使用 oauth provider 在不同机器上同时登录 [英] Simultaneous login on different machines using oauth provider

问题描述

正如我在此处所述:

我正在构建一个服务，其中我从 SocialBootstrapApi 借用了代码.不过，我特别使用 Linkedin oauth2 提供程序.

I am building a service where I have code borrowed from the SocialBootstrapApi. I am specfically using the Linkedin oauth2 provider though.

我对单个用户没有任何抱怨 - 代码运行良好，但如果同一用户同时从两台不同的机器登录(使用相同的linkedin 帐户)，则原始登录访问令牌将失效.当用户保持登录状态时(因为会话 cookie 已经存在)，如果用户执行使用过期访问令牌的操作来执行需要linkedin api 调用的任务，则调用将失败并显示无效访问令牌错误.显然我明白这背后的原因，但我不知道如何纠正它.在这个移动优先的世界中，我们拥有如此多的设备，而且一台设备无法从另一台设备上注销用户.

I have no complaints for a single user - the code works nicely, but if the same user logs in simultaneously from two differen machines (using the same linkedin account) the original logins access token is invalidated. While the user stays logged in (because session cookies are already in place) if the user performs an action that uses the expired access token to perform a task that requires a linkedin api call, the call fails with an invalid access token error. Obviously I understand the reason behinds this, but I am not sure how to rectify it. In this mobile first world, we have so many devices and one device can't logoff a user from another device.

那么，我是否应该每次在执行 api 调用之前从 UserAuthDetails 表中重新获取访问令牌，以防它已失效?或者，这不应该在缓存中更新，下次访问访问令牌时，因为缓存已更新，所以提供刷新的令牌吗?

So, should I re-get the access token from the UserAuthDetails table everytime before I perform an api call just in case it has been invalidated? Or, shouldn't this be updated in the cache and next time the access token is accessed, the refreshed one is served because the cache has been updated?

谢谢

推荐答案

最简单的选项(也是我首选的解决方案)是在进行 API 调用之前从 IAuthRepository 获取访问令牌.IAuthRepository.GetUserAuthDetails() 将返回包含访问令牌的 UserAuthDetails.

The easiest option (and my preferred solution) is to just fetch the access tokens from the IAuthRepository before making the API call. IAuthRepository.GetUserAuthDetails() will return the UserAuthDetails that contains the access tokens.

这可以通过在访问 UserAuth 后端数据存储之前首先尝试在会话上使用访问令牌来稍微优化，尽管因为所需的对内部数据存储的简单数据库调用的成本可能会比调用远程服务(即 LinkedIn API) - 优化可能不值得.但是，如果您采用这种方法，我会使用新的访问令牌更新用户会话，以便下次可以使用缓存中的新令牌.

This can be slightly optimized by first attempting to use the access tokens on the session before hitting the UserAuth backend datastore, although as it's likely the cost of the required simple db call to a internal datastore is going to be a lot less than the call to a remote service (i.e. LinkedIn API's) - the optimization may not be worth it. But if you're going with this approach I'd update the Users Session with the fresh access tokens so next time the fresh tokens from the cache can be used.

从不同浏览器、个人电脑、设备等进行身份验证的用户每个都有自己的会话，这只是 AuthUserSession POCO 存储在 ServiceStack 的会话 Cookie，即它们不共享相同的缓存，因此对用户会话之一的更改不会影响任何其他用户会话.

Users authenticating from different browsers, pc's, devices, etc are each given their own session which is just the AuthUserSession POCO's stored in the registered ICacheClient referenced by ServiceStack's Session Cookies, i.e. they don't share the same Cache so changes to one of the users session doesn't affect any other Users Sessions.

这篇关于使用 oauth provider 在不同机器上同时登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！