Web API 2, OWIN Authentication, SignOut doesn't logout

Problem description

I'm doing some research for work with a view to using Bearer tokens as an authentication mechanism (i.e. AngularJS UI, authenticates via OWIN in a Web API [2] project).

I have the login working fine, role information and all that is fine, but I cannot get the token to logout.

My startup configuration is this:

// Token endpoint at /Token. AllowInsecureHttp lets it answer over plain HTTP,
// which is only acceptable in local development: bearer tokens must otherwise travel over TLS.
OAuthOptions = new OAuthAuthorizationServerOptions() {
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AccessTokenExpireTimeSpan = SESSION_TIMEOUT,
    AllowInsecureHttp = true
};

And my logout action is simply this:

public HttpResponseMessage Logout() {
    // Ask the OWIN authentication manager to sign the bearer identity out
    var authentication = HttpContext.Current.GetOwinContext().Authentication;
    authentication.SignOut(DefaultAuthenticationTypes.ExternalBearer);

    return new HttpResponseMessage(HttpStatusCode.OK);
}

I've left all the authentication stuff out for brevity, but to confirm I am using ExternalBearer when setting up the token.

In my UI I'm storing the token in local storage (no cookies are involved here, which is a deliberate design decision). So I have a logout button on my UI, the Logout action is hit and the code runs fine.

However if I subsequently hit an action on the API which requires authorisation, the request still goes through (i.e. the user is still authenticated even though they should have been signed out).

Either I'm missing something really obvious (wouldn't be the first time ;-) or there's something more fundamental going on here - finally I'm pinging @leastprivilege as I know this is their area.

Any help or insight would be gratefully received.

Only thing I can think of is that the token is stateless on the server/API side and hence can't be expired or signed out.

If that is the case I guess I could either:

a) Add a refresh token which creates a new token that expires in the past - would this even work? - actually cancel that, it would issue a new token ... the old one would still be valid

b) Store the bearer token in the database and check each time, removing the token on logout (naturally salted, hashed, etc). However this is just bringing us back to having a stateful server.

c) I can (and will) be removing the token from local storage when someone explicitly logs out, however the token is still technically valid if a baddy can intercept the token. Naturally all the above will be over SSL anyway, which should inhibit the bad guys/girls.

d) Perhaps this is why lots of people are storing the Bearer token in a cookie (as a storage mechanism) so once you logout at least the cookie will be removed on the next refresh.

Sorry, the above is a bit of a brain dump, just trying to pre-empt the questions.

Recommended answer

Since OAuth is not an authentication protocol, there is no notion of signout. Delete the access token on the client - that's all you can do.

If you want to invalidate the token on the server side, add a unique id to it and keep track in your service - you would need to manually build something like that.
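The answer's suggestion, a unique id inside the token that the service tracks, worked through for the OWIN/Katana stack used in the question. This is an added example, not code from the question, the answer, or the Katana project. Assumptions: the class names, the in-memory `RevokedTokens` store, the 20-minute token lifetime, and `System.Web.Security.Membership.ValidateUser` standing in for the application's own credential check.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Security;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Assumed in-memory revocation list (not from the original post). It holds only the ids of
// tokens that were logged out, and only needs them until the token would have expired anyway;
// a multi-node deployment would back this with a shared cache or database.
public static class RevokedTokens
{
    private static readonly ConcurrentDictionary<string, DateTimeOffset> Store =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public static void Revoke(string tokenId, DateTimeOffset expiresUtc) { Store[tokenId] = expiresUtc; }

    // Purging entries whose expiry has passed is omitted here; the stored expiry enables it.
    public static bool IsRevoked(string tokenId) { return tokenId != null && Store.ContainsKey(tokenId); }
}

// Issues tokens that carry a unique id claim, as the answer suggests.
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public const string TokenIdClaim = "jti";
    private readonly Func<string, string, bool> _checkCredentials;

    public ApplicationOAuthProvider(Func<string, string, bool> checkCredentials)
    {
        _checkCredentials = checkCredentials;
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // public client (browser app): there is no client secret to check
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!_checkCredentials(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim(TokenIdClaim, Guid.NewGuid().ToString("N"))); // one id per issued token
        context.Validated(identity);
        return Task.FromResult<object>(null);
    }
}

// Runs for every request that presents a bearer token, after the middleware has decrypted the
// ticket and checked its expiry. Rejecting leaves the request anonymous, so [Authorize] returns 401.
public class RevocationCheckingBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        var tokenId = context.Ticket.Identity.FindFirst(ApplicationOAuthProvider.TokenIdClaim);
        if (tokenId == null || RevokedTokens.IsRevoked(tokenId.Value)) context.Rejected();
        return Task.FromResult<object>(null);
    }
}

public partial class Startup
{
    public static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(20); // assumed

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(Membership.ValidateUser), // stand-in credential check
            AccessTokenExpireTimeSpan = TokenLifetime,
            AllowInsecureHttp = false // bearer tokens must only ever cross TLS
        });
        // Wired by hand instead of UseOAuthBearerTokens(...) so the revocation check runs;
        // both middlewares use the same default access token format, so tokens interoperate.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new RevocationCheckingBearerProvider()
        });
    }
}

[Authorize]
public class AccountController : ApiController
{
    [HttpPost]
    public IHttpActionResult Logout()
    {
        var identity = User.Identity as ClaimsIdentity;
        var tokenId = identity == null ? null : identity.FindFirst(ApplicationOAuthProvider.TokenIdClaim);
        // Remember the id until the token would expire on its own; the client still deletes its copy.
        if (tokenId != null) RevokedTokens.Revoke(tokenId.Value, DateTimeOffset.UtcNow.Add(Startup.TokenLifetime));
        return Ok();
    }
}
```

After a POST to Logout, the same bearer token is rejected on the next request even though its signature and expiry are still good, which is the behaviour the question was expecting from SignOut. The trade-off is the one the question's option b) identifies: the API nodes now share a small piece of state. It is far smaller than storing every issued token, since only logged-out ids are kept and each can be dropped once its token's natural expiry passes, but it does mean a lost or unsynchronised store silently reverts to the stateless behaviour. Deleting the token from local storage on the client remains necessary regardless.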
