我试图在访问令牌过期时使用刷新令牌。类似的问题已回答here https://stackoverflow.com/a/41557598/3501052. And 更新令牌的示例代码 https://stackoverflow.com/questions/41741982/identityserver4-using-refresh-tokens-after-following-the-quickstart-for-hybrid通过一个动作
我最终在startup.cs中得到以下代码
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationScheme = "Cookies",
//ExpireTimeSpan = TimeSpan.FromSeconds(100),
AutomaticAuthenticate = true,
AutomaticChallenge = true,
Events = new CookieAuthenticationEvents()
{
OnValidatePrincipal = async x =>
{
if (x.Properties?.Items[".Token.expires_at"] == null) return;
var logger = loggerFactory.CreateLogger(this.GetType());
var now = DateTimeOffset.UtcNow;
var tokenExpireTime = DateTime.Parse(x.Properties.Items[".Token.expires_at"]).ToUniversalTime();
var timeElapsed = now.Subtract(x.Properties.IssuedUtc.Value);
var timeRemaining = tokenExpireTime.Subtract(now.DateTime);
if (timeElapsed > timeRemaining)
{
var httpContextAuthentication = x.HttpContext.Authentication;//Donot use the HttpContext.Authentication to retrieve anything, this cause recursive call to this event
var oldAccessToken = await httpContextAuthentication.GetTokenAsync("access_token");
var oldRefreshToken = await httpContextAuthentication.GetTokenAsync("refresh_token");
logger.LogInformation($"Refresh token :{oldRefreshToken}, old access token:{oldAccessToken}");
var disco = await DiscoveryClient.GetAsync(AuthorityServer);
if (disco.IsError) throw new Exception(disco.Error);
var tokenClient = new TokenClient(disco.TokenEndpoint, ApplicationId, "secret");
var tokenResult = await tokenClient.RequestRefreshTokenAsync(oldRefreshToken);
logger.LogInformation("Refresh token requested. " + tokenResult.ErrorDescription);
if (!tokenResult.IsError)
{
var oldIdToken = await httpContextAuthentication.GetTokenAsync("id_token");
var newAccessToken = tokenResult.AccessToken;
var newRefreshToken = tokenResult.RefreshToken;
var tokens = new List<AuthenticationToken>
{
new AuthenticationToken {Name = OpenIdConnectParameterNames.IdToken, Value = oldIdToken},
new AuthenticationToken {Name = OpenIdConnectParameterNames.AccessToken, Value = newAccessToken},
new AuthenticationToken {Name = OpenIdConnectParameterNames.RefreshToken, Value = newRefreshToken}
};
var expiresAt = DateTime.UtcNow + TimeSpan.FromSeconds(tokenResult.ExpiresIn);
tokens.Add(new AuthenticationToken { Name = "expires_at", Value = expiresAt.ToString("o", CultureInfo.InvariantCulture) });
var info = await httpContextAuthentication.GetAuthenticateInfoAsync("Cookies");
info.Properties.StoreTokens(tokens);
await httpContextAuthentication.SignInAsync("Cookies", info.Principal, info.Properties);
}
x.ShouldRenew = true;
}
else
{
logger.LogInformation("Not expired");
}
}
}
});
客户端设置如下
AllowAccessTokensViaBrowser = true,
RefreshTokenUsage = TokenUsage.ReUse,
RefreshTokenExpiration = TokenExpiration.Sliding,
AbsoluteRefreshTokenLifetime = 86400,
AccessTokenLifetime = 10,
AllowOfflineAccess = true,
AccessTokenType = AccessTokenType.Reference
成功登录后,我收到的每个其他请求都是 401。日志说
[身份服务器]2017-07-04 10:15:58.819 +01:00 [调试]
在数据库中找到“TjpIkvHQi../cfivu6Nql5ADJJlZRuoJV1QI=”:True
[身份服务器]2017-07-04 10:15:58.820 +01:00 [调试]
“reference_token”授予值:
在商店中找到“..9e64c1235c6675fcef617914911846fecd72f7b372”,但有
已到期。
[身份服务器]2017-07-04 10:15:58.821 +01:00 [错误]无效
参考令牌。 "{ \"ValidateLifetime\": true,
\“AccessTokenType\”:\“参考\”,\“TokenHandle \”:
\“..9e64c1235c6675fcef617914911846fecd72f7b372\”}“
[身份服务器]2017-07-04 10:15:58.822 +01:00 [调试] 令牌是
无效的。
[身份服务器]2017-07-04 10:15:58.822 +01:00 [调试]创建
非活动令牌的内省响应。
[身份服务器]2017-07-04 10:15:58.822 +01:00 [信息]成功
象征性的内省。令牌状态:“非活动”,API 名称:“api1”
任何帮助将受到高度赞赏
UPDATE:
基本上,当令牌过期时我会得到一个System.StackOverflowException
在下面一行
var tokenExpireTime = DateTime.Parse(x.Properties.Items[".Token.expires_at"]).ToUniversalTime();
UPDATE 2:
不要使用 HttpContext.Authentication 检索任何内容。检查下面我的答案以找到有效的实现