OWIN authentication, expire current token and remove cookie


Question


I have an OWIN middleware for authentication. We have two types of authentication in place. The first type is a bearer token using the following configuration:

var OAuthOptions =  new OAuthAuthorizationServerOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        AllowInsecureHttp = true,
        AccessTokenFormat = new SecureTokenFormatter(GetMachineKey())
    };

And the second type uses an authentication cookie for external login:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
    AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.SameAsRequest,
    CookieName = ".AspNet." + DefaultAuthenticationTypes.ExternalCookie,
    ExpireTimeSpan = TimeSpan.FromMinutes(5),
    TicketDataFormat = new SecureTokenFormatter(GetMachineKey())
});

When the user logs out, we actually issue two logouts:

Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);

And

Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ExternalBearer);

With the first one, I am expecting to see the .AspNet.ExternalCookie cookie deleted from the browser, which it is not. With the second one, I am expecting to get my token invalidated and User.Current.Identity = null, which it is not.

So how can I 1) physically log out the current identity for the current session? 2) remove the external cookie from the browser?

Solution

I had the same issue you had, and after 3 days of searching I found the answer (sort of...).

Try ONE (and only one) of these code lines in your log out. (They all worked for me, and I'm using the first one, but the more examples the better, right?)

Request.GetOwinContext().Authentication.SignOut();

Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

The problem is well described in this article, but it does not provide a working fix (at least for me it didn't): http://coding.abel.nu/2014/11/catching-the-system-webowin-cookie-monster/
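A logout action for the configuration shown in the question, as an added example that is not part of the original question or answer. It assumes a Web API controller (the `AccountController` name is hypothetical), the default cookie path `/`, and that the access tokens are self-contained protected tickets with no server-side state.

```csharp
using System.Net.Http;            // GetOwinContext() extension for HttpRequestMessage
using System.Web.Http;
using Microsoft.AspNet.Identity;  // DefaultAuthenticationTypes
using Microsoft.Owin;

// Hypothetical controller name; only the Logout body matters here.
public class AccountController : ApiController
{
    // Same cookie name the question sets in CookieAuthenticationOptions.CookieName.
    private const string ExternalCookieName =
        ".AspNet." + DefaultAuthenticationTypes.ExternalCookie;

    [HttpPost]
    public IHttpActionResult Logout()
    {
        IOwinContext ctx = Request.GetOwinContext();

        // 1) Ask the passive cookie middleware to clear its ticket.
        //    It does so by emitting an expired Set-Cookie when the response is sent.
        ctx.Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);

        // 2) Also expire the cookie explicitly, so the browser still receives an
        //    expired Set-Cookie if the middleware's own header is lost.
        //    Path must match the path the cookie was issued with; "/" is the
        //    CookieAuthenticationOptions default (assumed unchanged here).
        ctx.Response.Cookies.Delete(ExternalCookieName, new CookieOptions { Path = "/" });

        // 3) Bearer tokens: SignOut(ExternalBearer) has nothing to delete.
        //    Assuming the token is a self-contained protected ticket, the server
        //    keeps no record of it, so a copy of the token is accepted until
        //    AccessTokenExpireTimeSpan (14 days in the question) runs out.
        //    The client must discard its copy; shortening the lifetime or adding
        //    a server-side revocation check is what limits exposure after logout.
        return Ok();
    }
}
```

After calling the action, check the response in the browser's network tab: there should be a `Set-Cookie` header for `.AspNet.ExternalCookie` with an expiry date in the past.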
