Why does my IdentityServer4 based server timeout in 30 minutes and only support SSO in the first 30 minutes?


Problem description

I have an application system that was developed based on IdentityServer4 and .NET Core 2.0. Just recently I noticed that the login to the server will time out in 30 minutes regardless of user activity. Client applications cannot launch other SSO enabled applications after the 30 minutes boundary. After 30 minutes, launching any new app will force user login. I looked at the cookies that might affect the SSO functionality; there are three: AspNetCore.Identity.Application, Identity.External and idsrv.session. But they are all browser session cookies. I don't see how they would time out. Does anyone know what's going on?

My related settings:


  • Absolute Refresh Token Lifetime: 2592000
  • Access Token Lifetime: 3600
  • Authorization lifetime: 300
  • Identity Token Lifetime: 300

Recommended answer

mode777 is right. This issue is not related to IdentityServer4 nor OpenID Connect. It's related to the AspNetCore.Identity. I find this link very helpful and solved my timeout issue by adding a line like this:

services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromHours(24));

So, what happened is this: After the 30-minute default interval, a request to the server will go through the user security stamp check. For some unknown reason, the logic that checks my user security stamp thinks the stamp is invalid and hence calls SignInManager's SignOutAsync, which kills everything. What I still don't understand is that my user security stamp is never changed! It shouldn't cause the invalidation. For now, I will let my application work with a much longer check interval, and will keep an eye on the security stamp.
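A way to see why the stamp check fails, instead of only lengthening the interval, is to log what the validator has to work with before it runs. The following is an added example, not code from the answer or from the Identity project; the class and method names are hypothetical, and it assumes the ASP.NET Core Identity application cookie with its default validator.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical helper for temporary troubleshooting (adds a user lookup per request).
public static class SecurityStampDiagnostics
{
    // Call in Startup.ConfigureServices after AddIdentity<TUser, TRole>().
    public static IServiceCollection AddSecurityStampDiagnostics<TUser>(
        this IServiceCollection services) where TUser : class
    {
        return services.ConfigureApplicationCookie(options =>
            options.Events.OnValidatePrincipal = LogThenValidateAsync<TUser>);
    }

    private static async Task LogThenValidateAsync<TUser>(
        CookieValidatePrincipalContext ctx) where TUser : class
    {
        var sp = ctx.HttpContext.RequestServices;
        var log = sp.GetRequiredService<ILoggerFactory>()
                    .CreateLogger("SecurityStampDiagnostics");
        var users = sp.GetRequiredService<UserManager<TUser>>();
        var claimType = sp.GetRequiredService<IOptions<IdentityOptions>>()
                          .Value.ClaimsIdentity.SecurityStampClaimType;

        // Stamp carried in the cookie principal vs. stamp held in the user store.
        var cookieStamp = ctx.Principal?.FindFirst(claimType)?.Value;
        var user = ctx.Principal == null ? null : await users.GetUserAsync(ctx.Principal);
        var storedStamp = user == null ? null : await users.GetSecurityStampAsync(user);

        string outcome;
        if (user == null) outcome = "no user found for the cookie principal";
        else if (cookieStamp == null) outcome = "cookie principal has no stamp claim";
        else if (cookieStamp != storedStamp) outcome = "cookie stamp differs from stored stamp";
        else outcome = "cookie stamp matches stored stamp";

        // Log only the outcome, never the stamp values themselves.
        log.LogInformation("Security stamp check: {Outcome}; cookie issued {IssuedUtc}",
            outcome, ctx.Properties.IssuedUtc);

        // Hand over to the default validator so sign-out behaviour is unchanged.
        await SecurityStampValidator.ValidatePrincipalAsync(ctx);
    }
}
```

The logged outcome separates a stamp that really changed from a cookie principal that never carried the stamp claim, which need different fixes.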
