OAuth Bearer Access Token sliding expiration


Problem description

Let's suppose that we're using OAuth Bearer tokens to secure our API. There is a NuGet package with OWIN middleware that will do it for us: https://www.nuget.org/packages/Microsoft.Owin.Security.OAuth.

Everything looks great until the question of access token expiration comes up: we don't want to force users to re-login over and over again. As far as I understand, there are three basic ways:

  1. Make the Access Token expiration time very big (1 month, for instance)
  2. Use OAuth Refresh Tokens, which adds many difficulties to both the Authentication Server and the user application code (described in the following article: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/)

I'm curious: is it possible to create an endpoint that requires an access token that is about to expire and just answers with a new access token, to simulate a kind of sliding expiration for OAuth Access Tokens?

Recommended answer

WARNING! Here is a solution that NO ONE SHOULD USE if you're not 100% sure that your application guarantees that the Access Token cannot be compromised (for instance, an XSS vulnerability allows stealing the Access Token). In this solution, once the Access Token is leaked it can be used to indefinitely prolong access. OAuth Refresh Tokens solve exactly this problem, limiting access in case of a compromised Access Token to a very short amount of time, usually about 15 minutes.

using System;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Infrastructure;   // SystemClock
using Microsoft.Owin.Security;         // AuthenticationTicket, AuthenticationProperties

// [Authorize] means the caller must present a still-valid bearer token;
// the endpoint answers with a fresh one carrying the same identity.
[Authorize]
public class RefreshTokenController : ApiController
{
    [HttpGet]
    public HttpResponseMessage ReissueToken()
    {
        // just use old identity
        var identity = ((ClaimsPrincipal)User).Identity as ClaimsIdentity;

        var ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
        DateTimeOffset currentUtc = new SystemClock().UtcNow;

        // new 30-minute window starting now
        ticket.Properties.IssuedUtc = currentUtc;
        ticket.Properties.ExpiresUtc = currentUtc.AddMinutes(30);

        // Startup.OAuthBearerAuthOptions is the static OAuthBearerAuthenticationOptions
        // instance registered in Startup; the same AccessTokenFormat that validates
        // incoming tokens is used to protect (sign/encrypt) the new one.
        string token = Startup.OAuthBearerAuthOptions.AccessTokenFormat.Protect(ticket);

        return new HttpResponseMessage(HttpStatusCode.OK)
        {
            Content = new ObjectContent<object>(new
            {
                accessToken = token,
                expiresIn = (int)((ticket.Properties.ExpiresUtc.Value - ticket.Properties.IssuedUtc.Value).TotalSeconds),
            }, Configuration.Formatters.JsonFormatter)
        };
    }
}
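The answer's warning is that a leaked token can be renewed forever. The following is an added example (not the answerer's code) showing one way to bound that damage: the re-issue endpoint records the time of the original login in a claim and refuses to renew, or to issue a token expiring, past an absolute session lifetime. It assumes the same static `Startup.OAuthBearerAuthOptions` as the answer; the claim name `session_start_utc`, the 30-minute sliding window and the 8-hour absolute cap are hypothetical policy values chosen for illustration.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Infrastructure;   // SystemClock
using Microsoft.Owin.Security;         // AuthenticationTicket, AuthenticationProperties

[Authorize]
public class BoundedRefreshTokenController : ApiController
{
    // Hypothetical claim carrying the UTC time of the original login (ISO 8601 "o" format).
    private const string SessionStartClaim = "session_start_utc";

    // Assumed policy: each token lives 30 minutes, but no chain of re-issued tokens
    // may extend a session beyond 8 hours from the first login.
    private static readonly TimeSpan SlidingWindow = TimeSpan.FromMinutes(30);
    private static readonly TimeSpan AbsoluteLifetime = TimeSpan.FromHours(8);

    [HttpGet]
    public IHttpActionResult ReissueToken()
    {
        var identity = ((ClaimsPrincipal)User).Identity as ClaimsIdentity;
        if (identity == null)
        {
            return Unauthorized();
        }

        DateTimeOffset now = new SystemClock().UtcNow;

        // First re-issue stamps the session start; later re-issues carry it forward unchanged,
        // so the cap is measured from the original login, not from the last renewal.
        Claim startClaim = identity.FindFirst(SessionStartClaim);
        DateTimeOffset sessionStart = startClaim != null
            ? DateTimeOffset.Parse(startClaim.Value, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind)
            : now;

        DateTimeOffset hardExpiry = sessionStart + AbsoluteLifetime;
        if (now >= hardExpiry)
        {
            // Absolute lifetime reached: a leaked token cannot be renewed any further;
            // the caller has to authenticate again through the normal login flow.
            return Unauthorized();
        }

        // Copy the caller's claims, replacing any previous session-start claim.
        var newIdentity = new ClaimsIdentity(
            identity.Claims.Where(c => c.Type != SessionStartClaim),
            identity.AuthenticationType);
        newIdentity.AddClaim(new Claim(SessionStartClaim, sessionStart.ToString("o")));

        var ticket = new AuthenticationTicket(newIdentity, new AuthenticationProperties());
        ticket.Properties.IssuedUtc = now;

        // The new token slides forward by one window but never past the absolute cap.
        DateTimeOffset slidingExpiry = now + SlidingWindow;
        ticket.Properties.ExpiresUtc = slidingExpiry < hardExpiry ? slidingExpiry : hardExpiry;

        // Same static options instance the answer relies on (assumed to exist in Startup).
        string token = Startup.OAuthBearerAuthOptions.AccessTokenFormat.Protect(ticket);

        return Ok(new
        {
            accessToken = token,
            expiresIn = (int)(ticket.Properties.ExpiresUtc.Value - now).TotalSeconds
        });
    }
}
```

Because the session-start claim is inside the protected ticket, a client cannot alter it without breaking the token's signature, so the cap holds even against a caller who holds a stolen token. This still does not revoke a leaked token before its current window ends; refresh tokens with server-side revocation remain the stronger design the answer points to.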
