c# - 通过 asp.net core mvc 中的 refresh_token 静默更新 access_token
问题描述
问题在于客户端部分的自动更新访问令牌。下一个状态:在客户端(MVC)控制器上,我添加了授权属性,它通过了,因为客户端使用会话 cookie 进行身份验证,然后在服务器(Web API 应用程序)上发送请求。服务器验证令牌并说它已过期。如何在客户端更新访问令牌请参阅 MVC 启动文件:
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.AddAutoMapper(typeof(MappingProfile).Assembly);
// Added for session state
services.AddDistributedMemoryCache();
services.AddSession();
services
.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie("Cookies")
.AddOpenIdConnect(options =>
{
options.MetadataAddress = Configuration["oidc:metadataAddress"];
options.SignInScheme = "Cookies";
options.ClientId = Configuration["oidc:clientId"];
options.ClientSecret = Configuration["oidc:clientSecret"];
options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
options.CallbackPath = "/oidc-callback";
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("openid");
options.Scope.Add("email");
options.Scope.Add("profile");
options.TokenValidationParameters = new TokenValidationParameters()
{
NameClaimType = "name",
ValidateAudience = false,
RoleClaimType = "role"
};
options.Events = new OpenIdConnectEvents
{
OnTokenResponseReceived = async context=>
{
var user = context.Principal;
var identity = user.Identity as ClaimsIdentity;
var claim = new Claim("access_token", context.TokenEndpointResponse.AccessToken);
identity?.AddClaim(claim);
await Task.CompletedTask;
},
};
});
services.AddHttpContextAccessor();
services.AddReportServerClient();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory logFactory)
{
if (env.IsDevelopment())
{
app.UseBrowserLink();
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
//app.UseExceptionHandlers();
app.UseStaticFiles();
app.UseAuthentication();
app.UseSession();
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
RequireHeaderSymmetry = true,
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Main}/{action=Index}/{id?}");
//routes.MapRoute(
// name: "mainPage",
// template: "{controller=Main}/{action=Index}/{id?}");
});
}
还为 OpenIdConnectOptions 尝试了 UseTokenLifeTime,但这种情况不起作用。当我在浏览器中删除 cookie 并刷新页面时,它会转到 Auth 提供者并给我有效的令牌也试过
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
解决方案
您可以使用多种方式刷新访问令牌,下面我将说明如何使用 ASPNET Core 中的中间件获取访问令牌。
在您的启动类中,在 Configure 方法中添加以下行,该行将在访问令牌接近到期时更新它。注意在“app.UseAuthentication()”之后添加。
app.UseMiddleware<CheckAccessTokenValidityMiddleware>();
创建一个扩展方法,该方法将在访问令牌接近到期时自动更新访问令牌,如下所示
public class CheckAccessTokenValidityMiddleware
{
private readonly RequestDelegate _next;
private readonly IConfiguration _configuration;
public CheckAccessTokenValidityMiddleware(RequestDelegate next, IConfiguration configuration)
{
_next = next;
_configuration = configuration;
}
public async Task InvokeAsync(HttpContext context)
{
var expireAt = await context.GetTokenAsync("expires_at");
if (expireAt != null)
{
var dateExpireAt = DateTime.Parse(expireAt, null, DateTimeStyles.RoundtripKind);
if(dateExpireAt != null)
{
if ((dateExpireAt - DateTime.Now).TotalMinutes < 10)
{
var discoveryClient = new DiscoveryClient(_configuration["OIDC:Authority"]);
discoveryClient.Policy.RequireHttps = false;
var discovery = await discoveryClient.GetAsync();
if (!discovery.IsError)
{
using (var tokenClient = new TokenClient(discovery.TokenEndpoint, ClientConstants.KodelessClientId, ClientConstants.KodelessClientSecret))
{
var refreshToken = await context.GetTokenAsync("refresh_token");
var tokenResult = await tokenClient.RequestRefreshTokenAsync(refreshToken);
if (!tokenResult.IsError)
{
var newIdToken = tokenResult.IdentityToken;
var newAccessToken = tokenResult.AccessToken;
var newRefreshToken = tokenResult.RefreshToken;
var tokens = new List<AuthenticationToken>
{
new AuthenticationToken {Name = OpenIdConnectParameterNames.IdToken, Value = newIdToken},
new AuthenticationToken
{
Name = OpenIdConnectParameterNames.AccessToken,
Value = newAccessToken
},
new AuthenticationToken
{
Name = OpenIdConnectParameterNames.RefreshToken,
Value = newRefreshToken
}
};
var expiresAt = DateTime.Now + TimeSpan.FromSeconds(tokenResult.ExpiresIn);
tokens.Add(new AuthenticationToken
{
Name = "expires_at",
Value = expiresAt.ToString("o", CultureInfo.InvariantCulture)
});
var info = await context.AuthenticateAsync(AuthenticationConstants.Cookies);
info.Properties.StoreTokens(tokens);
await context.SignInAsync(AuthenticationConstants.Cookies, info.Principal, info.Properties);
}
else
{
await context.SignOutAsync(AuthenticationConstants.Cookies);
await context.SignOutAsync(AuthenticationConstants.Oidc);
}
}
}
}
}
}
await _next.Invoke(context);
}
}
推荐阅读
- java - HashMap成员的并发修改
- mongodb - 在 Zapier 上连接 Mongodb Atlas
- python - 如何在 HTML 代码中使用 python 变量
- javascript - 使用 JavaScript 从网络服务器中提取 JSON 数据
- spark-structured-streaming - 为什么 Spark Structured Streaming 窗口聚合在每次触发后进行评估
- javascript - Discordjs - 无法向该用户发送消息
- javascript - Javascript / Moment - 按对象值分组数组
- iis - IIS 能否在页面仍在加载时提供增量内容?
- macos - High Sierra - KDP 没有监听新连接
- biml - 在 BIML 变量中使用 CDATA 时是否可以保留换行符?