Identity Server Refresh Token Resource Owner Password Credential Flow
Question
I'm using IdentityServer to control access to an API. I have a separate authentication API which issues the tokens and validates access requests to secure APIs.
I give users the ability to generate an access token through a secure web application. I am using the resource owner password credential flow.
Is there a way I can issue a refresh token without the user having to log in and request it? Or is there a way I can set the expiration of the initial access token?
Code
This is the code I'm using to generate tokens.
using IdentityModel.Client;

// Read the token endpoint from the IdentityServer discovery document
DiscoveryResponse disco = await DiscoveryClient.GetAsync("http://localhost:27144");
// Client credentials registered on the IdentityServer side
TokenClient tokenClient = new TokenClient(disco.TokenEndpoint, "My Client", "MySecret");
// Resource owner password grant: exchange the user's credentials for an access token
TokenResponse tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync("testUser", "testPassword");
Accepted answer
Yes, this can be accomplished with Refresh Tokens.
- Set AllowOfflineAccess = true on the client config
- Include offline_access in the scope on the initial token request
The token response will now include a RefreshToken in addition to the AccessToken. Return the AccessToken to the client and hold on to the RefreshToken.
When a new AccessToken is needed, request one using the RequestRefreshTokenAsync method on TokenClient. The name is confusing - you are actually requesting a new AccessToken FROM the RefreshToken.
TokenResponse refreshTokenResponse = await tokenClient.RequestRefreshTokenAsync("RefreshTokenGoesHere");
There are two ways to manage the RefreshToken expiration. This is controlled by the RefreshTokenExpiration property:
- Sliding expiration
- Absolute expiration
If sliding expiration is set, the refresh token lifetime will renew after each refresh.
There's also a RefreshTokenUsage property, which determines if a token can be reused or is one-use only. If set to one-use only with sliding expiration, you'll simply get a new RefreshToken to hold on to on each request.
For expiration timing, there's SlidingRefreshTokenLifetime and AbsoluteRefreshTokenLifetime. Both can be used simultaneously. For example, if sliding refresh tokens were enabled, the sliding expiration could be 30 days while the absolute expiration could be 1 year. This would allow the user 30 days of inactivity before needing to log in again, but if the user stays active, 1 year of login-free use.
It's important to note in all cases the RefreshToken should never be returned to the user - only the access token should. You'll need some data storage mechanism to hold on to the refresh tokens and their expiration dates.
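As an added example that is not part of the answer above, here is a client definition carrying the settings the answer names, beside a small broker on the web-application side that keeps the refresh token server-side and returns only access tokens. It assumes IdentityServer4's Client model and the same IdentityModel TokenClient API the question uses; the scope "api1", the TokenBroker class and the lifetimes are made-up values.

```csharp
// Added example (not the poster's code); assumes IdentityServer4 and the IdentityModel TokenClient API.
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;

public static class Clients
{
    public static Client ApiTokenBroker => new Client
    {
        ClientId = "My Client",
        ClientSecrets = { new Secret("MySecret".Sha256()) },
        AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
        AllowedScopes = { "api1" },                     // made-up API scope
        AccessTokenLifetime = 3600,                     // initial access token lives 1 hour
        AllowOfflineAccess = true,                      // lets the client request offline_access
        RefreshTokenUsage = TokenUsage.OneTimeOnly,     // every refresh rotates the refresh token
        RefreshTokenExpiration = TokenExpiration.Sliding,
        SlidingRefreshTokenLifetime = 30 * 24 * 3600,   // 30 days of inactivity, then log in again
        AbsoluteRefreshTokenLifetime = 365 * 24 * 3600  // hard stop after 1 year regardless of activity
    };
}
// Web-application side: keeps refresh tokens server-side and only ever hands out access tokens.
public class TokenBroker
{
    private readonly TokenClient _tokenClient;
    private readonly ConcurrentDictionary<string, string> _refreshTokens = new ConcurrentDictionary<string, string>();
    public TokenBroker(TokenClient tokenClient) => _tokenClient = tokenClient;
    public async Task<string> LoginAsync(string user, string password)
    {
        // offline_access in the scope is what makes the response carry a RefreshToken
        var response = await _tokenClient.RequestResourceOwnerPasswordAsync(user, password, "api1 offline_access");
        if (response.IsError) throw new InvalidOperationException(response.Error);
        _refreshTokens[user] = response.RefreshToken;   // stored here, never returned to the browser
        return response.AccessToken;
    }
    public async Task<string> RenewAsync(string user)
    {
        if (!_refreshTokens.TryGetValue(user, out var refreshToken))
            throw new InvalidOperationException("no refresh token on file; user must log in again");
        var response = await _tokenClient.RequestRefreshTokenAsync(refreshToken);
        if (response.IsError) { _refreshTokens.TryRemove(user, out _); throw new InvalidOperationException(response.Error); }
        _refreshTokens[user] = response.RefreshToken;   // OneTimeOnly: keep the rotated token
        return response.AccessToken;
    }
}
```

The in-memory dictionary stands in for the persistent store the answer calls for; a real store should also record each refresh token's expiry date so expired entries can be cleared without a failed refresh round-trip.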