IdentityServer和Asp.net MVC [英] IdentityServer and Asp.net MVC

问题描述

我正在构建一个应用程序，它是一个在后端具有Asp.net mvc控制器的Javascript SPA.我正在尝试使用IdentityServer进行身份验证.我在控制器上拥有了authorize属性.我的要求之一是用户会话应在一定时间内过期(如果没有活动，则应提示用户登录).由于安全限制，隐式流程对我不起作用.我抓住了Identity4示例 https://github.com/IdentityServer/IdentityServer4.Samples 并尝试使用cookie身份验证中间件，设置ExpireTimeSpan以查看cookie是否过期.即使在指定的时间期限到期后，我仍然可以调用控制器.如何使用Identity Server和Asp.net mvc完成类似于asp.net会话超时的操作?

I am building an app, which is a Javascript SPA with Asp.net mvc controllers in the backend. I am trying to use IdentityServer for authentication. I have authorize attribute on my controllers. One of the requirements I have is that the user's session should be expired in a certain amount of time(if no activity, user should be prompted to login). The implicit flow does not work for me because of security restrictions. I grabbed the Identity4 samples https://github.com/IdentityServer/IdentityServer4.Samples and tried using the cookieauthentication middleware, setting the ExpireTimeSpan to see if that expires the cookie. Somehow even after the expiration of the timespan specified, I am still able to make a call into the controllers. How can I accomplish something similar to a asp.net session timeout with Identity Server and Asp.net mvc?

推荐答案

已知问题，请参见 https ://github.com/aspnet/Security/pull/893 ，已针对1.1.0进行了修复.

It is known issue see https://github.com/aspnet/Security/pull/893, fixed for 1.1.0.

等待1.1.0版本或使用OnTokenValidated设置过期属性:

Wait 1.1.0 version or use OnTokenValidated to set expire property:

OnTokenValidated = async (context) =>
{
     context.Properties.ExpiresUtc = <expire>;
     await Task.FromResult(0);
}

另请参阅其他解决方案: https://github.com/aspnet/安全性/问题/855#issuecomment-229495399

Also see for another solution: https://github.com/aspnet/Security/issues/855#issuecomment-229495399

这篇关于IdentityServer和Asp.net MVC的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！