Where is the information about the authorization token stored on the ASP.NET WEB API server?


Question

In my Web Api 2 / Identity 2 application, after user registration I have a single record in a single table: AspNetUsers. I use the following HTTP request to get a token:

POST https://localhost:44304/Token HTTP/1.1
Accept: application/json
Content-type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Content-Length: 68
Host: localhost:44304
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

grant_type=password&username=somemail@gmail.com&password=123456

and I get the response with an access_token:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 695
Content-Type: application/json;charset=UTF-8
Expires: -1
Server: Microsoft-IIS/8.0
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcU2VyZ2V5XERvY3VtZW50c1xWaXN1YWwgU3R1ZGlvIDIwMTNcUHJvamVjdHNcbXZjX3dlYmFwaVxXZWJBcHBsaWNhdGlvblxXZWJBcHBsaWNhdGlvblxUb2tlbg==?=
X-Powered-By: ASP.NET
Date: Tue, 25 Nov 2014 17:40:07 GMT

{"access_token":"gsvW23e1...}

After I have got the token, no record is added to the database. There is still just a single record in the table AspNetUsers. No information about the issued token is stored in any table in the database.

I use the following code in a Web API controller to authenticate the user:

// Look up the caller from the user id carried in the authenticated identity
var currentUser = manager.FindById(User.Identity.GetUserId());
if (currentUser == null)
{
    HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
    return ResponseMessage(response);
}

After that I perform a password change and try to call some Web API controller method using the old access_token (which I got before the password change), and the access_token is still valid! The currentUser is not null! I have read other threads on Stack Overflow (ASP.Net Identity sign-out all sessions, ASP.Net Identity Logout) and the blog post https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/ but I still don't understand where the information about the issued tokens is stored. So my questions are:

1) Where is the information about the access_token stored on the server?
2) Why, after the password change, can I still use the access_token which was issued by the server before the password change?
3) How to invalidate all the access_tokens issued before the password change?

Recommended answer

1) Tokens are not stored anywhere in the database or in local storage. That means tokens are not stored anywhere on the server.

2) Actually, password reset tokens are generated using the SecurityStamp and validated against the SecurityStamp of the user. Tokens do not expire unless you have set an expiry time or updated the SecurityStamp of that user.

The expiry time can be set on the userManager properties in your identity configuration class. The following example shows a token lifetime of 1 hour. Check this article.

 if (dataProtectionProvider != null)
 {
    // Provider for the user tokens (password reset, e-mail confirmation);
    // TokenLifespan bounds how long those tokens stay valid
    manager.UserTokenProvider =
       new DataProtectorTokenProvider<ApplicationUser>
          (dataProtectionProvider.Create("ASP.NET Identity"))
          {
             TokenLifespan = TimeSpan.FromHours(1)
          };
 }

You can use your own mechanism to check whether a token has previously been used.

3) Update the SecurityStamp. This will invalidate all tokens issued for that user, including cookies as well. It would be better to use your own idea to make password reset tokens expire.

As an example, you could use another column to store any generated password reset tokens in the database and validate them (there may be a better way to do it).

Keep in mind that the login access_token is generated differently and has the expiry time which you set in the Owin startup (the bearer token expire time).

Hope this helps.
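The answer above explains why no row appears: the OWIN OAuth bearer token is a self-contained AuthenticationTicket that the authorization server serializes, encrypts and MACs with the host's data protection provider (the machineKey under IIS), so validation on each request is purely cryptographic and never touches the database. That is also why the old token keeps working: ChangePasswordAsync in Identity 2 does rotate the user's SecurityStamp, but the bearer middleware never compares the stamp inside the ticket with the stored one. The following added example (editor's code, not the original poster's or the answerer's) closes that gap in a Web Api 2 / Identity 2 Startup: the token endpoint issues tickets that carry the "AspNet.Identity.SecurityStamp" claim the default ClaimsIdentityFactory already adds, and OAuthBearerAuthenticationProvider.OnValidateIdentity rejects any ticket whose stamp no longer matches. ApplicationUserManager and ApplicationUser are assumed to be the classes from the default project template, and the /Token path and 20-minute lifetime are assumptions chosen for the example.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Claim type the default ClaimsIdentityFactory uses for the security stamp.
    public const string StampClaimType = "AspNet.Identity.SecurityStamp";

    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed: ApplicationUserManager.Create comes from the default template.
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new StampCheckingOAuthProvider(),
            // This setting, not UserTokenProvider.TokenLifespan, bounds the bearer token.
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AllowInsecureHttp = false
        });

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                // Runs on every request that presents a decryptable bearer token.
                OnValidateIdentity = ValidateSecurityStampAsync
            }
        });
    }

    // Reject a cryptographically valid ticket whose embedded stamp is stale.
    private static async Task ValidateSecurityStampAsync(OAuthValidateIdentityContext context)
    {
        var identity = context.Ticket.Identity;
        var userId = identity.GetUserId();
        var stampInToken = identity.FindFirstValue(StampClaimType);
        if (userId == null || stampInToken == null)
        {
            context.Rejected();
            return;
        }

        var manager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var currentStamp = await manager.GetSecurityStampAsync(userId);
        if (!string.Equals(stampInToken, currentStamp, StringComparison.Ordinal))
        {
            // Password changed (or UpdateSecurityStampAsync was called) after issue.
            context.Rejected();
            return;
        }
        context.Validated();
    }
}

public class StampCheckingOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Resource-owner password grant; no client secret in this example.
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var manager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var user = await manager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // CreateIdentityAsync adds the stamp claim itself when the user store
        // implements IUserSecurityStampStore; it is added explicitly here so the
        // dependency of the per-request check on this claim is visible.
        var identity = await manager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        if (!identity.HasClaim(c => c.Type == Startup.StampClaimType))
        {
            identity.AddClaim(new Claim(Startup.StampClaimType, user.SecurityStamp));
        }
        context.Validated(identity);
    }
}
```

With this in place the scenario from the question behaves as expected: a token obtained before ChangePasswordAsync carries the old stamp and is rejected on the next call, and calling UpdateSecurityStampAsync(userId) from anywhere (an admin "sign out everywhere" action, for instance) revokes every outstanding bearer token for that user without any token table. The cost is one user-store read per authenticated request, which is the trade-off for keeping tokens stateless.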
