Web API 2, OWIN Authentication, SignOut doesn't logout


Question

I'm doing some research for work with a view to using Bearer tokens as an authentication mechanism (i.e. AngularJS UI, authenticates via OWIN in a Web API [2] project).

I have the login working fine, role information and all that is fine, but I cannot get the token to logout.

My startup configuration is this:

OAuthOptions = new OAuthAuthorizationServerOptions() {
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AccessTokenExpireTimeSpan = SESSION_TIMEOUT,
    AllowInsecureHttp = true
};

And my Logout action is very simple:

public HttpResponseMessage Logout() {
    var authentication = HttpContext.Current.GetOwinContext().Authentication;
    authentication.SignOut(DefaultAuthenticationTypes.ExternalBearer);

    return new HttpResponseMessage(HttpStatusCode.OK);
}

I've left all the validation stuff out for brevity, but to confirm, I am using ExternalBearer when setting the token.

In my UI I'm storing the token in local storage (no cookies are involved here, which is a deliberate design decision). So I have a logout button on my UI, the Logout action is hit and the code runs fine.

However, if I subsequently hit an action on the API which requires authorisation, the request still goes through (i.e. the user is still authenticated even though they should have been signed out).

Either I'm missing something really obvious (wouldn't be the first time ;-) or there's something more fundamental going on here - finally I'm pinging @leastprivilege as I know this is their area.

Any help or insight would be gratefully received.

Only thing I can think of is that the token is stateless on the server/API side and hence can't be expired or signed out.

If that is the case I guess I could either:

a) Add a refresh token which creates a new token that expires in the past - would this even work? - actually cancel that, it would issue a new token ... the old one would still be valid

b) Store the bearer token in the database and check each time, removing the token on logout (naturally salted, hashed, etc). However this is just bringing us back to having a stateful server.

c) I can (and will) be removing the token from local storage when someone explicitly logs out, however the token is still technically valid if a baddy can intercept the token. Naturally all the above will be over SSL anyway, which should inhibit the bad guys/girls.

d) Perhaps this is why lots of people are storing the Bearer token in a cookie (as a storage mechanism), so once you logout at least the cookie will be removed on the next refresh.

Sorry, the above is a bit of a brain dump, just trying to pre-empt any questions.

Answer

Since OAuth is not an authentication protocol, there is no notion of signout. Delete the access token on the client - that's all you can do.

If you want to invalidate the token on the server side, add a unique id to it and keep track in your service - you would need to manually build something like that.
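The following is an added example of the server-side scheme the answer sketches, written for the question's OWIN / Web API 2 setup; it is not code from the question, the answer or the Katana project. Each issued token gets a unique id (a "jti" claim sealed inside the protected ticket), logout records that id in a revocation list, and a custom OAuthBearerAuthenticationProvider rejects any token whose id is on the list. SignOut on its own never reaches the bearer middleware, which has no response-side state to revoke, so a hook like this is the only place a logout can take effect. The block assumes the question's ApplicationOAuthProvider (with the string constructor its Startup shows), PublicClientId and SESSION_TIMEOUT; the values assigned to the latter two, and the names RevokedTokenStore, JtiIssuingOAuthProvider, JtiCheckingBearerProvider and the api/Account/Logout route, are assumptions made for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Added example, not the page's code. Names below are hypothetical.

// 1. Revocation list keyed by token id. Each entry keeps the last moment the token could
//    still pass the middleware's own expiry check, so the list is bounded by the number of
//    live tokens. In-process only: for more than one API node put a shared cache (Redis,
//    SQL) behind these two methods.
public static class RevokedTokenStore
{
    private static readonly ConcurrentDictionary<string, DateTimeOffset> Revoked =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public static void Revoke(string jti, DateTimeOffset keepUntilUtc)
    {
        Revoked[jti] = keepUntilUtc;
        // Drop entries whose token has meanwhile expired on its own.
        var now = DateTimeOffset.UtcNow;
        foreach (var dead in Revoked.Where(kv => kv.Value <= now).Select(kv => kv.Key).ToList())
        {
            DateTimeOffset ignored;
            Revoked.TryRemove(dead, out ignored);
        }
    }

    public static bool IsRevoked(string jti)
    {
        DateTimeOffset keepUntilUtc;
        return Revoked.TryGetValue(jti, out keepUntilUtc) && keepUntilUtc > DateTimeOffset.UtcNow;
    }
}

// 2. Issue side: wrap the question's ApplicationOAuthProvider (assumed to exist with a
//    string constructor) and stamp a random id onto every identity it validates. The claim
//    travels inside the data-protected ticket, so the client cannot strip or forge it.
public class JtiIssuingOAuthProvider : ApplicationOAuthProvider
{
    public const string JtiClaim = "jti";

    public JtiIssuingOAuthProvider(string publicClientId) : base(publicClientId) { }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        await base.GrantResourceOwnerCredentials(context); // the existing credential check and claims
        if (context.IsValidated)
        {
            context.Ticket.Identity.AddClaim(new Claim(JtiClaim, Guid.NewGuid().ToString("N")));
        }
    }
}

// 3. Bearer side: runs on every request after the middleware has unprotected the ticket and
//    checked its expiry. Rejected() leaves the request anonymous, so [Authorize] answers 401
//    exactly as it does for a missing token.
public class JtiCheckingBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        var identity = context.Ticket.Identity;
        var jti = identity == null ? null : identity.FindFirst(JtiIssuingOAuthProvider.JtiClaim);
        // Tokens without an id predate this change (or were tampered with): refuse them too.
        if (jti == null || RevokedTokenStore.IsRevoked(jti.Value))
        {
            context.Rejected();
        }
        return Task.FromResult<object>(null);
    }
}

// 4. Logout: record the caller's own token id. Nothing is sent back to the client; the UI
//    still deletes the token from local storage as the question already does.
public class AccountController : ApiController
{
    [Authorize]
    [HttpPost]
    [Route("api/Account/Logout")]
    public IHttpActionResult Logout()
    {
        var identity = User.Identity as ClaimsIdentity;
        var jti = identity == null ? null : identity.FindFirst(JtiIssuingOAuthProvider.JtiClaim);
        if (jti != null)
        {
            // The action cannot see the ticket's ExpiresUtc, so keep the entry for the
            // maximum lifetime configured in Startup; after that the expiry check rejects it.
            RevokedTokenStore.Revoke(jti.Value, DateTimeOffset.UtcNow.Add(Startup.SESSION_TIMEOUT));
        }
        return Ok();
    }
}

// 5. Startup: the question's OAuthOptions, but with the bearer middleware registered
//    explicitly so it can take the custom provider (UseOAuthBearerTokens installs the default one).
public partial class Startup
{
    public const string PublicClientId = "self";                              // value assumed
    public static readonly TimeSpan SESSION_TIMEOUT = TimeSpan.FromMinutes(30); // value assumed
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new JtiIssuingOAuthProvider(PublicClientId),
            AccessTokenExpireTimeSpan = SESSION_TIMEOUT,
            AllowInsecureHttp = true // as in the question; turn off outside development
        };
        app.UseOAuthAuthorizationServer(OAuthOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new JtiCheckingBearerProvider()
        });
    }
}
```

This is the question's option (b), but the state it keeps is only the set of revoked ids, each held no longer than the token it blocks could live, rather than a copy of every token. Two consequences to check before relying on it: a logout handled on one node does not revoke on another unless the store is shared, and a token stolen before logout stays usable for up to AccessTokenExpireTimeSpan if the victim never logs out, so that span should be kept short.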
