Access token revocation implementation in OAuth 2


Problem description


I've used OWIN OAuth 2 to implement my Authorization Server Provider. Now, I want to implement token revocation (when my client application wants to logout).
Can anybody help me and tell me how to implement token revocation in OWIN KATANA OAuth 2? Are there some good practices for it?

Recommended answer


There are two kinds of token involved in OAuth 2.0. One is access token and the other is refresh token.


For refresh token, I really recommend Token Based Authentication using ASP.NET Web API 2, Owin, and Identity written by Taiseer Joudeh. He provides a step by step tutorial on setting up token based authentication, including revoking refresh token.


For access token, I use a black list to store revoked access tokens. When a user logs out, I add the user's current access token into a black list. And if a new request comes, I first check whether its access token is in the black list. If yes, reject the request, otherwise let the OAuth component do the validation.

Here are some implementation details:


I use cache to work as a black list and set cache item's expiration to the access token's expiration. The cache item (access token) will be removed from black list automatically after it expires. (We don't need to keep the access token in the black list after it expires. If the token expires, no matter whether it's in the black list or not, it can't pass OAuth validation mechanism).


The following code shows how to reject a request if its access token is in the black list.

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
{
    Provider = new OAuthBearerAuthenticationProvider()
    {
        // Runs before the bearer middleware unprotects the token.
        OnRequestToken = context =>
        {
            // A blacklisted token is replaced by an empty string, which
            // the OAuth component then rejects as an invalid token.
            if (blackList.Contains(context.Token))
            {
                context.Token = string.Empty;
            }

            return Task.FromResult<object>(null);
        }
    }
});


What I do is if I find the access token in black list, I set the access token to empty string. Later, when the OAuth component tries to parse the token, it finds out that the token is empty. Definitely, an empty string isn't a valid token, so it will reject the request, just like you send a request with an invalid access token.
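To make the black-list approach in the answer concrete end to end, here is an added example (it is not code from the answer, nor from Katana itself). It assumes System.Runtime.Caching.MemoryCache as the expiring cache, a hypothetical RevokedTokenList class and a hypothetical /logout endpoint, and it relies on the bearer middleware filling in OAuthBearerAuthenticationOptions.AccessTokenFormat at startup so the logout handler can read the token's own expiry and use it as the cache entry's expiry.

```csharp
using System;
using System.Runtime.Caching;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical black list of revoked access tokens. Each entry expires exactly
// when the token itself would, so the cache never keeps tokens that the OAuth
// middleware would reject anyway (the answer's "set cache expiration to the
// access token's expiration" rule).
public sealed class RevokedTokenList
{
    private readonly MemoryCache _cache = new MemoryCache("revoked-access-tokens");

    public void Revoke(string token, DateTimeOffset expiresUtc)
    {
        // An already expired token cannot pass validation, so there is nothing to block.
        if (string.IsNullOrEmpty(token) || expiresUtc <= DateTimeOffset.UtcNow)
            return;
        _cache.Set(token, true, expiresUtc);
    }

    public bool IsRevoked(string token)
    {
        return !string.IsNullOrEmpty(token) && _cache.Contains(token);
    }
}

public class Startup
{
    // One process-wide list; with several web servers this must be a shared store instead.
    public static readonly RevokedTokenList RevokedTokens = new RevokedTokenList();
    public static OAuthBearerAuthenticationOptions BearerOptions;

    public void Configuration(IAppBuilder app)
    {
        BearerOptions = new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                // Runs before the token is unprotected: blanking a black-listed
                // token makes the bearer middleware treat the request as unauthenticated.
                OnRequestToken = context =>
                {
                    if (RevokedTokens.IsRevoked(context.Token))
                    {
                        context.Token = string.Empty;
                    }
                    return Task.FromResult<object>(null);
                }
            }
        };
        app.UseOAuthBearerAuthentication(BearerOptions);

        // Hypothetical logout endpoint: POST /logout with the same Bearer token
        // black-lists that token until its own expiry.
        app.Map("/logout", logout => logout.Run(ctx =>
        {
            string header = ctx.Request.Headers["Authorization"];
            if (header == null || !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            {
                ctx.Response.StatusCode = 401;
                return Task.FromResult(0);
            }
            string token = header.Substring("Bearer ".Length).Trim();

            // AccessTokenFormat is populated by the bearer middleware at startup;
            // Unprotect yields the ticket, whose ExpiresUtc is the token's expiry.
            AuthenticationTicket ticket = BearerOptions.AccessTokenFormat.Unprotect(token);
            if (ticket == null || ticket.Properties.ExpiresUtc == null)
            {
                ctx.Response.StatusCode = 401;
                return Task.FromResult(0);
            }

            RevokedTokens.Revoke(token, ticket.Properties.ExpiresUtc.Value);
            ctx.Response.StatusCode = 204;
            return Task.FromResult(0);
        }));
    }
}
```

Because the cache entry carries the token's own expiry, the list only ever contains tokens that would otherwise still be accepted, which keeps its size bounded by the number of logouts within one token lifetime. The raw token is used as the cache key here for simplicity; storing a hash of it instead keeps valid bearer tokens out of process memory dumps and logs.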
