IdentityServer4 - Refresh Tokens Hybrid Flow - Cookies and storage


Problem description

I've followed the Quickstart Hybrid Flow here, but I need some help and advice about saving tokens after using the refresh token.

If I set it to true, the option SaveTokens allows saving the tokens in cookies.

Firstly, is it a good idea to store access and refresh tokens in a cookie (concerns about security)?

Other question: I correctly retrieve the refresh token via the code `var refreshToken = await HttpContext.GetTokenAsync("refresh_token");`, but now, when I get the new access token, how can I store it (there is no SetTokenAsync method)? Because without that, I retrieve the old access token when I call `var accessToken = await HttpContext.GetTokenAsync("access_token");`, whereas I would like to get the new one.

Thanks

Solution

From the documentation:

Interactive clients should use an authorization code-based flow. To protect against code substitution, either hybrid flow or PKCE should be used.

Thus the combination of PKCE and hybrid flow is not necessary and probably not useful.

If PKCE is available, this is the simpler solution to the problem.

PKCE is already the official recommendation for native applications and SPAs, and with the release of ASP.NET Core 3 it is also supported by default in the OpenID Connect handler.

So instead of using the hybrid flow, configure it as an interactive ASP.NET Core MVC client.

new Client
{
    ClientId = "mvc",
    ClientSecrets = { new Secret("secret".Sha256()) },

    AllowedGrantTypes = GrantTypes.Code,
    RequireConsent = false,
    RequirePkce = true,

    // where to redirect to after login
    RedirectUris = { "http://localhost:5002/signin-oidc" },

    // where to redirect to after logout
    PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },

    AllowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile
    }
}

Where the mvc client has the expected configuration:

.AddOpenIdConnect("oidc", options =>
{
    options.Authority = "http://localhost:5000";
    options.RequireHttpsMetadata = false;

    options.ClientId = "mvc";
    options.ClientSecret = "secret";
    options.ResponseType = "code";

    options.SaveTokens = true;
});

I can also recommend this post from Brock Allen. It may answer your question about cookies. You can also check Dominick Baier's post.

For information on how to use the refresh token please read my answer here.
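The answer above points elsewhere for the actual refresh-and-store step, which is the part of the question that was left open: with `SaveTokens = true` the OpenID Connect handler stores `access_token`, `refresh_token` and `expires_at` inside the authentication cookie's `AuthenticationProperties`, and the way to "set" a new value is to read those properties with `AuthenticateAsync`, replace the entries with `UpdateTokenValue`, and re-issue the cookie with `SignInAsync`. The following is an added example, not code from the question, the answer or the IdentityServer4 quickstarts. It assumes the client settings shown in the answer (authority `http://localhost:5000`, client id `mvc`, secret `secret`, cookie scheme `Cookies`), the IdentityModel NuGet package for the token-endpoint call, and that the client actually receives a refresh token, which in IdentityServer4 additionally requires `AllowOfflineAccess = true` on the client and the `offline_access` scope in the client's scope request; the answer's client definition as written does not include either.

```csharp
// Added example (not from the original question or answer): refresh the access token with
// the refresh token stored in the authentication cookie and write the new tokens back into
// that cookie. Assumed values: authority http://localhost:5000, ClientId "mvc",
// ClientSecret "secret", cookie scheme "Cookies" (CookieAuthenticationDefaults).
using System;
using System.Globalization;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

public class TokenRefresher
{
    private const string Authority = "http://localhost:5000"; // assumed, matches the answer
    private const string ClientId = "mvc";                     // assumed, matches the answer
    private const string ClientSecret = "secret";              // assumed, matches the answer

    private readonly IHttpClientFactory _httpClientFactory;

    public TokenRefresher(IHttpClientFactory httpClientFactory)
    {
        _httpClientFactory = httpClientFactory;
    }

    // Returns an access token that is valid for at least 'skew' more time, refreshing it
    // (and re-issuing the cookie with the new values) when necessary.
    // Returns null when the user is not signed in, no refresh token is stored, or the
    // refresh fails; the caller should then challenge the user to log in again.
    public async Task<string> GetValidAccessTokenAsync(HttpContext httpContext, TimeSpan? skew = null)
    {
        // AuthenticateAsync gives us the principal and the AuthenticationProperties that
        // SaveTokens = true populated; GetTokenAsync reads the same properties read-only.
        var auth = await httpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        if (!auth.Succeeded || auth.Properties == null)
            return null;

        var properties = auth.Properties;
        var accessToken = properties.GetTokenValue("access_token");
        var refreshToken = properties.GetTokenValue("refresh_token");
        var expiresAtText = properties.GetTokenValue("expires_at");

        // The OIDC handler stores "expires_at" as a round-trip ("o") ISO-8601 timestamp.
        var expiresAt = DateTimeOffset.MinValue;
        if (!string.IsNullOrEmpty(expiresAtText))
            expiresAt = DateTimeOffset.Parse(expiresAtText, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);

        // Still valid with margin: no network call, hand back the stored token.
        if (!string.IsNullOrEmpty(accessToken) && expiresAt - DateTimeOffset.UtcNow > (skew ?? TimeSpan.FromMinutes(1)))
            return accessToken;

        if (string.IsNullOrEmpty(refreshToken))
            return null;

        var client = _httpClientFactory.CreateClient();

        // Resolve the token endpoint from discovery instead of hard-coding it.
        var disco = await client.GetDiscoveryDocumentAsync(Authority);
        if (disco.IsError)
            return null;

        var response = await client.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = ClientId,
            ClientSecret = ClientSecret,
            RefreshToken = refreshToken
        });
        if (response.IsError)
            return null; // e.g. refresh token revoked, expired or already used (one-time use)

        // This is the missing "SetTokenAsync": UpdateTokenValue replaces the existing entry
        // in the properties; SignInAsync below serialises them into a fresh cookie.
        properties.UpdateTokenValue("access_token", response.AccessToken);

        // IdentityServer4 may rotate the refresh token (RefreshTokenUsage.OneTimeOnly);
        // keep the stored one only if no new one came back.
        if (!string.IsNullOrEmpty(response.RefreshToken))
            properties.UpdateTokenValue("refresh_token", response.RefreshToken);

        var newExpiresAt = DateTimeOffset.UtcNow.AddSeconds(response.ExpiresIn);
        properties.UpdateTokenValue("expires_at", newExpiresAt.ToString("o", CultureInfo.InvariantCulture));

        // Re-issue the cookie. Without this step GetTokenAsync("access_token") keeps
        // returning the old token on the next request.
        await httpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, auth.Principal, properties);

        return response.AccessToken;
    }
}
```

Two points on the cookie question, so the example is not misread as an endorsement of storing tokens anywhere: the authentication cookie is encrypted and signed by ASP.NET Core Data Protection, so the browser and any script in it cannot read the tokens out of it, but anyone holding the Data Protection keys (or a stolen cookie replayed against the MVC app) can use them, and every stored token enlarges the cookie sent with every request. If that is a concern, keep `SaveTokens` off, hold the tokens server-side keyed by session or `sub`, and put only a reference in the cookie. Register the class above with `services.AddHttpClient(); services.AddTransient<TokenRefresher>();` and call `GetValidAccessTokenAsync` right before each outbound API call instead of reading `access_token` directly.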
