SaveTokens = OpenIdConnect中间件中的真正愚蠢? [英] SaveTokens = true stupid in OpenIdConnect Middleware?

问题描述

在获得具有混合或授权代码流的访问令牌以将其保留在浏览器中之后，在(ASP.NET Core)OpenIdConnect中间件中使用SaveTokens = true看起来很愚蠢，以便它们再次出现在浏览器中.

After getting the access token with hybrid or authorization code flow to keep them from the browser it seems stupid to use SaveTokens = true in the (ASP.NET Core) OpenIdConnect middleware so that they end up in the browser again.

使用中间件存储访问令牌的更好方法是什么?

What is a better way to store the access token using the middleware?

推荐答案

使用SaveTokens中间件将令牌与用户声明一起存储在cookie中.尽管此cookie可能存储在浏览器中，但它受到保护，因此只有应用程序才能读取它.浏览器或客户端代码无法读取Cookie.因此，它们并没有真正出现在浏览器中(就像使用隐式授予类型一样).

Using SaveTokens the middleware stores the tokens in the cookie along with a users claims. Whilst this cookie might be stored in a browser it's protected so only that application can read it. The browser or client side code cannot read the cookie. So they're not really ending up in the browser (like they would using the implicit grant type).

否则，您需要做的是创建一个令牌存储，按身份验证的用户或会话查找令牌.

Otherwise what you would need to do is create a token store, looking up tokens either by authenticated user or by session.

ASP.NET Core Identity有一个表，用于存储您可能希望使用的用户的令牌，但这意味着您的所有应用程序都必须与ASP.NET Identity库集成，并且任何人都可以访问令牌应用程序.

ASP.NET Core Identity has a table for storing tokens for a user you could look into using, but then this would mean all of your applications have to integrate with the ASP.NET Identity library and a token could be accessed by any app.

这篇关于SaveTokens = OpenIdConnect中间件中的真正愚蠢?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！