如何使用带有OpenId Connect的刷新令牌在asp.net核心中处理过期的访问令牌 [英] How to handle expired access token in asp.net core using refresh token with OpenId Connect
问题描述
我已经配置了一个ASOS OpenIdConnect服务器,并使用了一个asp.net核心mvc应用程序,该应用程序使用了"Microsoft.AspNetCore.Authentication.OpenIdConnect":"1.0.0和"Microsoft.AspNetCore.Authentication.Cookies":"1.0. 0".我已经测试了授权码"工作流程,并且一切正常.
I have configured an ASOS OpenIdConnect Server using and an asp.net core mvc app that uses the "Microsoft.AspNetCore.Authentication.OpenIdConnect": "1.0.0 and "Microsoft.AspNetCore.Authentication.Cookies": "1.0.0". I have tested the "Authorization Code" workflow and everything works.
客户端Web应用程序按预期处理身份验证,并创建一个cookie,其中存储了id_token,access_token和refresh_token.
The client web app processes the authentication as expected and creates a cookie storing the id_token, access_token, and refresh_token.
我如何强制Microsoft.AspNetCore.Authentication.OpenIdConnect在过期时请求新的access_token?
asp.net核心mvc应用程序将忽略过期的access_token.
The asp.net core mvc app ignores the expired access_token.
我想让openidconnect看到过期的access_token,然后使用刷新令牌进行调用以获取新的access_token.它还应更新cookie值.如果刷新令牌请求失败,我希望openidconnect可以注销" cookie(将其删除).
I would like to have openidconnect see the expired access_token then make a call using the refresh token to get a new access_token. It should also update the cookie values. If the refresh token request fails I would expect openidconnect to "sign out" the cookie (remove it or something).
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
AuthenticationScheme = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
ClientId = "myClient",
ClientSecret = "secret_secret_secret",
PostLogoutRedirectUri = "http://localhost:27933/",
RequireHttpsMetadata = false,
GetClaimsFromUserInfoEndpoint = true,
SaveTokens = true,
ResponseType = OpenIdConnectResponseType.Code,
AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet,
Authority = http://localhost:27933,
MetadataAddress = "http://localhost:27933/connect/config",
Scope = { "email", "roles", "offline_access" },
});
推荐答案
看来,openidconnect身份验证中没有用于asp.net核心的程序来管理接收到的服务器上的access_token.
It seems there is no programming in the openidconnect authentication for asp.net core to manage the access_token on the server after received.
我发现我可以拦截cookie验证事件并检查访问令牌是否已过期.如果是这样,请使用grant_type = refresh_token对令牌端点进行手动HTTP调用.
I found that I can intercept the cookie validation event and check if the access token has expired. If so, make a manual HTTP call to the token endpoint with the grant_type=refresh_token.
通过调用context.ShouldRenew = true;这将导致更新cookie,并在响应中将其发送回客户端.
By calling context.ShouldRenew = true; this will cause the cookie to be updated and sent back to the client in the response.
我提供了我所做的工作的基础,一旦所有工作都解决了,我将努力更新此答案.
I have provided the basis of what I have done and will work to update this answer once all work as been resolved.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
AuthenticationScheme = "Cookies",
ExpireTimeSpan = new TimeSpan(0, 0, 20),
SlidingExpiration = false,
CookieName = "WebAuth",
Events = new CookieAuthenticationEvents()
{
OnValidatePrincipal = context =>
{
if (context.Properties.Items.ContainsKey(".Token.expires_at"))
{
var expire = DateTime.Parse(context.Properties.Items[".Token.expires_at"]);
if (expire > DateTime.Now) //TODO:change to check expires in next 5 mintues.
{
logger.Warn($"Access token has expired, user: {context.HttpContext.User.Identity.Name}");
//TODO: send refresh token to ASOS. Update tokens in context.Properties.Items
//context.Properties.Items["Token.access_token"] = newToken;
context.ShouldRenew = true;
}
}
return Task.FromResult(0);
}
}
});
这篇关于如何使用带有OpenId Connect的刷新令牌在asp.net核心中处理过期的访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
