C# 如何停止IdentityServer4刷新令牌过期?
标签：c#, identityserver4
我已经为 Amazon Alexa 用例实现了 IdentityServer 4，似乎在刷新令牌过期方面遇到了问题。我的客户端设置如下：
// IdentityServer4 Client registration for the Alexa skill.
// Lifetime values below are expressed in seconds (IdentityServer4 convention) — confirm against the installed version.
new Client
{
ClientId = AlexaUsername,
ClientName = "Amazon Alexa",
ClientUri = "https://alexa.amazon.co.uk",
LogoUri = "/images/alexa.png",
// no interactive user, use the clientid/secret for authentication
// NOTE(review): GrantTypes.Code is the authorization-code flow, which does redirect a user through
// login/consent; the comment above looks stale — confirm which flow was intended.
AllowedGrantTypes = GrantTypes.Code,
// secret for authentication
// The secret value is elided here; it should come from protected configuration, not source control.
ClientSecrets =
{
new Secret(...)
},
// Presumably the allow-list of URIs that may receive the authorization code — verify what PermittedUris holds.
RedirectUris = Options.AlexaService.PermittedUris,
// scopes that client has access to
AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, AlexaApiScope },
AlwaysIncludeUserClaimsInIdToken = true,
AlwaysSendClientClaims = true,
// Offline access is what lets this client be issued a refresh token at all.
AllowOfflineAccess = true,
// Sliding expiration with an absolute lifetime of 0: per the AbsoluteRefreshTokenLifetime documentation
// cited in the discussion, this removes the absolute cap, so the refresh token only lapses if it is not
// used within the sliding window. A token that is simply missing from the grant store (the
// "found in database: false" log line) is a storage or consumption problem, not an expiry one.
// NOTE(review): the fix adopted in the thread, RefreshTokenUsage = TokenUsage.ReUse, stops the token being
// rotated on each refresh; the default one-time-use behaviour bounds what a leaked refresh token is worth,
// so if ReUse is kept, rely on the sliding window and revocation to limit exposure — confirm against the docs.
RefreshTokenExpiration = TokenExpiration.Sliding,
AbsoluteRefreshTokenLifetime = 0,
// 1 hour
AccessTokenLifetime = 3600,
// 6 minutes
AuthorizationCodeLifetime = 360,
AllowRememberConsent = true
}
我的服务定义如下（注：cert 不为空）：
我的一个猜测是：刷新令牌没有被持久化，因此 IIS 服务器重启后就失效了。要获得 Alexa 所需的永久有效的刷新令牌，我需要做哪些更改？
添加 `RefreshTokenUsage = TokenUsage.ReUse` 似乎已经解决了问题；也可以从上面的链接复制代码（我还没有验证那段代码是否必要）。
你把 AccessTokenLifetime 设置为 0 了，为什么？
我想我没有！AccessTokenLifetime = 3600。我把 AbsoluteRefreshTokenLifetime 设置为 0 是因为我不小心写错了，我本来想写的是 AbsoluteRefreshTokenLifetime。谢谢。
根据 AbsoluteRefreshTokenLifetime 的文档，值为 0 并与 RefreshTokenExpiration = Sliding 一起使用时，允许刷新令牌永不过期。参见此问题。
// ASP.NET Identity wiring: EF-backed user/role stores, a custom role manager and the default token providers.
services.AddIdentity<ApplicationUser, ApplicationRole>(config =>
{
//config.SignIn.RequireConfirmedEmail = true;
//https://docs.microsoft.com/en-us/aspnet/core/security/authentication/accconfirm?tabs=aspnetcore2x%2Csql-server
// Account lockout after 7 failed sign-in attempts.
config.Lockout.MaxFailedAccessAttempts = 7;
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddRoleManager<ApplicationRoleManager>()
.AddDefaultTokenProviders();
// Add application services.
services.AddTransient<IEmailSender, EmailSender>();
// Signing certificate; null selects the developer-credential branch below.
X509Certificate2 cert = GetCertificateIssuer(settings);
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
// NOTE(review): this builds a second, separate service provider just to resolve IDataSecurityService, so any
// singleton it depends on is instantiated twice (once here, once in the real container). Consider resolving
// it lazily inside Config.GetClients instead — confirm what IDataSecurityService holds before changing this.
var nestedServices = services.BuildServiceProvider();
var DataSecurityService = nestedServices.GetService<IDataSecurityService>();
if (cert == null)
{
// Development-only branch: a generated signing key and in-memory stores.
// The in-memory persisted-grant store presumably does not survive a process restart, which would
// invalidate every outstanding refresh token — the failure mode the question suspects. Make sure this
// branch cannot be reached in production (e.g. fail fast when no certificate is configured) — TODO confirm.
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryPersistedGrants()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients(DataSecurityService))
.AddAspNetIdentity<ApplicationUser>();
}
else
{
// Production branch: certificate-backed signing, configuration and grants in SQL Server.
// Issuer and public origin are both taken from settings.Authority.
services.AddIdentityServer(options => { options.IssuerUri = settings.Authority;
options.PublicOrigin = settings.Authority;
})
.AddSigningCredential(cert)
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"),
sql => sql.MigrationsAssembly(migrationsAssembly));
})
//.AddInMemoryPersistedGrants()
// Persisted grants (refresh tokens, codes, consent) live in the same database as the configuration store.
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"),
sql => sql.MigrationsAssembly(migrationsAssembly));
// this enables automatic token cleanup. this is optional.
// NOTE(review): cleanup is expected to remove only expired grants; if a refresh token that should still
// be valid is reported "not found in store", check whether it was consumed (one-time use) or never
// written, rather than assuming cleanup deleted it — verify against the PersistedGrants table.
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30; // interval in seconds
})
.AddAspNetIdentity<ApplicationUser>();
}
2018-08-04 09:24:40.091 +01:00 [DBG] Start token request validation
2018-08-04 09:24:40.098 +01:00 [DBG] Start validation of refresh token request
2018-08-04 09:24:40.119 +01:00 [DBG] eny2fizHyrW3t98T2oOqNN+wy8thQvUsNz3HDL8UhjU= found in database: false
2018-08-04 09:24:40.119 +01:00 [DBG] refresh_token grant with value: f9f345127502ac6b72598404ff9be5bba041224393f5332c7262acfa7f6157c5 not found in store.
2018-08-04 09:24:40.119 +01:00 [ERR] Invalid refresh token
2018-08-04 09:24:40.120 +01:00 [ERR] Refresh token validation failed. aborting.
2018-08-04 09:24:40.164 +01:00 [ERR] {
"ClientId": "xxx",
"ClientName": "Amazon Alexa",
"GrantType": "refresh_token",
"Raw": {
"grant_type": "refresh_token",
"refresh_token": "xxx",
"client_id": "xxxx"
}
}