New access token request invalidates all previous tokens in WSO2 IS


Problem description


We need a user of our application to be able to login from multiple browsers/devices simultaneously with WSO2 IS. Currently we're using OAuth2 implicit grant flow.

  1. User authenticates first time. He gets access token #1.
  2. Same user authenticates in second browser or device (same user, same client application/service provider, same scope=openid). He gets access_token #2.
  3. After some time (about five min.) token #1 becomes invalid and the user is redirected to the login page.

Is it expected behaviour of WSO2 IS? As per https://is.docs.wso2.com/en/5.10.0/learn/issuing-new-tokens-per-request/ Identity Server by default should return the same token on every request, but it does not.

Is it possible to either return the same access token on every new request for the same user+client+scope or have multiple tokens valid simultaneously?

I've tried to issue several tokens with Authorization code grant. It's worse. After issuing new token previous one is revoked immediately.

EDIT

After more accurate testing it appeared that with both flows the next issued access token expires the previous one.

API calls used:

https://idm.local/oauth2/authorize?response_type=token&scope=openid%20profile&redirect_uri=https://site/&client_id=xxx

Example tokens. As you can see, the expiration time is 10 days.

#1
{
  "sub": "u@u.uu",
  "aud": "xxx",
  "nbf": 1610816073,
  "azp": "xxx",
  "scope": "openid profile",
  "iss": "https://idm.passport.local:9443/oauth2/token",
  "groups": [
    "ROLE_DASHBOARD",
    "Internal/everyone"
  ],
  "exp": 1611680073,
  "iat": 1610816073,
  "jti": "46ec375e-cb51-4695-869a-07bb737e8de8",
  "email": "u@u.uu"
}
#2
{
  "sub": "u@u.uu",
  "aud": "xxx",
  "nbf": 1610816249,
  "azp": "xxx",
  "scope": "openid profile",
  "iss": "https://idm.passport.local:9443/oauth2/token",
  "groups": [
    "ROLE_DASHBOARD",
    "Internal/everyone"
  ],
  "exp": 1611680249,
  "iat": 1610816249,
  "jti": "94eadf4e-8554-414b-9244-26418f78bf77",
  "email": "u@u.uu"
}

At this time an introspection call for token #1 returns {"active":false}

EDIT 2

This situation is observed when "Token issuer" is set to JWT in the Service Provider settings. If I change the setting to "Default" then IS starts returning the same access_token on every request, as expected.
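The question's two token payloads and the introspection result illustrate a point worth seeing in code: a self-contained JWT carries an exp claim 10 days out, so a resource server that validates only the claims locally would keep accepting token #1 long after the server revoked it. The following added example (not code from the question, the answer, or WSO2) re-encodes the two payloads posted above as base64url JWT payload segments, decodes them, computes their lifetime, and compares a claims-only check with a decision that also consults introspection. The introspection responses are a constructed stand-in keyed by jti, not a call to a real endpoint, and signature verification is deliberately out of scope.

```python
import base64
import json

# Payloads copied from the question (token #1 and token #2).
TOKEN_1_CLAIMS = {
    "sub": "u@u.uu", "aud": "xxx", "nbf": 1610816073, "azp": "xxx",
    "scope": "openid profile",
    "iss": "https://idm.passport.local:9443/oauth2/token",
    "groups": ["ROLE_DASHBOARD", "Internal/everyone"],
    "exp": 1611680073, "iat": 1610816073,
    "jti": "46ec375e-cb51-4695-869a-07bb737e8de8", "email": "u@u.uu",
}
TOKEN_2_CLAIMS = {
    "sub": "u@u.uu", "aud": "xxx", "nbf": 1610816249, "azp": "xxx",
    "scope": "openid profile",
    "iss": "https://idm.passport.local:9443/oauth2/token",
    "groups": ["ROLE_DASHBOARD", "Internal/everyone"],
    "exp": 1611680249, "iat": 1610816249,
    "jti": "94eadf4e-8554-414b-9244-26418f78bf77", "email": "u@u.uu",
}

# Constructed stand-in for the introspection endpoint: mirrors what the
# question reports (token #1 inactive after token #2 was issued).
INTROSPECTION_RESPONSES = {
    TOKEN_1_CLAIMS["jti"]: {"active": False},
    TOKEN_2_CLAIMS["jti"]: {"active": True},
}


def encode_payload_segment(claims):
    """Serialize claims as an unpadded base64url JWT payload segment."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload_segment(segment):
    """Decode a base64url payload segment, restoring the stripped padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def lifetime_seconds(claims):
    """Token lifetime as the issuer encoded it (exp - iat)."""
    return claims["exp"] - claims["iat"]


def claims_only_valid(claims, now, expected_aud="xxx"):
    """What a resource server sees if it trusts the JWT alone."""
    return claims["nbf"] <= now < claims["exp"] and claims["aud"] == expected_aud


def authorize(segment, now, introspection=INTROSPECTION_RESPONSES):
    """Combine the local claims check with the issuer's revocation state.

    Returns a dict so a caller can log why a token was rejected; 'accept'
    is True only when both the claims and the introspection result agree.
    """
    claims = decode_payload_segment(segment)
    local_ok = claims_only_valid(claims, now)
    active = introspection.get(claims["jti"], {"active": False})["active"]
    return {
        "jti": claims["jti"],
        "claims_ok": local_ok,
        "introspection_active": active,
        "accept": local_ok and active,
    }


if __name__ == "__main__":
    # A moment shortly after token #2 was issued, while both exp values are far away.
    now = 1610816300
    for claims in (TOKEN_1_CLAIMS, TOKEN_2_CLAIMS):
        print(lifetime_seconds(claims) // 86400, "days lifetime")
        print(authorize(encode_payload_segment(claims), now))
```

Running it shows both tokens with a 10-day lifetime and token #1 passing the claims-only check while introspection reports it inactive, which is exactly the mismatch the question describes; a resource server that wants to honour the server-side revocation has to consult introspection (or use short-lived tokens), since nothing in the JWT itself changes when a newer one is issued.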

Solution

This is the expected behavior for JWT access token. Whenever we request a new access token, old tokens will get revoked. But we can easily achieve your use case by selecting the sso-binding type for the access token.

With this, your access token will be bound to the session and enables you to have multiple valid access tokens simultaneously for different browsers/devices.

Now check the authorization code grant type (Note: test this in different browsers. If you use the same browser you will always get a new token)

FYI, if you really want to use a single token until it expires then you have to switch to the opaque access token. Refer https://is.docs.wso2.com/en/5.10.0/learn/issuing-new-tokens-per-request/#! to know more about opaque token behavior.

