how to disable auto login in thinktecture IdentityServer

I have an MVC app with authorization managed by IdentityServer. When I access my web app for the first time, I am redirected to the IdentityServer login page and afterwards I am redirected to my web app again.

My problem is: if I log out of IdentityServer, when I access my web app again (with IdentityServer authorization) I am redirected to IdentityServer, but login is done automatically, allowing me access to my web app without entering user/pass in IdentityServer.

I suppose it is because the cookie is still alive in the client (if I manually delete all cookies in my browser, then user/pass is required).

How can I disable auto login (force that user/pass is always required)?

My startup client configuration is like:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        LoginPath = new PathString("/Home/Logged/"),
        AuthenticationType = "Cookies",
        ExpireTimeSpan = TimeSpan.FromDays(2),
        SlidingExpiration = true,
        CookieName = ".AspNet.MyApp"
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = "MyApp",
        Authority = IS_URL,
        RedirectUri = localHostURL + "/Home/Logged/",
        PostLogoutRedirectUri = localHostURL + "/Account/Login/",
        ResponseType = "code id_token token",
        Scope = "openid profile read write sampleApi",
        SignInAsAuthenticationType = "Cookies",

        UseTokenLifetime = true,

        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = async n =>
            {
                var nid = new ClaimsIdentity(
                    n.AuthenticationTicket.Identity.AuthenticationType,
                    "given_name",
                    "role");

                // get userinfo data
                var userInfoClient = new UserInfoClient(
                    new System.Uri(n.Options.Authority + "/connect/userinfo"),
                    n.ProtocolMessage.AccessToken);

                var userInfo = await userInfoClient.GetAsync();
                userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2)));

                // keep the id_token for logout
                nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));

                // add access token for sample API
                nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));

                // keep track of access token expiration
                nid.AddClaim(new Claim("expires_at", TimeSpan.FromDays(2).ToString()));

                // add some other app specific claim
                nid.AddClaim(new Claim("app_specific", "some data"));

                n.AuthenticationTicket = new AuthenticationTicket(
                    nid,
                    n.AuthenticationTicket.Properties);
            },
            RedirectToIdentityProvider = n =>
            {
                if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                {
                    var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");

                    if (idTokenHint != null)
                    {
                        n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                    }
                }

                return Task.FromResult(0);
            }
        }
    });

Thanks in advance!

To log out from IdentityServer you need to redirect to the end session endpoint.

Typically /connect/endsession. Only this way can the authentication session cookie be cleared.

See the spec: https://openid.net/specs/openid-connect-session-1_0.html#RPLogout

On login requests/redirects to idsrv, set the prompt parameter to login.

OnRedirectToIdentityProvider = n =>
{
    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
    {
        n.ProtocolMessage.Prompt = "login";
    }

    return Task.FromResult(0);
}

IdSrv docs (see prompt):

prompt (optional)

login: the login UI will be shown, even if the user is already signed in and has a valid session.

OpenID Connect spec around /authorize requests:

prompt=login

The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.

I had a similar requirement. Not the most elegant way, but I solved it by reducing the cookie expiration to 10 seconds and turning SlidingExpiration off. The edge case here is that if the relying party comes back within 10 seconds, the login prompt is bypassed.

I battled with this for a confidential client app using MVC (not Core). I eventually resolved it as follows: under Notifications in ConfigureAuth(IAppBuilder app), add a reference to a new task: RedirectToIdentityProvider = OnRedirectToIdentityProvider, then add the task:

private Task OnRedirectToIdentityProvider(
    RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    // Forces the user to login.
    if (notification.ProtocolMessage.Prompt == null)
    {
        notification.ProtocolMessage.Prompt = "login";
    }
    return Task.FromResult(0);
}
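The following is an added example, not code from the question or from any of the answers above, that puts the two answers' approaches together in the Katana (OWIN) middleware the question uses: prompt=login (plus max_age=0) on authentication requests, id_token_hint on RP-initiated logout so /connect/endsession can clear the IdentityServer session, a logout action that signs out of both schemes, and an RP-side freshness check on the auth_time claim, since prompt=login is only a SHOULD for the server. The URLs, the scheme names "Cookies"/"OpenIdConnect", the MaxAuthenticationAge policy and the IsFreshAuthentication helper are assumptions made for this example.

```csharp
// Added example (not from the question or answers). Assumes Katana OpenID Connect
// middleware, IdentityServer-style endpoints, placeholder URLs and an assumed policy.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Assumed policy: an id_token whose auth_time is older than this means the server
    // did not actually re-authenticate the user, so the sign-in is refused.
    private static readonly TimeSpan MaxAuthenticationAge = TimeSpan.FromMinutes(1);
    private static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Helper (assumed name): true if auth_time (Unix seconds) is within MaxAuthenticationAge of now.
    public static bool IsFreshAuthentication(long authTimeSeconds, DateTime utcNow)
    {
        return utcNow - UnixEpoch.AddSeconds(authTimeSeconds) <= MaxAuthenticationAge;
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        // Keep JWT claim names as issued ("auth_time", "sub", ...) instead of the legacy WS-* mapping.
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            // Short, non-sliding local session: the RP cookie should not outlive the
            // IdentityServer session by days, as a 2-day sliding cookie would.
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = false
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "OpenIdConnect",
            ClientId = "MyApp",
            Authority = "https://idsrv.example/identity",                 // placeholder
            RedirectUri = "https://rp.example/Home/Logged/",              // placeholder
            PostLogoutRedirectUri = "https://rp.example/Account/Login/",  // placeholder
            ResponseType = "code id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = "Cookies",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                    {
                        // Show the IdentityServer login UI even if it still has a session for this browser.
                        n.ProtocolMessage.Prompt = "login";
                        // max_age=0 also demands a fresh authentication and makes auth_time
                        // a required claim in the id_token (OpenID Connect Core 3.1.2.1).
                        n.ProtocolMessage.SetParameter("max_age", "0");
                    }
                    else if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                    {
                        // RP-initiated logout: id_token_hint lets /connect/endsession clear the IdP session.
                        var idToken = n.OwinContext.Authentication.User.FindFirst("id_token");
                        if (idToken != null)
                        {
                            n.ProtocolMessage.IdTokenHint = idToken.Value;
                        }
                    }
                    return Task.FromResult(0);
                },

                SecurityTokenValidated = n =>
                {
                    var authTime = n.AuthenticationTicket.Identity.FindFirst("auth_time");
                    long seconds;
                    if (authTime == null || !long.TryParse(authTime.Value, out seconds)
                        || !IsFreshAuthentication(seconds, DateTime.UtcNow))
                    {
                        n.HandleResponse();  // do not sign the user in locally
                        n.Response.Redirect("/Account/Login?error=stale_login");
                        return Task.FromResult(0);
                    }
                    // Keep the id_token only for the logout round trip above.
                    n.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public class AccountController : Controller
{
    // Signing out of both schemes clears the local cookie and redirects the browser to the
    // end session endpoint; signing out of "Cookies" alone leaves the IdentityServer session
    // alive, which is exactly what produced the silent re-login in the question.
    public ActionResult Logout()
    {
        HttpContext.GetOwinContext().Authentication.SignOut("Cookies", "OpenIdConnect");
        return Redirect("/");
    }
}
```

With this in place, a user who logs out is sent through /connect/endsession, and any later visit forces the login UI; if IdentityServer ever answers with an id_token whose auth_time is not recent, the relying party refuses the sign-in instead of trusting that the prompt was honoured.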
