OWIN SignOut doesn't remove cookie


Question

I am using the OWIN middleware in an external Authentication Server that my applications authenticate to using OAuth Authorisation Code Grant flow.

I can redirect to the Authentication Server, authenticate against an external provider (Google) and redirect back to my client application with a logged in user and Application Cookie set just fine; however, when I try to sign out, the cookie remains after I call the AuthenticationManager.SignOut method.

My cookie options in Startup.Auth.cs are:

var cookieOptions = new CookieAuthenticationOptions
{
    Provider = cookieProvider,
    AuthenticationType = "Application",
    AuthenticationMode = AuthenticationMode.Passive,
    LoginPath = new PathString("/Account/Index"),
    LogoutPath = new PathString("/Account/Logout"),
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(30),
};
app.UseCookieAuthentication(cookieOptions);
app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ExternalCookie);
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

My sign-in method:

var loginInfo = await AuthManager.GetExternalLoginInfoAsync();
// Await the sign-in so it completes before the external cookie is read.
await SignInManager.ExternalSignInAsync(loginInfo, true);
var identity = AuthManager.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie).Result.Identity;

if (identity != null)
{
    // Issue the "Application" cookie from the external identity's claims.
    AuthManager.SignIn(
        new AuthenticationProperties { IsPersistent = true },
        new ClaimsIdentity(identity.Claims, "Application", identity.NameClaimType, identity.RoleClaimType));

    var ticket = AuthManager.AuthenticateAsync("Application").Result;
    // Renamed from "identity", which is already declared in the enclosing scope.
    var appIdentity = ticket != null ? ticket.Identity : null;
    if (appIdentity == null)
    {
        AuthManager.Challenge("Application");
        return new HttpUnauthorizedResult();
    }

    // Sign in a second identity of type "Bearer" carrying the same claims.
    appIdentity = new ClaimsIdentity(appIdentity.Claims, "Bearer", appIdentity.NameClaimType, appIdentity.RoleClaimType);
    AuthManager.SignIn(appIdentity);
}

return Redirect(Request.QueryString["ReturnUrl"]);

Sign-out method:

var authTypeNames = new List<string>();
authTypeNames.Add("Google");
authTypeNames.Add("Application");
authTypeNames.Add("Bearer");
authTypeNames.Add(DefaultAuthenticationTypes.ExternalCookie);

Request.GetOwinContext().Authentication.SignOut(authTypeNames.ToArray());

I have looked at other questions like: OWIN authentication, expire current token and remove cookie and OWIN - Authentication.SignOut() doesn't remove cookies

with no luck. I'm aware I could manually delete the cookie by setting a negative expiry date, but I'd prefer to use the built-in method if possible.

How do I get the Application Cookie to be removed when I Sign Out?

Recommended answer

In order for the SignOut method to flag the authentication ticket (cookie) for removal from the client, the AuthenticationType parameter you pass into the SignOut method and the value on the cookie must match exactly. If you want to remove more than one authentication ticket from the client then you'll have to match ALL of those AuthenticationTypes and pass those as a string[] to the SignOut method.

The AuthenticationType of an authentication ticket is usually prefixed with the name of the host web container (i.e. something like ".AspNet.") followed by whatever you bootstrapped your OWIN CookieAuthentication settings with.

It looks like you set your AuthenticationType string value to "Application" in Startup.Auth.cs. Try simply calling:

Request.GetOwinContext().Authentication.SignOut("Application");

If that's not working for you, I would debug your application and take a look at the specific AuthenticationType on the identity for each type of authenticated user your application allows, note the value of the AuthenticationType for each one and try including them all in a string[] in your SignOut call.
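
The matching rule described in the answer can be checked without a browser. The console program below is an added example, not code from the question or the answer: it hosts the cookie middleware in memory with the question's "Application" type and prints the Set-Cookie headers each SignOut call produces. It assumes the Microsoft.Owin.Security.Cookies and Microsoft.Owin.Testing NuGet packages; the class name SignOutCheck and the non-matching type strings are made up for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Testing;
using Owin;

static class SignOutCheck   // hypothetical name, illustration only
{
    // Returns the Set-Cookie headers emitted when SignOut(signOutType) is called
    // against cookie middleware registered as "Application" (as in the question).
    static string[] SetCookiesAfterSignOut(string signOutType)
    {
        using (var server = TestServer.Create(app =>
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "Application",
                AuthenticationMode = AuthenticationMode.Passive
            });
            app.Run(ctx =>
            {
                // The middleware only reacts if this type equals its own.
                ctx.Authentication.SignOut(signOutType);
                return ctx.Response.WriteAsync("signed out");
            });
        }))
        {
            HttpResponseMessage response = server.HttpClient.GetAsync("/").Result;
            IEnumerable<string> values;
            return response.Headers.TryGetValues("Set-Cookie", out values)
                ? values.ToArray()
                : new string[0];
        }
    }

    static void Main()
    {
        // Constructed inputs: one exact match and two near misses.
        foreach (var type in new[] { "Application", "ApplicationCookie", "application" })
        {
            var cookies = SetCookiesAfterSignOut(type);
            Console.WriteLine("SignOut(\"{0}\") -> {1}", type,
                cookies.Length == 0 ? "no Set-Cookie header" : string.Join(" | ", cookies));
        }
    }
}
```

A sign-out that reaches the middleware shows up as a Set-Cookie header that clears the authentication cookie; a call that produces no Set-Cookie header leaves the session cookie valid in the browser until it expires.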
