Owin WS-Federation setting up token sliding expiration

Problem description

Can somebody explain how to implement sliding expiration using the new Owin WS-Federation plugin?

On the client side, at WS-Federation configuration I see that there are some events like:

  Notifications = new WsFederationAuthenticationNotifications
            {
                SecurityTokenReceived = ...,
                AuthenticationFailed = ...,
                RedirectToIdentityProvider = ...,
                MessageReceived = ...,
                SecurityTokenValidated = ....
            },

But because of the lack of documentation I can't really figure out where and how?

At the moment, my STS is issuing tokens with absolute expiration:

 protected override Lifetime GetTokenLifetime(Lifetime requestLifetime)
 {
        // 5 Minutes for token lifetime
        var lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5));
        return lifetime;
 }

Any help is highly appreciated.

Recommended answer

TL;DR: set WsFederationAuthenticationOptions.UseTokenLifetime to false, to re-enable sliding expiration.

In OWIN/Katana, the sliding expiration concept is limited to the cookies middleware and is enabled by default (you can turn it off by setting CookieAuthenticationOptions.SlidingExpiration to false: https://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.Cookies/CookieAuthenticationOptions.cs).

When you use app.UseWsFederationAuthentication (or app.UseOpenIdConnectAuthentication), it actually relies on another middleware to persist the ClaimsIdentity when you complete the authentication flow. This "persistence delegation" can be configured through the SignInAsAuthenticationType or via app.SetDefaultSignInAsAuthenticationType.

Typically, this SignInAsAuthenticationType property corresponds to a cookie middleware: this way, sliding expiration is not managed at the WS-Federation middleware level, but by the cookies middleware, that will automatically renew the authentication cookie when sliding expiration conditions are met. In this scenario, the authentication token issued by your identity provider won't be renewed. For this to work, you need to set WsFederationAuthenticationOptions.UseTokenLifetime to false, because when you use the default value, sliding expiration is disabled and the cookie lifetime matches the token lifetime.

If you use WS-Fed for authentication purposes (i.e. you just want to know who your users are), using sliding expiration is probably a good idea. But if you need to make some API calls on a remote server, your users may end up being authenticated for a long time, far after the expiration of their security token.
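
An added example, not part of the original answer: a Katana Startup class that sets UseTokenLifetime to false so the cookie middleware slides the session, and goes one step beyond the answer by capping the total session length so the sliding cookie cannot outlive sign-in indefinitely. The metadata address, realm, property key "session_abs_expiry" and the 8-hour cap are placeholders assumed for illustration.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
public class Startup
{
    // Hypothetical property key and cap, chosen for this example.
    private const string AbsoluteExpiryKey = "session_abs_expiry";
    private static readonly TimeSpan AbsoluteCap = TimeSpan.FromHours(8);
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            SlidingExpiration = true,                  // default, shown for clarity
            ExpireTimeSpan = TimeSpan.FromMinutes(5),  // idle window, renewed on activity
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = ctx =>
                {
                    string raw; DateTimeOffset deadline;
                    bool live = ctx.Properties.Dictionary.TryGetValue(AbsoluteExpiryKey, out raw)
                        && DateTimeOffset.TryParse(raw, CultureInfo.InvariantCulture, DateTimeStyles.None, out deadline)
                        && DateTimeOffset.UtcNow < deadline;
                    if (!live) ctx.RejectIdentity();   // fail closed: missing or passed deadline
                    return Task.FromResult(0);
                }
            }
        });
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            MetadataAddress = "https://sts.example.test/FederationMetadata/2007-06/FederationMetadata.xml", // placeholder
            Wtrealm = "urn:example:app",  // placeholder
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            UseTokenLifetime = false,     // cookie middleware owns the lifetime
            Notifications = new WsFederationAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    // Stamp the absolute deadline once, at sign-in; it travels in the cookie.
                    n.AuthenticationTicket.Properties.Dictionary[AbsoluteExpiryKey] =
                        DateTimeOffset.UtcNow.Add(AbsoluteCap).ToString("o", CultureInfo.InvariantCulture);
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

When the deadline passes, the cookie identity is rejected and the next request to a protected resource goes back through the WS-Federation sign-in, where the STS issues a fresh token.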
