Identity Server 4 - how to solve Access Token still valid after client Logout?


Problem description


We are trying to integrate Identity Server 4 (IDSV4) with our Mvc Client and WebApi2 clients.

We found out that the access token is still valid and can be used to consume services from WebApi2 even after the user has logged out from both the client and IDSV4.

I don't know how I can force it to become invalid as soon as the user has logged out.

Here are the steps to reproduce this behaviour:

  1. Open Mvc Client and Login to IDSV4
  2. Get the Access token by using await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken)
  3. Copy the AccessToken and access the WebApi2 by using that token (it works and we can see the validation step between Api and IDSV4)

  4. I Logout from IDSV4 and Client by using the following:

    await HttpContext.SignOutAsync("Cookies");
    await HttpContext.SignOutAsync("oidc");

    If we refresh the web page on Mvc Client, we can see that the user has logged out.

  5. Repeat step 3 and send a request to WebApi2 again using the same AccessToken. It still works because it doesn't do the token validation again.

IMO, this is a security issue because we use that access token in AJAX calls, and users can see that token if they use the browser tools and repeat the same requests even after logging out.

Here is the code to integrate my WebApi2 with IDSV4:

    using IdentityServer4.AccessTokenValidation;
    using Microsoft.Extensions.DependencyInjection;

    // Startup.ConfigureServices of the WebApi2 project
    services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "http://idsv.url";  // base URL of IDSV4
            options.ApiName = "api1";               // audience / scope this API expects
        });

I tried to set options.CacheDuration to ZERO, but still the same behaviour.

Could you suggest how I could prevent it or force my Api to re-validate when the user has logged out? Is there any way to notify the Api that the specific token is no longer valid?

Solution

There is no way to revoke an access token. You can use a reference token instead, which has a different flow, and you can revoke it. This is also the reason you should generate access tokens with a short lifetime. When you are using an HTTPS connection, there is no way to steal the access token along the way.
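The answer's suggestion in working form, as an added example that is not part of the original post or of the IdentityServer4 project: the IdentityServer client definition switched to reference tokens with a short lifetime, the API configured with an ApiSecret so that IdentityServer4.AccessTokenValidation validates tokens through the introspection endpoint, and the MVC client's logout action revoking the token (via the IdentityModel client library) before signing out. It targets IdentityServer4 2.x/3.x; the client id, secrets, URLs and scope name are assumed placeholders.

```csharp
// Added example, not code from the original question or answer.
// Assumed: IdentityServer4 2.x/3.x, IdentityServer4.AccessTokenValidation, IdentityModel.
// Client id, secrets, URLs and scope name below are illustrative placeholders.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.AccessTokenValidation;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// --- 1. IdentityServer configuration: issue reference tokens instead of JWTs ---
public static class IdsConfig
{
    public const string ApiSecret = "api1-introspection-secret"; // assumed

    public static ApiResource Api1() =>
        new ApiResource("api1", "Sample API")
        {
            // The API must authenticate to the introspection endpoint.
            ApiSecrets = { new Secret(ApiSecret.Sha256()) }
        };

    public static Client MvcClient() =>
        new Client
        {
            ClientId = "mvc",                                      // assumed
            ClientSecrets = { new Secret("mvc-secret".Sha256()) }, // assumed
            AllowedGrantTypes = GrantTypes.Hybrid,
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
            AllowedScopes = { "openid", "profile", "api1" },
            // The two settings that change the behaviour described in the question:
            AccessTokenType = AccessTokenType.Reference, // opaque handle, checked by introspection
            AccessTokenLifetime = 300                    // seconds; keep it short regardless
        };
}

// --- 2. API (WebApi2) configuration: validate reference tokens via introspection ---
public static class ApiStartup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache(); // backing store for introspection caching

        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://idsv.url";  // assumed
                options.ApiName = "api1";
                options.ApiSecret = IdsConfig.ApiSecret; // turns on the introspection path
                // A revoked token stays accepted until its cached introspection result
                // expires, so the cache window bounds how fast logout takes effect.
                options.EnableCaching = true;
                options.CacheDuration = TimeSpan.FromMinutes(1);
            });
    }
}

// --- 3. MVC client: revoke the access token, then sign out locally and at IDSV4 ---
public class AccountController : Controller
{
    private readonly IHttpClientFactory _httpClientFactory;

    public AccountController(IHttpClientFactory httpClientFactory)
        => _httpClientFactory = httpClientFactory;

    public async Task Logout()
    {
        var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
        if (!string.IsNullOrEmpty(accessToken))
        {
            var http = _httpClientFactory.CreateClient();
            var response = await http.RevokeTokenAsync(new TokenRevocationRequest
            {
                Address = "https://idsv.url/connect/revocation", // IdentityServer revocation endpoint
                ClientId = "mvc",
                ClientSecret = "mvc-secret",
                Token = accessToken,
                TokenTypeHint = "access_token"
            });
            if (response.IsError)
            {
                // The session is torn down either way; record the failure for investigation.
                Console.Error.WriteLine($"Token revocation failed: {response.Error}");
            }
        }

        await HttpContext.SignOutAsync("Cookies");
        await HttpContext.SignOutAsync("oidc");
    }
}
```

Two practical points. First, with the original JWT configuration the API validates the token locally (signature against the discovered keys, expiry, audience) and never asks IdentityServer, which is why CacheDuration had no visible effect; with a reference token the API has nothing to check locally and must call introspection, so a revoked token is rejected as soon as the cached result expires. Second, IdentityServer's revocation endpoint only accepts reference access tokens and refresh tokens; if the client also requests offline_access, revoke the refresh token in the same logout action, otherwise a new access token can be obtained after logout.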

