Session Timeout when using IdentityServer4 and Oidc client causing Silent Renew to stop working


Problem description

I am currently involved in the development of an Angular4 SPA application connected to a .NET CORE 1.1 WebApi using IdentityServer4 as its authentication service.

On the Angular side we are using the Oidc client from Damien Bod, version 1.2.1 - https://github.com/damienbod/angular-auth-oidc-client.

We have managed to successfully set up and log in via IdentityServer. The problem is that at exactly 30 min we get a SessionTimeout on the IdentityServer, and from there the Oidc client obtains a 401 and so is no longer authorized.

The Oidc client is configured to use Silent Renew, so it is supposed to keep the session open. However, this does not appear to be the case. Comments from the Oidc author Damien Bod seem to indicate that the IdentityServer4 session has timed out.

Question: How can we ensure the IdentityServer4 session does not time out when using the Silent Renew of the Oidc package?

Setup on our IdentityServer4 side:

{
  "ClientId": "MyId",
  "ClientName": "MyName",
  "AllowedGrantTypes": [ "implicit" ],
  "RequireConsent": false,
  "AllowedScopes": [ "openid", "profile", "email", "role", "api.write", "api.read", "offline_access" ],
  "RedirectUris": [ "https://localhost:4200" ],
  "PostLogoutRedirectUris": [ "https://localhost:4200" ],
  "LogoutUri": "https://localhost:4200",
  "AllowedCorsOrigins": [ "http://localhost:4200", "https://localhost:4200" ],
  "AllowOfflineAccess": true,
  "AllowAccessTokensViaBrowser": true,
  "AccessTokenType": 0
}

Setup on our client side:

let openIDImplicitFlowConfiguration = new OpenIDImplicitFlowConfiguration();
openIDImplicitFlowConfiguration.stsServer = environment.stsServer;
openIDImplicitFlowConfiguration.redirect_url = environment.redirect_url;
// Must match the ClientId registered on the IdentityServer side ("MyId" in the configuration above).
openIDImplicitFlowConfiguration.client_id = 'MyName';
openIDImplicitFlowConfiguration.response_type = 'id_token token';
// offline_access is requested, but the implicit flow never issues a refresh token: renewal
// relies entirely on the IdentityServer session cookie inside the silent-renew iframe.
openIDImplicitFlowConfiguration.scope = 'openid email profile role api.write api.read offline_access';
openIDImplicitFlowConfiguration.post_logout_redirect_uri = environment.post_logout_redirect_uri;
// check-session (OIDC Session Management) is off, so the client is not told when the IdP session ends.
openIDImplicitFlowConfiguration.start_checksession = false;
openIDImplicitFlowConfiguration.silent_renew = true;
openIDImplicitFlowConfiguration.startup_route = '/home';
openIDImplicitFlowConfiguration.forbidden_route = '/forbidden';
openIDImplicitFlowConfiguration.unauthorized_route = '/unauthorized';
openIDImplicitFlowConfiguration.log_console_warning_active = true;
openIDImplicitFlowConfiguration.log_console_debug_active = true;
// Maximum accepted difference between the id_token's iat claim and the client clock.
openIDImplicitFlowConfiguration.max_id_token_iat_offset_allowed_in_seconds = 10;
openIDImplicitFlowConfiguration.override_well_known_configuration = false;
openIDImplicitFlowConfiguration.override_well_known_configuration_url = environment.well_known_config_url;
// Tokens in localStorage are readable by any script running on the origin; sessionStorage limits them to the tab.
openIDImplicitFlowConfiguration.storage = localStorage;

this.oidcSecurityService.setupModule(openIDImplicitFlowConfiguration);

Log files from IdentityServer which show the timeout:

2017-08-21 11:06:46.910 +12:00 [Information] Request starting HTTP/1.1 GET http://localhost:44345/connect/authorize?response_type=id_token%20token&client_id=AuctionX.Web.Ui.Client.Ng&redirect_uri=http://localhost:4200&scope=openid%20email%20profile%20role%20api.write%20api.read%20offline_access&nonce=N0.008974817642323441503270406807&state=15032704068070.2664008961443083  
2017-08-21 11:06:46.929 +12:00 [Information] Executed DbCommand (1ms) [Parameters=[@__get_Item_0='?' (Size = 450)], CommandType='Text', CommandTimeout='30']
SELECT TOP(1) [e].[Id], [e].[AccessFailedCount], [e].[ConcurrencyStamp], [e].[Email], [e].[EmailConfirmed], [e].[LockoutEnabled], [e].[LockoutEnd], [e].[NormalizedEmail], [e].[NormalizedUserName], [e].[PasswordHash], [e].[PhoneNumber], [e].[PhoneNumberConfirmed], [e].[SecurityStamp], [e].[TwoFactorEnabled], [e].[UserName]
FROM [AspNetUsers] AS [e]
WHERE [e].[Id] = @__get_Item_0
2017-08-21 11:06:46.938 +12:00 [Information] AuthenticationScheme: "Identity.Application" signed out.
2017-08-21 11:06:46.944 +12:00 [Information] AuthenticationScheme: "Identity.External" signed out.
2017-08-21 11:06:46.950 +12:00 [Information] AuthenticationScheme: "Identity.TwoFactorUserId" signed out.
2017-08-21 11:06:46.953 +12:00 [Information] "Identity.Application" was not authenticated. Failure message: "No principal."

Log files from the Oidc client:
VM543 vendor.bundle.js:441 onWellKnownEndpointsLoaded
VM543 vendor.bundle.js:441 IsAuthorized: id_token isTokenExpired, start silent renew if active
VM543 vendor.bundle.js:441 BEGIN refresh session Authorize
VM543 vendor.bundle.js:441 RefreshSession created. adding myautostate: 15032774526950.18444551521534458
VM543 vendor.bundle.js:441 startRenew for URL:https://localhost:44345/connect/authorize?response_type=id_token%20token&client_id=AuctionX.Web.Ui.Client.Ng&redirect_uri=http://localhost:4200&scope=openid%20email%20profile%20role%20api.write%20api.read%20offline_access&nonce=N0.055432655304242351503277452695&state=15032774526950.18444551521534458
VM543 vendor.bundle.js:441 STS server: https://localhost:44345
VM543 vendor.bundle.js:441 {issuer: "https://localhost:44345", jwks_uri: "https://localhost:44345/.well-known/openid-configuration/jwks", authorization_endpoint: "https://localhost:44345/connect/authorize", token_endpoint: "https://localhost:44345/connect/token", userinfo_endpoint: "https://localhost:44345/connect/userinfo", …}
VM543 vendor.bundle.js:441 AuthWellKnownEndpoints already defined
VM543 vendor.bundle.js:441 BEGIN authorizedCallback, no auth data
VM543 vendor.bundle.js:441 {id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOT…5P2zqgYNYQOuq36tWm37eLOnZ7PE_TiQoHpX9iEbyaZQQmlPg", access_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOT…pU0eoTqFx9sUbjRw__r8z_-FjaTQH0acMb9K8uKzqOn5dgxnw", token_type: "Bearer", expires_in: "120", scope: "openid%20email%20profile%20role%20api.write%20api.read%20offline_access", …}
VM543 vendor.bundle.js:441 authorizedCallback created, begin token validation
VM543 vendor.bundle.js:441 jwks_uri: https://localhost:44345/.well-known/openid-configuration/jwks
VM543 vendor.bundle.js:126701 Angular is running in the development mode. Call enableProdMode() to enable the production mode.
VM543 vendor.bundle.js:441 validate_id_token_iat_max_offset: 2328 < 10000
VM543 vendor.bundle.js:441 From the server:DsQ3fMYhzDrjDQJPMfqRzg
VM543 vendor.bundle.js:441 client validation not decoded:DsQ3fMYhzDrjDQJPMfqRzg
VM543 vendor.bundle.js:441 AuthorizedCallback token(s) validated, continue
VM543 vendor.bundle.js:441 eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOTFhMjFiYTA3NjVkM2QzNDhjIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MDMyNzc0NTMsImV4cCI6MTUwMzI3NzU3MywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUiLCJhdWQiOlsiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUvcmVzb3VyY2VzIiwiYXVjdGlvblguYXBpIl0sImNsaWVudF9pZCI6IkF1Y3Rpb25YLldlYi5VaS5DbGllbnQuTmciLCJzdWIiOiI1QkU4NjM1OS0wNzNDLTQzNEItQUQyRC1BMzkzMjIyMkRBQkUiLCJhdXRoX3RpbWUiOjE1MDMyNzU5NzQsImlkcCI6ImxvY2FsIiwicm9sZSI6ImFkbWluIiwic2NvcGUiOlsib3BlbmlkIiwiZW1haWwiLCJwcm9maWxlIiwicm9sZSIsImFwaS53cml0ZSIsImFwaS5yZWFkIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.ZvIho_FnuW_27b_sgLL_nJj_45tqlO4oMSkgFKj8cDObR--4OC1wESgo9jH6vjPR4Gx42DK5iiryaW8X91Yr_X8l-rcwECMacsXR_aZYCVKOC5kORLNHEzSg1ha0vI7EQCn2wuLn_z-ljJGVhxMbc2tI_kCt4abuChA0AryKt0EFCQ_11rvZry_yW49nlUBO_WgkgSB4R5x9MHQiWKlW6UOW-1t790QoARQjyp9WJ0AsHc4xtBjOmLJzOb7kTjp7ND5zrM7QVBK5HOewaV4fL7cVjWGXEZmH9m9D3pU0eoTqFx9sUbjRw__r8z_-FjaTQH0acMb9K8uKzqOn5dgxnw
VM543 vendor.bundle.js:441 eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOTFhMjFiYTA3NjVkM2QzNDhjIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MDMyNzc0NTMsImV4cCI6MTUwMzI3NzU0MywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUiLCJhdWQiOiJBdWN0aW9uWC5XZWIuVWkuQ2xpZW50Lk5nIiwibm9uY2UiOiJOMC4wNTU0MzI2NTUzMDQyNDIzNTE1MDMyNzc0NTI2OTUiLCJpYXQiOjE1MDMyNzc0NTMsImF0X2hhc2giOiJEc1EzZk1ZaHpEcmpEUUpQTWZxUnpnIiwic2lkIjoiMWJkNjQ0YmVhMjQwZjM1MDc2YzQ5NzVjOTg0ZjI1N2IiLCJzdWIiOiI1QkU4NjM1OS0wNzNDLTQzNEItQUQyRC1BMzkzMjIyMkRBQkUiLCJhdXRoX3RpbWUiOjE1MDMyNzU5NzQsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.pExwBcxTQiT2nY38l5f6ZGNs4gzLTYZlUEO6sDl_Q2fPmzjppKn-7yU8bhjCy6xZKKuOT3pRO3JmZFEln1CDBfJqTsOg4UH8tu0MIIeMkiIBwjMooqb-ocN6JPwkrr-CuSk90xsQmGPqdaSRLC7IHFQ2VPq5Ic7b9Jd4CXIDZQbBKdR2PEC8n2Rfl-ayDOEXzOni8ylQ5ksu28eRicv7-HYimnF3Xc63xiBIC1NH4OofxQoqQRdBL2j8OJDKXQY6oDZxUNBLsIf1-jnM_MUTnr4tHoiX-XIhbZuTa5P2zqgYNYQOuq36tWm37eLOnZ7PE_TiQoHpX9iEbyaZQQmlPg
VM543 vendor.bundle.js:441 storing to storage, getting the roles
VM543 vendor.bundle.js:441 onWellKnownEndpointsLoaded
VM543 vendor.bundle.js:441 IsAuthorized: id_token isTokenExpired, start silent renew if active
VM543 vendor.bundle.js:441 BEGIN refresh session Authorize
VM543 vendor.bundle.js:441 RefreshSession created. adding myautostate: 15032775466960.9369647619628338
VM543 vendor.bundle.js:441 startRenew for URL:https://localhost:44345/connect/authorize?response_type=id_token%20token&client_id=AuctionX.Web.Ui.Client.Ng&redirect_uri=http://localhost:4200&scope=openid%20email%20profile%20role%20api.write%20api.read%20offline_access&nonce=N0.223876239755147031503277546696&state=15032775466960.9369647619628338
VM543 vendor.bundle.js:441 STS server: https://localhost:44345
VM543 vendor.bundle.js:441 {issuer: "https://localhost:44345", jwks_uri: "https://localhost:44345/.well-known/openid-configuration/jwks", authorization_endpoint: "https://localhost:44345/connect/authorize", token_endpoint: "https://localhost:44345/connect/token", userinfo_endpoint: "https://localhost:44345/connect/userinfo", …}
VM543 vendor.bundle.js:441 AuthWellKnownEndpoints already defined
VM543 vendor.bundle.js:441 BEGIN authorizedCallback, no auth data
VM543 vendor.bundle.js:441 {id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOT…y0UvzWAIigtnoy8ho-RvIHCVLfFNdrS_YockJLRhwZZHtOgVg", access_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOT…Q4CSsXVqa58bI7tROqruKxn9bb3q7zPIV-KSTOhXGAFo7ZN7Q", token_type: "Bearer", expires_in: "120", scope: "openid%20email%20profile%20role%20api.write%20api.read%20offline_access", …}
VM543 vendor.bundle.js:441 authorizedCallback created, begin token validation
VM543 vendor.bundle.js:441 jwks_uri: https://localhost:44345/.well-known/openid-configuration/jwks
VM543 vendor.bundle.js:126701 Angular is running in the development mode. Call enableProdMode() to enable the production mode.
VM543 vendor.bundle.js:441 validate_id_token_iat_max_offset: 2334 < 10000
VM543 vendor.bundle.js:441 From the server:VBff-XldgCju7j-ghbcK3g
VM543 vendor.bundle.js:441 client validation not decoded:VBff-XldgCju7j-ghbcK3g
VM543 vendor.bundle.js:441 AuthorizedCallback token(s) validated, continue
VM543 vendor.bundle.js:441 eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOTFhMjFiYTA3NjVkM2QzNDhjIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MDMyNzc1NDcsImV4cCI6MTUwMzI3NzY2NywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUiLCJhdWQiOlsiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUvcmVzb3VyY2VzIiwiYXVjdGlvblguYXBpIl0sImNsaWVudF9pZCI6IkF1Y3Rpb25YLldlYi5VaS5DbGllbnQuTmciLCJzdWIiOiI1QkU4NjM1OS0wNzNDLTQzNEItQUQyRC1BMzkzMjIyMkRBQkUiLCJhdXRoX3RpbWUiOjE1MDMyNzU5NzQsImlkcCI6ImxvY2FsIiwicm9sZSI6ImFkbWluIiwic2NvcGUiOlsib3BlbmlkIiwiZW1haWwiLCJwcm9maWxlIiwicm9sZSIsImFwaS53cml0ZSIsImFwaS5yZWFkIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.Xy1X3CeEaTYAWNKkYrIKKhZiEYkRnGJve1pP2kDO5qRg5-Qe-g9h-0BB-j5TeXE1VIrBOJ-1vr6Vkr28jfyAz7t02rHnK9Vs94xFc2H8UNcF98YBT-7GKqRd-FB1L3lQqtZWMku4b01qmIPSjUThzShcdgrbOsIpwdxC3UB-Ziram6EfUme10Wpb2J1vto7rEKcurQ6LZI3645x0rTlGS2fXU7x0UQxfxhAX9VNYwAreT8T2-O4mLzr9Ejbd-kMEfXNALIUUJ3KKRmGOGCHM5fwHzsuX67gIqJXueQ4CSsXVqa58bI7tROqruKxn9bb3q7zPIV-KSTOhXGAFo7ZN7Q
VM543 vendor.bundle.js:441 eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOTFhMjFiYTA3NjVkM2QzNDhjIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MDMyNzc1NDcsImV4cCI6MTUwMzI3NzYzNywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUiLCJhdWQiOiJBdWN0aW9uWC5XZWIuVWkuQ2xpZW50Lk5nIiwibm9uY2UiOiJOMC4yMjM4NzYyMzk3NTUxNDcwMzE1MDMyNzc1NDY2OTYiLCJpYXQiOjE1MDMyNzc1NDcsImF0X2hhc2giOiJWQmZmLVhsZGdDanU3ai1naGJjSzNnIiwic2lkIjoiMWJkNjQ0YmVhMjQwZjM1MDc2YzQ5NzVjOTg0ZjI1N2IiLCJzdWIiOiI1QkU4NjM1OS0wNzNDLTQzNEItQUQyRC1BMzkzMjIyMkRBQkUiLCJhdXRoX3RpbWUiOjE1MDMyNzU5NzQsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.f-PzKxDafEIRPIz_qL_xtbI4QlDybyyRWMhnxUaNzOS1SJGVLVY1zpx89Y0MHlSe8NSZgtBOieB_Wr52nKZLm85ItMOCSpr5I5uZBi_mdufBEJWzOfbcnPT53pvpETwBVxSAOJvJXq-XxC-rxCeoHs7xd57M57RWa_Wla_rgh2-dVdscHHxA7fKDToEM_SpLgmFlI4QWV3DnMtkNWVzXkSNq1Iv5AOvtfI_j5Dz5XgsJAoyI1vWQHZqRuNO8_TK0g2oudvfv-xji1Uc_oFA_0rEdfoacNoyAwe4vky0UvzWAIigtnoy8ho-RvIHCVLfFNdrS_YockJLRhwZZHtOgVg
VM543 vendor.bundle.js:441 storing to storage, getting the roles
VM543 vendor.bundle.js:441 onWellKnownEndpointsLoaded
home:1 Refused to display 'https://localhost:44345/account/login?returnUrl=%2Fconnect%2Fauthorize%2Flogin%3Fresponse_type%3Did_token%2520token%26client_id%3DAuctionX.Web.Ui.Client.Ng%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4200%26scope%3Dopenid%2520email%2520profile%2520role%2520api.write%2520api.read%2520offline_access%26nonce%3DN0.481244061017480631503277824820%26state%3D15032778248200.2571680787467199' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
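The client log above also shows why the renewal stops silently rather than with an error the application can act on: the silent-renew URL it logs carries no prompt=none, so once the IdentityServer session cookie is gone the authorize endpoint redirects the hidden iframe to /account/login, and the browser refuses to render that page in a frame (the final X-Frame-Options line). With prompt=none an OpenID Connect provider must not show UI and instead redirects back to redirect_uri with error=login_required, which IdentityServer4 honours; a client can detect that, stop renewing and start an interactive login. The following TypeScript is an added example written for this page. It is not code from the question, from angular-auth-oidc-client or from IdentityServer4; the names SilentRenewer, RenewOutcome, RenewerConfig and the helper functions are hypothetical, as are the issuer and client values a caller configures it with. It assumes the hidden iframe hands its window.location.hash to complete() once it lands on redirect_uri, and it leaves signature verification of the id_token against the JWKS to the library.

```typescript
// Added example for this page: not code from the question, from IdentityServer4 or from
// angular-auth-oidc-client; SilentRenewer, RenewOutcome, RenewerConfig and the helpers are hypothetical.
// It runs the implicit-flow silent renew the client log above attempts, but sends prompt=none and
// validates the callback fragment before accepting new tokens.

type RenewOutcome =
  | { kind: "renewed"; idToken: string; accessToken: string; renewAtMs: number }
  | { kind: "login_required"; error: string } // IdP session is gone: stop renewing, start an interactive login
  | { kind: "rejected"; reason: string };     // not a response we requested, or it fails validation: discard

interface RenewerConfig {
  issuer: string;            // expected iss claim, e.g. https://localhost:44345
  authorizeEndpoint: string; // e.g. https://localhost:44345/connect/authorize
  clientId: string;
  redirectUri: string;
  scope: string;
  maxIatSkewSeconds: number; // same role as max_id_token_iat_offset_allowed_in_seconds in the config above
  renewLeadSeconds: number;  // schedule the next renew this long before the access token expires
  randomHex: () => string;   // CSPRNG for state and nonce, injected so the code runs in Node and in browsers
}

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

function base64UrlDecode(s: string): Uint8Array {
  const out: number[] = [];
  let acc = 0, bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s.charAt(i));
    if (v < 0) throw new Error("invalid base64url");
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); }
  }
  return new Uint8Array(out);
}

// Payload only. Verifying the signature against the JWKS is the OIDC library's job and is not shown.
function decodeJwtPayload(jwt: string): any {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const bytes = base64UrlDecode(parts[1]);
  let pct = "";
  for (let i = 0; i < bytes.length; i++) pct += "%" + (bytes[i] < 16 ? "0" : "") + bytes[i].toString(16);
  return JSON.parse(decodeURIComponent(pct)); // percent-decoding turns the UTF-8 bytes back into text
}

function parseFragment(fragment: string): { [k: string]: string } {
  const out: { [k: string]: string } = Object.create(null); // no prototype: a "__proto__" key cannot pollute it
  const body = fragment.charAt(0) === "#" ? fragment.substring(1) : fragment;
  const pairs = body ? body.split("&") : [];
  for (let i = 0; i < pairs.length; i++) {
    const eq = pairs[i].indexOf("=");
    const k = decodeURIComponent(eq < 0 ? pairs[i] : pairs[i].substring(0, eq));
    const v = eq < 0 ? "" : decodeURIComponent(pairs[i].substring(eq + 1));
    if (!(k in out)) out[k] = v; // first occurrence wins, so a duplicated state or error cannot override it
  }
  return out;
}

class SilentRenewer {
  private pending: { [state: string]: { nonce: string } } = Object.create(null);
  constructor(private cfg: RenewerConfig) {}

  // Step 1: the URL for the hidden iframe. With prompt=none the provider must not show UI: if it cannot
  // authenticate the user from its session cookie it redirects back with error=login_required
  // (OpenID Connect Core 3.1.2.6) instead of to its login page. The renew URL in the log above has no prompt.
  begin(): string {
    const state = this.cfg.randomHex(), nonce = this.cfg.randomHex();
    this.pending[state] = { nonce: nonce };
    const q = [["response_type", "id_token token"], ["client_id", this.cfg.clientId], ["redirect_uri", this.cfg.redirectUri],
               ["scope", this.cfg.scope], ["state", state], ["nonce", nonce], ["prompt", "none"]];
    return this.cfg.authorizeEndpoint + "?" + q.map(function (kv) { return kv[0] + "=" + encodeURIComponent(kv[1]); }).join("&");
  }

  // Step 2: the fragment the iframe came back with (its window.location.hash), once it is on redirect_uri.
  complete(fragment: string, nowMs: number): RenewOutcome {
    const r = parseFragment(fragment);
    const p = r["state"] ? this.pending[r["state"]] : undefined;
    if (!p) return { kind: "rejected", reason: "unknown or already used state" };
    delete this.pending[r["state"]]; // state is single-use
    if (r["error"]) {
      if (/^(login|interaction|consent|account_selection)_required$/.test(r["error"])) return { kind: "login_required", error: r["error"] };
      return { kind: "rejected", reason: "authorize error: " + r["error"] };
    }
    if (!r["id_token"] || !r["access_token"] || !r["expires_in"]) return { kind: "rejected", reason: "incomplete token response" };
    let c: any;
    try { c = decodeJwtPayload(r["id_token"]); } catch (e) { return { kind: "rejected", reason: "malformed id_token" }; }
    const nowSec = Math.floor(nowMs / 1000);
    const audOk = typeof c.aud === "string" ? c.aud === this.cfg.clientId : Array.isArray(c.aud) && c.aud.indexOf(this.cfg.clientId) >= 0;
    if (c.iss !== this.cfg.issuer) return { kind: "rejected", reason: "issuer mismatch" };
    if (!audOk) return { kind: "rejected", reason: "audience mismatch" };
    if (c.nonce !== p.nonce) return { kind: "rejected", reason: "nonce mismatch: replayed or foreign response" };
    if (typeof c.exp !== "number" || c.exp <= nowSec) return { kind: "rejected", reason: "id_token already expired" };
    if (typeof c.iat !== "number" || Math.abs(nowSec - c.iat) > this.cfg.maxIatSkewSeconds) return { kind: "rejected", reason: "iat outside allowed skew" };
    const expiresIn = parseInt(r["expires_in"], 10);
    if (!(expiresIn > 0)) return { kind: "rejected", reason: "bad expires_in" };
    return { kind: "renewed", idToken: r["id_token"], accessToken: r["access_token"],
             renewAtMs: nowMs + Math.max(0, expiresIn - this.cfg.renewLeadSeconds) * 1000 };
  }
}
```

begin() returns the URL to assign to the iframe's src; when the iframe loads redirect_uri, pass its location.hash to complete(). A login_required outcome should cancel the renew timer and send the user through an interactive login, which is the only honest answer once the IdentityServer cookie is gone; a rejected outcome should be logged and the stored tokens left untouched, since the state and nonce checks are what discard a response the client did not request or a token replayed from an earlier renew. The `expires_in` of 120 seconds in the log above would make renewAtMs fall 90 seconds after each renewal with a 30-second lead, which is why the page's client loops through renewals every couple of minutes until the IdP session ends. Note also that check-session (start_checksession) is off in the configuration above, so nothing tells the client that the IdentityServer session has ended until a renew fails.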

Recommended answer

It's possible this is not a problem with the UI client at all, but rather that the cookie is being invalidated on the IdentityServer side and so effectively signing the user out.

The setting which seems to extend this is SecurityStampValidationInterval, for example (to 1 hr):

// cookieAuth: the CookieAuthenticationOptions configured elsewhere in Startup (not shown in the answer).
services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    options.Cookies.ApplicationCookie.AuthenticationScheme = cookieAuth.AuthenticationScheme;

    // How often the cookie principal is re-validated against the user's security stamp in the store
    // (default 30 minutes). A failed validation signs the user out of every Identity cookie scheme,
    // which is the sequence the IdentityServer log above records.
    options.SecurityStampValidationInterval = TimeSpan.FromHours(1);

    options.Password.RequiredLength = 8;
    options.Password.RequireUppercase = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireNonAlphanumeric = true;
    options.Password.RequireDigit = true;
});

However, this is not ideal as the user is still logged out after 1 hour even though nothing has changed. Why this is the case is yet to be determined.
