How to invalidate OAuth token when password is changed?


Question

We use ASP.NET Identity in a Web Api project with SimpleAuthorizationServerProvider, and we use OAuth tokens to authorize each request coming from the client. (Tokens have an expiry timespan; we don't use refresh tokens.)

When users change their password, I would like to invalidate the tokens they may have, possibly on other devices. Is there any way to explicitly do that? I experimented and saw that the existing tokens work without any problem after a password change, which should be prevented.

I thought about putting the password hash, or part of the hash, in the OAuth token as a claim and validating that in the OnAuthorization method of our derived AuthorizeAttribute filter.
Would this be a correct way to solve the problem?

Answer

I do not recommend putting the hash of the password in as a claim, and I believe there is no direct way to invalidate a token when the password is changed.

But if you are OK with hitting the DB with each request sent from the client app to a protected API endpoint, then you need to store a token identifier (a Guid, maybe) for each token granted to the resource owner who requested it. Then you assign the token identifier as a custom claim for this token; after this you need to check this table with each request by looking up the token identifier and the user name of the resource owner.

Once the password is changed you delete the token identifier records for this resource owner (user), and the next time the token is sent from the client it will get rejected because the record for this token identifier and resource owner has been deleted.
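The scheme the answer describes, written out as an added example in C# for OWIN OAuth with ASP.NET Web API 2 (this is not code from the original post or from ASP.NET Identity). The names ITokenStore, InMemoryTokenStore, RevocableAuthorizeAttribute and the "token_id" claim name are this example's own; the in-memory dictionary stands in for the DB table the answer talks about, and the password check is injected as a delegate so the real UserManager call can be dropped in. The filter overrides IsAuthorized rather than OnAuthorization, because the base OnAuthorization calls IsAuthorized and turns a false return into the normal 401.

```csharp
// Added example, not code from the original post: per-token identifier stored
// server-side, issued as a claim, checked on every request, and deleted when the
// password changes. ITokenStore, InMemoryTokenStore, RevocableAuthorizeAttribute
// and "token_id" are this example's own names (assumptions, not ASP.NET Identity API).
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using Microsoft.Owin.Security.OAuth;

// One row per issued token: (token identifier, owning user name).
public interface ITokenStore
{
    void Add(Guid tokenId, string userName);
    bool IsValid(Guid tokenId, string userName);   // both columns must match
    void RevokeAll(string userName);               // run when the password changes
}

// Stand-in for the DB table; swap for an EF/Dapper implementation in a real project.
public sealed class InMemoryTokenStore : ITokenStore
{
    private readonly ConcurrentDictionary<Guid, string> _rows = new ConcurrentDictionary<Guid, string>();

    public void Add(Guid tokenId, string userName) { _rows[tokenId] = userName; }

    public bool IsValid(Guid tokenId, string userName)
    {
        string owner;
        // Matching the user name as well stops a token id being replayed under another identity.
        return _rows.TryGetValue(tokenId, out owner) && owner == userName;
    }

    public void RevokeAll(string userName)
    {
        foreach (var id in _rows.Where(r => r.Value == userName).Select(r => r.Key).ToList())
        {
            string removed;
            _rows.TryRemove(id, out removed);
        }
    }
}

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public const string TokenIdClaim = "token_id";
    private readonly ITokenStore _tokens;
    private readonly Func<string, string, Task<bool>> _checkPassword;

    // checkPassword wraps the real credential check, e.g. UserManager.FindAsync(user, pwd) != null.
    public SimpleAuthorizationServerProvider(ITokenStore tokens, Func<string, string, Task<bool>> checkPassword)
    {
        _tokens = tokens;
        _checkPassword = checkPassword;
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // public client: no client secret in this example
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!await _checkPassword(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Fresh identifier per token, persisted with its owner before the token is issued.
        var tokenId = Guid.NewGuid();
        _tokens.Add(tokenId, context.UserName);

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim(TokenIdClaim, tokenId.ToString()));
        context.Validated(identity);
    }
}

// Use in place of [Authorize] on protected controllers.
public class RevocableAuthorizeAttribute : AuthorizeAttribute
{
    // Attributes cannot take constructor-injected services, so the store is assigned once at startup.
    public static ITokenStore Tokens;

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (!base.IsAuthorized(actionContext)) return false;   // signature, expiry, roles/users

        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        var idClaim = principal == null ? null : principal.FindFirst(SimpleAuthorizationServerProvider.TokenIdClaim);
        Guid tokenId;
        // A token whose row was deleted (or whose id belongs to another user) is rejected with 401.
        return idClaim != null
            && Guid.TryParse(idClaim.Value, out tokenId)
            && Tokens.IsValid(tokenId, principal.Identity.Name);
    }
}
```

In the password-change action, call `RevocableAuthorizeAttribute.Tokens.RevokeAll(User.Identity.Name)` only after `UserManager.ChangePasswordAsync` reports success; this also revokes the token used for the change request itself, so the client has to sign in again or the action should issue it a new token. Because the base filter still enforces the expiry claim, rows for expired tokens can be purged from the table on a schedule; and since every protected request costs one lookup, the table should be indexed on the token identifier (the cost the answer warns about).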
