IdentityServer4强制用户重新输入凭据

本文介绍了IdentityServer4强制用户重新输入凭据的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我正在使用IdentityServer4和MVC客户端.当客户端会话期满时，我希望我的用户被迫再次登录.但是，无论我做什么，IdentityServer似乎都会在会话结束时自动将用户重新登录.

I am using IdentityServer4 and an MVC client. When the clients session expires I want my users to be forced to login again. However no matter what I do IdentityServer seems to automatically log the user back in when the session ends.

我在客户端的启动时间为(会话需要30秒才能测试)

My Startup in the client is (session is 30 seconds to test)

services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";                                                
        })
            .AddCookie("Cookies", options => { options.ExpireTimeSpan = new TimeSpan(0, 0, 30); })
            .AddOpenIdConnect("oidc", options =>
            {
                options.SignInScheme = "Cookies";

                options.Authority = identityUrl;
                options.RequireHttpsMetadata = false;

                options.SaveTokens = true;                  
                options.GetClaimsFromUserInfoEndpoint = true;

                options.Scope.Add("Billing");
                options.Scope.Add("offline_access");

                options.UseTokenLifetime = false;                   
            });

然后我在IdentityServer中的配置如下:

Then my config in IdentityServer is as follows:

new Client
            {
                ClientId = "Test",
                ClientName = "Test",
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                AlwaysIncludeUserClaimsInIdToken = true,

                RequireConsent = false,

                IdentityTokenLifetime = 30,
                AccessTokenLifetime = 30,

                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },              

                RedirectUris = { billingUrl + "/signin-oidc" },
                PostLogoutRedirectUris = { billingUrl + "/signout-callback-oidc" },

                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "Billing",
                    "role",
                    "VisionBlue.Cloud.BillingAPI"
                },

                AllowOfflineAccess = true
            },

使用提琴手，我可以看到30秒后，一个请求被发送到IdentityServer上的/connect/authorize上，该服务器自动重新登录用户.

Using fiddler I can see after 30 seconds a request is sent to /connect/authorize on the IdentityServer which is automatically logging the user in again.

有什么想法吗?我已将所有超时设置为30秒作为测试.

Any ideas? I have set all timeouts to 30 seconds as a test.

推荐答案

在授权请求上使用prompt=login的OpenID Connect参数( https://openid.net/specs/openid-connect-core -1_0.html#AuthRequest ).这将告诉IdentityServer您希望用户重新认证，而不是使用SSO或IdentityServer会话长度.

Use the OpenID Connect parameter of prompt=login on your authorization request(https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). This will tell IdentityServer that you want the user to re-authenticate instead of using SSO or IdentityServer session length.

您应该可以在OpenIdConnectOptions中使用ASP.NET Core来做到这一点:

You should be able to do this in ASP.NET Core using in your OpenIdConnectOptions:

options.Events.OnRedirectToIdentityProvider = context =>
{
    context.ProtocolMessage.Prompt = "login";
    return Task.CompletedTask;
};

不过，可能有一种更简单的方法来设置它.

There might be an easier way to set this though.

这篇关于IdentityServer4强制用户重新输入凭据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！