问题描述
我已经配置了一个 ASOS OpenIdConnect 服务器和一个使用Microsoft.AspNetCore.Authentication.OpenIdConnect"的 asp.net core mvc 应用程序:1.0.0 和"Microsoft.AspNetCore.Authentication.Cookies":1.0.0".我已经测试了授权码"工作流程,一切正常.
I have configured an ASOS OpenIdConnect Server using and an asp.net core mvc app that uses the "Microsoft.AspNetCore.Authentication.OpenIdConnect": "1.0.0 and "Microsoft.AspNetCore.Authentication.Cookies": "1.0.0". I have tested the "Authorization Code" workflow and everything works.
客户端 Web 应用程序按预期处理身份验证,并创建一个 cookie 存储 id_token、access_token 和 refresh_token.
The client web app processes the authentication as expected and creates a cookie storing the id_token, access_token, and refresh_token.
如何强制 Microsoft.AspNetCore.Authentication.OpenIdConnect 在过期时请求新的 access_token?
asp.net core mvc 应用忽略过期的 access_token.
The asp.net core mvc app ignores the expired access_token.
我想让 openidconnect 查看过期的 access_token,然后使用刷新令牌进行调用以获取新的 access_token.它还应该更新 cookie 值.如果刷新令牌请求失败,我希望 openidconnect注销"cookie(删除它或其他东西).
I would like to have openidconnect see the expired access_token then make a call using the refresh token to get a new access_token. It should also update the cookie values. If the refresh token request fails I would expect openidconnect to "sign out" the cookie (remove it or something).
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
AuthenticationScheme = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
ClientId = "myClient",
ClientSecret = "secret_secret_secret",
PostLogoutRedirectUri = "http://localhost:27933/",
RequireHttpsMetadata = false,
GetClaimsFromUserInfoEndpoint = true,
SaveTokens = true,
ResponseType = OpenIdConnectResponseType.Code,
AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet,
Authority = http://localhost:27933,
MetadataAddress = "http://localhost:27933/connect/config",
Scope = { "email", "roles", "offline_access" },
});
推荐答案
asp.net core 的 openidconnect 认证中好像没有编程来管理服务器上收到的 access_token .
It seems there is no programming in the openidconnect authentication for asp.net core to manage the access_token on the server after received.
我发现我可以拦截cookie验证事件并检查访问令牌是否已过期.如果是这样,请使用 grant_type=refresh_token 对令牌端点进行手动 HTTP 调用.
I found that I can intercept the cookie validation event and check if the access token has expired. If so, make a manual HTTP call to the token endpoint with the grant_type=refresh_token.
通过调用 context.ShouldRenew = true;这将导致更新 cookie 并在响应中将其发送回客户端.
By calling context.ShouldRenew = true; this will cause the cookie to be updated and sent back to the client in the response.
我已经提供了我所做工作的基础,一旦所有工作都得到解决,我将努力更新此答案.
I have provided the basis of what I have done and will work to update this answer once all work as been resolved.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
AuthenticationScheme = "Cookies",
ExpireTimeSpan = new TimeSpan(0, 0, 20),
SlidingExpiration = false,
CookieName = "WebAuth",
Events = new CookieAuthenticationEvents()
{
OnValidatePrincipal = context =>
{
if (context.Properties.Items.ContainsKey(".Token.expires_at"))
{
var expire = DateTime.Parse(context.Properties.Items[".Token.expires_at"]);
if (expire > DateTime.Now) //TODO:change to check expires in next 5 mintues.
{
logger.Warn($"Access token has expired, user: {context.HttpContext.User.Identity.Name}");
//TODO: send refresh token to ASOS. Update tokens in context.Properties.Items
//context.Properties.Items["Token.access_token"] = newToken;
context.ShouldRenew = true;
}
}
return Task.FromResult(0);
}
}
});
这篇关于如何使用刷新令牌和 OpenId Connect 在 asp.net core 中处理过期的访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!