有关授权令牌的信息存储在ASP.NET WEB API服务器上？ [英] Where is the information about the authorization token stored on the ASP.NET WEB API server?

问题描述

在用户注册后，在我的Web Api 2 Identity 2应用程序中，我在单个表中有一条记录：AspNetUsers。我使用以下http请求获取令牌：

In my Web Api 2 Identity 2 application after user registration I have a single record in single table: AspNetUsers. I use the following http request to get token:

POST https://localhost:44304/Token HTTP/1.1
Accept: application/json
Content-type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Content-Length: 68
Host: localhost:44304
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

grant_type=password&username=somemail@gmail.com&password=123456

我得到了带有access_token的响应：

and I get the response with access_token:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 695
Content-Type: application/json;charset=UTF-8
Expires: -1
Server: Microsoft-IIS/8.0
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcU2VyZ2V5XERvY3VtZW50c1xWaXN1YWwgU3R1ZGlvIDIwMTNcUHJvamVjdHNcbXZjX3dlYmFwaVxXZWJBcHBsaWNhdGlvblxXZWJBcHBsaWNhdGlvblxUb2tlbg==?=
X-Powered-By: ASP.NET
Date: Tue, 25 Nov 2014 17:40:07 GMT

{"access_token":"gsvW23e1...}

获得令牌后，没有人添加任何记录数据库。在表AspNetUsers中仍然只有一条记录。数据库中的任何表中都没有存储有关已发行令牌的信息。

After I have got the token no one record is added to the database. Still there is just single record in the table AspNetUsers. No information about the issued token is stored in any table in the database.

我在Web api控制器中使用以下代码来验证用户身份：

I use the following code in web api controller to authenticate user:

var currentUser = manager.FindById(User.Identity.GetUserId());
if (currentUser == null)
{
    HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
    return ResponseMessage(response);
}

之后，我执行密码更改并尝试使用以下方法调用某些Web api控制器方法旧的access_token（我在更改密码之前得到的）和access_token仍然有效！ currentUser不为null！
我已经阅读了stackoverflow上的另一个线程
ASP.Net身份注销所有会话
ASP.Net身份注销
和博客文章
https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/
，但我仍然不了解有关已发行令牌的信息在哪里被储存了。
所以我的问题是：
1）服务器上存储的关于access_token的信息在哪里？
2）为什么在更改密码后我仍然可以使用更改密码之前服务器发出的access_token？
3）如何使所有在更改密码之前发出的access_token无效？

After that I perform password change and trying to call some web api controller method using the old access_token (which I got before password change) and the access_token is still valid! The currentUser is not null! I have read another threads on stackoverflow ASP.Net Identity sign-out all sessions ASP.Net Identity Logout and blogpost https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/ but I still don't understand where the information about the issued tokens is stored. So my questions are: 1) Where is the information about the access_token stored on the server? 2) Why after password change I can still use the access_token which is issued by the server before the password change? 3) How to invalidate all the access_token issued before password change?

推荐答案

1）令牌未存储在数据库或本地存储。这意味着令牌没有存储在服务器中的任何位置。

1) Tokens are not stored anywhere in the database or local storage. That means tokens are not storing anywhere in the server.

2）实际上，密码重置令牌是使用SecurityStamp生成的，并针对用户的SecurityStamp进行验证。除非您没有设置该用户的过期时间或更新其SecurityStamp，否则令牌不会过期。

2) Actually, password reset tokens are generated using the SecurityStamp and validating against the SecurityStamp of the user. Tokens are not expire unless you haven't set up expire time or updated SecurityStamp of that user.

可以在身份配置类的userManager属性上设置过期时间。以下示例显示令牌寿命为1小时。检查此文章。

Expire time can be set on userManager properties on your identity configuration class. Following example shows token lifetime with 1 hour. Check this article.

 if (dataProtectionProvider != null)
 {
    manager.UserTokenProvider =
       new DataProtectorTokenProvider<ApplicationUser>
          (dataProtectionProvider.Create("ASP.NET Identity"))
          {                    
             TokenLifespan = TimeSpan.FromHours(1)
          };
 }

您可以使用自己的机制来检查以前使用过的令牌。

You can use your own mechanism to check token's have previously used.

3）更新SecurityStamp。这将使为该用户发行的所有令牌（包括cookie）也无效。最好使用您自己的想法来制作过期的密码重置令牌。

3) Update the SecurityStamp. This will invalidate all tokens issued for that user, including cookies as well. It would be better to use your own idea to make expire password reset tokens.

作为示例，您可以使用另一列在数据库中存储任何生成的密码重置令牌并进行验证（可能有更好的方法）。

As a example you could use another column to store any generated password reset tokens in database and validate it (There may be better way to do it).

请记住，登录access_token生成的方式不同，并且它具有您在Owin启动承载令牌中设置的过期时间。

Keep in mind that the login access_token generated differently and it has expire time which you have set in Owin startup bearer token expire time.

希望这会有所帮助。

这篇关于有关授权令牌的信息存储在ASP.NET WEB API服务器上？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！