How to invalidate OAuth token when password is changed?


Problem description

We use ASP.NET Identity in a Web API project with SimpleAuthorizationServerProvider; we use OAuth tokens to authorize each request coming from the client. (Tokens have an expiry timespan; we don't use refresh tokens.)

When users change their password, I would like to invalidate the tokens they may have, possibly on other devices. Is there any way to explicitly do that? I experimented and saw that the existing tokens work without any problem after a password change, which should be prevented.

I thought about putting the password hash, or part of the hash in the OAuth token as a claim, and validating that in the OnAuthorization method of our derived AuthorizeAttribute filter.
Would this be a correct way to solve the problem?

Recommended answer

I do not recommend putting the hash of the password as a claim, and I believe there is no direct way to invalidate a token when the password is changed.

But if you are OK with hitting the DB with each request sent from the client app to a protected API endpoint, then you need to store a Token Identifier (Guid maybe) for each token granted to the resource owner who requested it. Then you assign the token identifier as a custom claim for this token; after this you need to check this table with each request by looking for the token identifier and the user name for the resource owner.

Once the password is changed you delete this token identifier record for this resource owner (user), and the next time the token is sent from the client it will get rejected because the record for this token identifier and resource owner has been deleted.
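An added example (not code from the question or the answer) of the approach above in OWIN/Web API 2 C#: the provider stamps each token with an identifier claim and registers it, a filter checks that identifier on every request, and a change-password handler drops all of a user's identifiers. The `TokenRegistry` class, the `token_id` claim name and the `RevocableAuthorizeAttribute` name are my assumptions; the in-memory store stands in for the answer's DB table, and the credential check against ASP.NET Identity is elided.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Hypothetical in-memory stand-in for the DB table of active token identifiers per user.
public static class TokenRegistry
{
    private static readonly ConcurrentDictionary<string, byte> Active = new ConcurrentDictionary<string, byte>();
    private static string Key(string user, string tokenId) => user + "|" + tokenId;
    public static void Register(string user, string tokenId) => Active[Key(user, tokenId)] = 0;
    public static bool IsActive(string user, string tokenId) => Active.ContainsKey(Key(user, tokenId));
    // Call after UserManager.ChangePasswordAsync succeeds: every token issued to the user is dropped.
    public static void RevokeAll(string user)
    {
        foreach (var k in Active.Keys)   // Keys is a snapshot, so removing while iterating is safe
            if (k.StartsWith(user + "|", StringComparison.Ordinal)) Active.TryRemove(k, out _);
    }
}

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // ValidateClientAuthentication and the password check against ASP.NET Identity are elided.
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var tokenId = Guid.NewGuid().ToString("N");
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim("token_id", tokenId));   // custom claim carried inside the token
        TokenRegistry.Register(context.UserName, tokenId);
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
        return Task.FromResult(0);
    }
}

// Use instead of [Authorize]: a validly signed token is rejected once its identifier is gone.
public class RevocableAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (!base.IsAuthorized(actionContext)) return false;
        var identity = actionContext.RequestContext.Principal.Identity as ClaimsIdentity;
        var tokenId = identity?.FindFirst("token_id")?.Value;
        return tokenId != null && TokenRegistry.IsActive(identity.Name, tokenId);
    }
}
```

In a real deployment the registry rows also need an expiry matching the token lifetime so the table does not grow without bound, and the same `RevokeAll` call serves "sign out everywhere" and account-lockout flows.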
