Access token revocation implementation in OAuth 2


Problem description

I've used OWIN OAuth 2 to implement my Authorization Server Provider. Now, I want to implement token revocation (when my client application wants to log out).
Can anybody help me and tell me how to implement token revocation in OWIN Katana OAuth 2? Are there some good practices for it?

Recommended answer

There are two kinds of token involved in OAuth 2.0. One is the access token and the other is the refresh token.

For refresh tokens, I really recommend Token Based Authentication using ASP.NET Web API 2, Owin, and Identity, written by Taiseer Joudeh. He provides a step-by-step tutorial on setting up token-based authentication, including revoking refresh tokens.

For access tokens, I use a black list to store revoked access tokens. When a user logs out, I add the user's current access token to the black list. When a new request comes in, I first check whether its access token is in the black list. If yes, reject the request; otherwise let the OAuth component do the validation.

以下是一些实现细节:

I use a cache as the black list and set each cache item's expiration to the access token's expiration. The cache item (access token) is removed from the black list automatically after it expires. (We don't need to keep the access token in the black list after it expires: once the token has expired, whether or not it is in the black list, it can't pass the OAuth validation mechanism.)

The following code shows how to reject a request if its access token is in the black list.

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
{
    Provider = new OAuthBearerAuthenticationProvider()
    {
        OnRequestToken = context =>
        {
            // A revoked token is blanked so the middleware treats the request as unauthenticated
            if (blackList.Contains(context.Token))
            {
                context.Token = string.Empty;
            }

            return Task.FromResult<object>(null);
        }
    }
});

What I do is, if I find the access token in the black list, I set the access token to an empty string. Later, when the OAuth component tries to parse the token, it finds that the token is empty. Definitely, an empty string isn't a valid token, so it will reject the request, just like when you send a request with an invalid access token.
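The black list with token-lifetime expiry described above, as an added example that is not part of the answer's own code: `RevokedAccessTokens`, `RevokeCurrentAsync`, the cache name and the hashing of tokens before storage are my assumptions, built on `System.Runtime.Caching.MemoryCache` and the Katana `AuthenticateAsync` API.

```csharp
using System;
using System.Runtime.Caching;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;

// Black list of revoked access tokens. Each entry expires when the token itself would,
// so the list only ever holds revoked tokens that are still within their lifetime.
public static class RevokedAccessTokens
{
    private static readonly MemoryCache Cache = new MemoryCache("RevokedAccessTokens");

    // Key on a SHA-256 hash so a dump of the cache does not yield usable bearer tokens.
    private static string Key(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    public static void Revoke(string token, DateTimeOffset expiresUtc)
    {
        Cache.Set(Key(token), true, expiresUtc); // absolute cache expiry == token expiry
    }

    public static bool IsRevoked(string token)
    {
        return Cache.Contains(Key(token));
    }

    // Logout handler (hypothetical name): revokes the token that authenticated this request.
    // The bearer middleware has already validated it, so its ExpiresUtc can be trusted.
    public static async Task RevokeCurrentAsync(IOwinContext context)
    {
        var auth = await context.Authentication.AuthenticateAsync(OAuthDefaults.AuthenticationType);
        var header = context.Request.Headers.Get("Authorization") ?? string.Empty;
        if (auth == null || auth.Properties.ExpiresUtc == null ||
            !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 401; // no valid bearer token: nothing to revoke
            return;
        }
        Revoke(header.Substring("Bearer ".Length).Trim(), auth.Properties.ExpiresUtc.Value);
        context.Response.StatusCode = 204;
    }
}
```

Call `RevokedAccessTokens.IsRevoked(context.Token)` inside the `OnRequestToken` callback shown above, and map a logout route with `app.Map("/logout", b => b.Run(RevokedAccessTokens.RevokeCurrentAsync))`. A second logout with the same token gets 401, because the callback has already blanked it before `AuthenticateAsync` runs.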
