How to close activated sessions and force a user to re-enter his credentials in IdentityServer 4?

Question

One user can log in through multiple systems with various IP addresses, so is there any way to deactivate one of his sessions (or all other sessions except the currently logged-in one)? If yes, how? The thing I want to do is exactly like Telegram, where you are able to close any of your active sessions.

Recommended answer

The question is not new here; it appears a couple of times a month in different interpretations, and the answer is still: there is no such feature out of the box, but there are a couple of approaches:

The first one is to use reference tokens (instead of the default JWT), then look through the persisted grants database and log out all the sessions for the target userId.

The other approach is to implement your custom session store based on a database (instead of the cookie-based one by default). Then you again have access to all the clients logged in with the given user id. Here is my old (but still valid) example of a hybrid (cookie + IDistributedCache such as REDIS) extension for the DefaultUserSession. Here you have to be careful with the access token lifetime (make it reasonably short), as a JWT, once issued, cannot be invalidated before its normal expiration.
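The first approach from the answer above, worked through as an added example (this is not code from the answer's author or from the IdentityServer4 project). It assumes IdentityServer4 4.x, where every persisted grant carries the IdentityServer session id (`sid`), so grants can be grouped per login session; on 3.x there is no `SessionId` on grants and you would have to filter by `ClientId` instead. The client id `spa`, the redirect URI, the `SessionRevocationService` class and the `account/sessions` route are hypothetical names chosen for the example; `IPersistedGrantStore`, `PersistedGrantFilter`, `IUserSession` and `GetSubjectId()` are the real IdentityServer4 types.

```csharp
// Added example, not part of the original answer: revoking a user's other
// IdentityServer4 sessions through the persisted grant store.
// Assumes IdentityServer4 4.x (grants carry SessionId). Names marked
// "hypothetical" are invented for the example.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.Stores;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// 1. Client configuration. A reference token is only a handle stored as a
//    persisted grant, so deleting the grant makes the token fail its next
//    introspection. With the default AccessTokenType.Jwt nothing is stored
//    server side, and the token stays valid until it expires.
public static class Clients
{
    public static IEnumerable<Client> Get() => new[]
    {
        new Client
        {
            ClientId = "spa",                                   // hypothetical
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            AccessTokenType = AccessTokenType.Reference,
            AccessTokenLifetime = 300,                          // short: the API may cache introspection results
            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
            AllowedScopes = { "openid", "profile", "api" },
            RedirectUris = { "https://spa.example/callback" }, // hypothetical
        }
    };
}

// 2. Revocation logic (hypothetical service): list the subject's sessions
//    from the grant store and delete every grant not belonging to the
//    caller's own session.
public class SessionRevocationService
{
    private readonly IPersistedGrantStore _grants;
    public SessionRevocationService(IPersistedGrantStore grants) => _grants = grants;

    // One entry per IdentityServer session id that still holds live grants.
    public async Task<IReadOnlyList<(string SessionId, string ClientId, DateTime Created)>> ListSessionsAsync(string subjectId)
    {
        var all = await _grants.GetAllAsync(new PersistedGrantFilter { SubjectId = subjectId });
        return all
            .Where(g => g.SessionId != null && g.ConsumedTime == null)
            .GroupBy(g => g.SessionId)
            .Select(grp => (grp.Key, grp.First().ClientId, grp.Min(g => g.CreationTime)))
            .ToList();
    }

    // Removes the reference tokens and refresh tokens of one session. Bearer
    // tokens of that session fail introspection afterwards and cannot be refreshed.
    public Task RevokeSessionAsync(string subjectId, string sessionId) =>
        _grants.RemoveAllAsync(new PersistedGrantFilter { SubjectId = subjectId, SessionId = sessionId });

    // Telegram-style "terminate all other sessions".
    public async Task RevokeOtherSessionsAsync(string subjectId, string currentSessionId)
    {
        foreach (var s in await ListSessionsAsync(subjectId))
            if (s.SessionId != currentSessionId)
                await RevokeSessionAsync(subjectId, s.SessionId);
    }
}

// 3. Endpoint on the IdentityServer host for the logged-in user (hypothetical route).
[Authorize]
[Route("account/sessions")]
public class SessionsController : Controller
{
    private readonly SessionRevocationService _svc;
    private readonly IUserSession _userSession;

    public SessionsController(SessionRevocationService svc, IUserSession userSession)
    {
        _svc = svc;
        _userSession = userSession;
    }

    [HttpGet]
    public async Task<IActionResult> List() =>
        Ok(await _svc.ListSessionsAsync(User.GetSubjectId()));

    [HttpPost("revoke-others")]
    public async Task<IActionResult> RevokeOthers()
    {
        // The caller's own sid comes from the IdentityServer authentication cookie.
        var currentSid = await _userSession.GetSessionIdAsync();
        await _svc.RevokeOtherSessionsAsync(User.GetSubjectId(), currentSid);
        return NoContent();
    }
}
```

Register `SessionRevocationService` in DI next to `AddIdentityServer().AddOperationalStore(...)` (or whatever `IPersistedGrantStore` implementation you use). Two caveats a practitioner should check: first, the revocation only bites when the API introspects the token, so any introspection caching on the API side extends the window; second, this deletes tokens but leaves the other session's IdentityServer authentication cookie intact, so that browser still gets silent SSO on its next authorize request. Forcing the user to re-enter credentials there needs the answer's second approach (a server-side session store behind `IUserSession`), or a correspondingly short cookie lifetime.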
