Identity Server Refresh Token Resource Owner Password Credential Flow


Problem description

I'm using IdentityServer to control access to an API. I have a separate authentication API which issues the tokens and validates access requests to secure APIs.

I give users the ability to generate an access token through a secure web application. I am using the resource owner password credential flow.

Is there a way I can issue a refresh token without the user having to log in and request it? Or is there a way I can set the expiration of the initial access token?

Code

This is the code I'm using to generate tokens.

// Requires the IdentityModel client library: using IdentityModel.Client;
// Discover the token endpoint, then request a token with the resource owner password grant.
DiscoveryResponse disco = await DiscoveryClient.GetAsync("http://localhost:27144");
TokenClient tokenClient = new TokenClient(disco.TokenEndpoint, "My Client", "MySecret");
TokenResponse tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync("testUser", "testPassword");

Recommended answer

Yes, this can be accomplished with Refresh Tokens.

  • Set AllowOfflineAccess = true on the client config
  • Include offline_access in the scope on the initial token request

The token response will now include a RefreshToken in addition to the AccessToken. Return the AccessToken to the client and hold on to the RefreshToken.

When a new AccessToken is needed, request one using the RequestRefreshTokenAsync method on TokenClient. The name is confusing - you are actually requesting a new AccessToken FROM the RefreshToken.

TokenResponse refreshTokenResponse = await tokenClient.RequestRefreshTokenAsync("RefreshTokenGoesHere");

There are two ways to manage the RefreshToken expiration. This is controlled by the RefreshTokenExpiration property:

  • Sliding expiration
  • Absolute expiration

If sliding expiration is set, the refresh token lifetime will renew after each refresh.

There's also a RefreshTokenUsage property, which determines if a token can be reused or is one-use only. If set to one-use only with sliding expiration, you'll simply get a new RefreshToken to hold on to on each request.

For expiration timing, there's SlidingRefreshTokenLifetime and AbsoluteRefreshTokenLifetime. Both can be used simultaneously. For example, if sliding refresh tokens were enabled, the sliding expiration could be 30 days while the absolute expiration could be 1 year. This would allow the user 30 days of inactivity before needing to log in again, but if the user stays active, 1 year of login-free use.

It's important to note in all cases the RefreshToken should never be returned to the user - only the access token should. You'll need some data storage mechanism to hold on to the refresh tokens and their expiration dates.
