Asp.net mvc 具有mvc和api的Identity server 3客户端未刷新访问令牌
我有一个工作身份提供者。我设计用于对其进行身份验证的客户端是一个结合了MVC和WebAPI的单一项目。初始身份验证由MVC完成。如果访问令牌变为无效,它将按预期刷新 MVC端: 公共部分类启动{Asp.net mvc 具有mvc和api的Identity server 3客户端未刷新访问令牌,asp.net-mvc,identityserver3,thinktecture-ident-server,Asp.net Mvc,Identityserver3,Thinktecture Ident Server,我有一个工作身份提供者。我设计用于对其进行身份验证的客户端是一个结合了MVC和WebAPI的单一项目。初始身份验证由MVC完成。如果访问令牌变为无效,它将按预期刷新 MVC端: 公共部分类启动{ public void ConfigureAuth(IAppBuilder app) { //AntiForgeryConfig.UniqueClaimTypeIdentifier = "sub"; JwtSecurityTokenHandler.Inbo
public void ConfigureAuth(IAppBuilder app)
{
//AntiForgeryConfig.UniqueClaimTypeIdentifier = "sub";
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies",
CookieName = "CookieName",
ReturnUrlParameter = "/Dashboard",
LogoutPath = new PathString("/"),
});
app.UseOpenIdConnectAuthentication(GetOpenIdConnectAuthenticationOptions());
}
private OpenIdConnectAuthenticationOptions GetOpenIdConnectAuthenticationOptions()
{
var options = new OpenIdConnectAuthenticationOptions
{
ClientId = "client.id",
Authority = AuthorityUrl,
RedirectUri = RedirectUri,
PostLogoutRedirectUri = RedirectUri,
ResponseType = "code id_token",
Scope = "openid profile email offline_access roles company utc_offset service_api",
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
},
SignInAsAuthenticationType = "Cookies",
Notifications = GetOpenIdConnectAuthenticationNotifications()
};
return options;
}
private OpenIdConnectAuthenticationNotifications GetOpenIdConnectAuthenticationNotifications()
{
var container = UnityLazyInit.Container;
var authorizationProvider = container.Resolve<AuthorizationProvider>();
var notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async n =>
{
authorizationProvider.Authority = Authority;
authorizationProvider.LoginMethod = LoginMethod;
var tokenResponse = await authorizationProvider.GetAccessAndRefreshTokens(n);
var userInfoClaims = await authorizationProvider.GetUserInfoClaims(tokenResponse);
userInfoClaims = authorizationProvider.TransformUserInfoClaims(userInfoClaims);
// create new identity
var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
id.AddClaims(userInfoClaims);
id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString()));
id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
id.AddClaim(new Claim("sid", n.AuthenticationTicket.Identity.FindFirst("sid").Value));
var user = authorizationProvider.GetUser(id);
var applicationClaims = authorizationProvider.GetApplicationClaims(user);
id.AddClaims(applicationClaims);
var permisionClaims = authorizationProvider.GetPermisionClaims(user);
id.AddClaims(permisionClaims);
n.AuthenticationTicket = new AuthenticationTicket(
new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
n.AuthenticationTicket.Properties);
},
RedirectToIdentityProvider = n =>
{
// if signing out, add the id_token_hint
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
};
return notifications;
}
}
public void ConfigureAuth(IAppBuilder应用程序)
{
//AntiForgeryConfig.UniqueClaimTypeIdentifier=“sub”;
JwtSecurityTokenHandler.InboundClaimTypeMap=new Dictionary();
app.UseCookieAuthentication(新的CookieAuthenticationOptions
{
AuthenticationType=“Cookies”,
CookieName=“CookieName”,
ReturnUrlParameter=“/Dashboard”,
LogoutPath=新路径字符串(“/”,
});
使用OpenIDConnectAuthentication(GetOpenIdConnectAuthenticationOptions());
}
私有OpenIdConnectAuthenticationOptions GetOpenIdConnectAuthenticationOptions()
{
var options=新的OpenIdConnectAuthenticationOptions
{
ClientId=“client.id”,
Authority=AuthorityUrl,
RedirectUri=RedirectUri,
PostLogoutRedirectUri=RedirectUri,
ResponseType=“代码id\u令牌”,
Scope=“openid配置文件电子邮件脱机\u访问角色公司utc\u偏移服务\u api”,
TokenValidationParameters=新的TokenValidationParameters
{
NameClaimType=“name”,
RoleClaimType=“角色”
},
SignInAsAuthenticationType=“Cookies”,
通知=GetOpenIdConnectAuthenticationNotifications()
};
返回选项;
}
私有OpenIdConnectAuthenticationNotifications GetOpenIdConnectAuthenticationNotifications()
{
var container=UnityLazyInit.container;
var authorizationProvider=container.Resolve();
var notifications=新的OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived=异步n=>
{
authorizationProvider.Authority=权限;
authorizationProvider.LoginMethod=LoginMethod;
var tokenResponse=await authorizationProvider.GetAccessAndRefreshTokens(n);
var userInfoClaims=await authorizationProvider.GetUserInfoClaims(tokenResponse);
userInfoClaims=authorizationProvider.TransformUserInfoClaims(userInfoClaims);
//创建新身份
var id=新的ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
id.AddClaims(userInfoClaims);
id.AddClaim(新的声明(“access_token”,tokenResponse.AccessToken));
id.AddClaim(新声明(“expires_at”,DateTime.Now.AddSeconds(tokenResponse.ExpiresIn.ToLocalTime().ToString());
id.AddClaim(新声明(“刷新令牌”,tokenResponse.refreshttoken));
id.AddClaim(新声明(“id_token”,n.ProtocolMessage.IdToken));
id.AddClaim(新声明(“sid”,n.AuthenticationTicket.Identity.FindFirst(“sid”).Value));
var user=authorizationProvider.GetUser(id);
var applicationClaims=authorizationProvider.GetApplicationClaims(用户);
id.AddClaims(applicationClaims);
var PermissionClaims=authorizationProvider.GetPermissionClaims(用户);
id.AddClaims(许可索赔);
n、 AuthenticationTicket=新的AuthenticationTicket(
新的索赔实体(id.Claims,n.AuthenticationTicket.Identity.AuthenticationType,“名称”,“角色”),
n、 AuthenticationTicket.Properties);
},
RedirectToIdentityProvider=n=>
{
//如果注销,请添加id\u令牌\u提示
if(n.ProtocolMessage.RequestType==OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint=n.OwinContext.Authentication.User.FindFirst(“id_令牌”);
if(idTokenHint!=null)
{
n、 ProtocolMessage.IdTokenHint=IdTokenHint.Value;
}
}
返回Task.FromResult(0);
}
};
退货通知;
}
}
表示层(浏览器端)利用了angulerjs,但是我没有加入任何对身份验证的支持。我依赖MVC
当表示层调用API时,它会根据MVC检索到的访问令牌自动进行验证,但如果过期,它将无法刷新访问令牌。它也不会在未经授权的情况下返回。它似乎正在尝试刷新,但失败。当api调用尝试刷新令牌时,演示文稿将接收标识提供程序错误页面的HTML
我该如何解决这个问题?在我看来,当MVC和API结合在一起时,它们应该自动进行身份验证和刷新,但这对我来说不起作用
注:澄清上述启动配置是共享的,但MVC和API是共享的
new Client
{
ClientName = "MVC Client",
ClientId = "client.id",
ClientSecrets = new List<Secret> {
new Secret("secret".Sha256())
},
Flow = Flows.Hybrid,
AllowedScopes = new List<string>
{
Constants.StandardScopes.OpenId,
Constants.StandardScopes.Profile,
Constants.StandardScopes.Email,
Constants.StandardScopes.OfflineAccess,
"roles",
"company",
"utc_offset",
"service_api
新客户端
{
ClientName=“MVC客户端”,
ClientId=“client.id”,
ClientSecrets=新列表{
新密码(“Secret.Sha256())
},
流量=流量。混合,
AllowedScopes=新列表
{
Constants.StandardScopes.OpenId,
常量.StandardScopes.Profile,
Constants.StandardScopes.Email,
常量.StandardScopes.OfflineAccess,
“角色”,
“公司”,
“utc_偏移量”,
“服务api
"
},
RequireConsent = false,
RedirectUris = new List<string>
{
REMOVED
},
PostLogoutRedirectUris = new List<string>
{
REMOVED
},
AllowedCorsOrigins = new List<string>
{
REMOVED
},
AccessTokenLifetime = 60,
IdentityTokenLifetime = 60,
AbsoluteRefreshTokenLifetime = 60 * 60 * 24,
SlidingRefreshTokenLifetime = 60 * 15,
},
requiresent=false,
重定向URI=新建
n.AuthenticationTicket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn));
n.AuthenticationTicket.Properties.IssuedUtc = DateTime.Now;
//Add encrypted MVC auth cookie
n.AuthenticationTicket = new AuthenticationTicket(
nid,
n.AuthenticationTicket.Properties);