responseString = new StreamReader(response.GetResponseStream()).ReadToEnd();
}
您需要保存访问的上次更新日期时间某处(例如在数据库中)令牌,这样,无论何时你必须发出请求,所以你可以用当前日期时间减去它,如果它超过60分钟,你需要调用webapi来获取新令牌。
you need to save the last updated date time of the access token somewhere(say in database), so that , whenever you have to make a request , so you can subtract that with current date time , if it is more than 60 minutes , you need to call the webapi to get new token .
这篇关于Oauth2 Implicit Flow使用单页面应用程序刷新访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
