ASP.NET MVC：删除用户后刷新令牌不会失效
标签：asp.net-mvc, asp.net-identity
我想知道这是我的失误，还是 ASP.NET Identity 的 bug/特性。我们在 ASP.NET MVC 5 项目中使用 ASP.NET Identity 1.0，OAuth 的配置如下：
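/// <summary>
/// OWIN authentication startup for the MVC5 site: a cookie login for the web app,
/// an external sign-in cookie, and an OAuth2 token endpoint (/token) that issues
/// bearer access tokens plus refresh tokens, all backed by ASP.NET Identity.
/// </summary>
public partial class Startup
{
    static Startup()
    {
        PublicClientId = "self";

        // NOTE(review): the property is declared as Func<SphUserManager> but the lambda
        // returns a UserManager<ApplicationUser>; this only compiles if SphUserManager is
        // that type (or a base of it) -- confirm against the project.
        UserManagerFactory = () => new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));

        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
            RefreshTokenProvider = new AuthenticationTokenProvider()
            {
                OnCreate = CreateRefreshToken,
                OnReceive = ReceiveRefreshToken
            },
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),

            // Bearer access tokens are self-contained: nothing in this class can revoke one
            // before it expires, so a 14-day lifetime means a leaked token (or one issued to a
            // user who has since been deleted) keeps working for up to two weeks. A short
            // lifetime plus refresh-token renewal -- which IS validated below -- limits that
            // window. Left unchanged here because clients may depend on it; reconsider.
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),

            // SECURITY: lets the token endpoint accept requests over plain HTTP, so bearer
            // and refresh tokens can be sent in the clear. Acceptable only for local
            // development; this must be false in any deployed environment.
            AllowInsecureHttp = true
        };
    }

    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    public static Func<SphUserManager> UserManagerFactory { get; set; }

    public static string PublicClientId { get; private set; }

    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    /// <summary>
    /// Registers the authentication middleware: the application cookie (login page at
    /// /login), the temporary external sign-in cookie, and the OAuth2 bearer-token
    /// server configured in <see cref="OAuthOptions"/>.
    /// </summary>
    /// <param name="app">The OWIN application builder.</param>
    public void ConfigureAuth(IAppBuilder app)
    {
        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/login")
        });

        // Use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);
    }

    /// <summary>
    /// Issues a refresh token that is simply the protected (serialized) authentication ticket.
    /// </summary>
    /// <remarks>
    /// Nothing is persisted server-side, so the server has no record of which refresh tokens
    /// exist and cannot delete them when a user is deleted; the only defence is to re-check
    /// the ticket's contents when it comes back (see <see cref="ReceiveRefreshToken"/>).
    /// Full revocation (user deleted, password changed, "log out everywhere") needs a
    /// server-side store keyed by a random token id, which this listing does not have.
    /// </remarks>
    /// <param name="context">Katana token-creation context carrying the ticket to protect.</param>
    private static void CreateRefreshToken(AuthenticationTokenCreateContext context)
    {
        context.SetToken(context.SerializeTicket());
    }

    /// <summary>
    /// Validates an incoming refresh token. The ticket is accepted only if it unprotects
    /// cleanly, carries an identity with a user id, and that user still exists in the
    /// Identity store; otherwise no ticket is set on the context and the grant is refused.
    /// </summary>
    /// <remarks>
    /// Previously this was a bare <c>DeserializeTicket</c>: every ticket that unprotected was
    /// accepted, so a refresh token kept working after its user had been deleted.
    /// NOTE(review): this relies on (a) the middleware treating a context with no ticket as
    /// an invalid grant, (b) <c>OAuthOptions.RefreshTokenFormat</c> being the same format the
    /// middleware itself uses for refresh tokens, and (c) <c>SetTicket</c> rejecting null, which
    /// is why validation happens before the ticket is handed over -- confirm all three against
    /// the Katana version in use. A user that still exists but has changed password is still
    /// accepted; compare the security stamp here if that matters.
    /// </remarks>
    /// <param name="context">Katana token-receive context carrying the presented token.</param>
    private static void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
    {
        if (string.IsNullOrEmpty(context.Token))
        {
            return;
        }

        // Unprotect without committing the result to the context yet.
        var ticket = OAuthOptions.RefreshTokenFormat.Unprotect(context.Token);
        if (ticket == null || ticket.Identity == null)
        {
            return;
        }

        // NOTE(review): assumes the identity inside the ticket carries the Identity user-id
        // claim that GetUserId() reads (the case when ApplicationOAuthProvider builds it with
        // UserManager.CreateIdentity) -- confirm.
        var userId = ticket.Identity.GetUserId();
        if (string.IsNullOrEmpty(userId) || !UserStillExists(userId))
        {
            return;
        }

        context.SetTicket(ticket);
    }

    /// <summary>
    /// True if a user with <paramref name="userId"/> is still present in the Identity store.
    /// </summary>
    /// <param name="userId">The user id taken from the refresh-token ticket.</param>
    private static bool UserStillExists(string userId)
    {
        // The factory builds a fresh manager (and DbContext) per call; dispose it here.
        using (var userManager = UserManagerFactory())
        {
            return userManager.FindById(userId) != null;
        }
    }
}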
public partial class Startup
{
    static Startup()
    {
        PublicClientId = "self";
        UserManagerFactory = () => new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
            RefreshTokenProvider = new AuthenticationTokenProvider()
            {
                OnCreate = CreateRefreshToken,
                OnReceive = ReceiveRefreshToken
            },
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AllowInsecureHttp = true
        };
    }

    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    public static Func<SphUserManager> UserManagerFactory { get; set; }

    public static string PublicClientId { get; private set; }

    // 有关配置身份验证的详细信息，请访问 http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        // 使应用程序能够使用 cookie 存储已登录用户的信息
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/login")
        });

        // 使用 cookie 临时存储通过第三方登录提供程序登录的用户的信息
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // 使应用程序能够使用承载令牌（bearer token）对用户进行身份验证
        app.UseOAuthBearerTokens(OAuthOptions);
    }

    private static void CreateRefreshToken(AuthenticationTokenCreateContext context)
    {
        context.SetToken(context.SerializeTicket());
    }

    private static void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
    {
        context.DeserializeTicket(context.Token);
    }
}
我们通过 Web API 注册和登录用户，并用刷新令牌来换取新的访问令牌。我们没有预料到的是：删除某个用户之后，该用户的刷新令牌仍然可以成功换取新的访问令牌。
这是正确的行为吗？我需要做什么特别的事情来“使”令牌失效吗？
答：Katana OAuth2 中间件中的刷新令牌支持基本上由你自己实现，所以如果你删除了用户，撤销（删除）该用户的所有刷新令牌也要由这段逻辑来负责。
问：我可以撤销刷新令牌，但它保存在客户端。用户是从 Web 应用（管理后台）中删除的，和令牌之间没有任何关联。
答：同样，刷新令牌如何实现取决于你——如果希望在删除用户时刷新令牌失效，就必须建立这种关联。具体到上面的代码：`CreateRefreshToken` 只是把票据序列化（加密签名）后原样当作令牌返回，服务端没有保存任何记录；而 `ReceiveRefreshToken` 只要票据能成功反序列化就接受它，完全不检查票据里的用户是否仍然存在，所以删除用户对它没有任何影响。常见做法是：创建令牌时生成一个随机令牌 ID，连同用户 ID 存入数据库，删除用户时一并删除其全部令牌记录，接收时按 ID 查库。最低限度也应在 `OnReceive` 中读取票据里的用户 ID 去 UserManager 查询，查不到就不给上下文设置票据，让中间件拒绝这次授权。另外注意 `AllowInsecureHttp = true` 允许令牌在明文 HTTP 上传输，只应在本地开发时使用；`AccessTokenExpireTimeSpan` 为 14 天意味着已签发的访问令牌在此期间无法撤销。
问：我明白了，本来希望能更简单一些。谢谢回复。
答：我也希望它更简单一些。请参阅以下内容以了解更多信息：（原回答中的链接在此处已丢失）