
Do not receive refresh token with OpenIddict

I have a web api project based on .net core 2.0.

I followed pretty much the very good example at http://kevinchalet.com/2017/01/30/implementing-simple-token-authentication-in-aspnet-core-with-openiddict/.

The code that returns the SignIn() result for the auth method looks like so:

if (request.IsPasswordGrantType())
{
    // (...)
    if (useraccount != null && useraccount.Failcount <= AppConstants.AuthMaxAllowedFailedLogin)
    {
        var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme, OpenIdConnectConstants.Claims.Name, OpenIdConnectConstants.Claims.Role);

        identity.AddClaim(OpenIdConnectConstants.Claims.Subject, AppConstants.AuthSubjectClaim, OpenIdConnectConstants.Destinations.AccessToken);
        identity.AddClaim(OpenIdConnectConstants.Claims.Name, useraccount.Username, OpenIdConnectConstants.Destinations.AccessToken);

        return SignIn(new ClaimsPrincipal(identity), OpenIdConnectServerDefaults.AuthenticationScheme);
    }
    // (...)
}

My startup code looks like so:

services.AddDbContext<DbContext>(options =>
{
    options.UseInMemoryDatabase(nameof(DbContext));
    options.UseOpenIddict();
});

services.AddOpenIddict(options =>
{
    options.AddEntityFrameworkCoreStores<DbContext>();
    options.AddMvcBinders();
    options.EnableTokenEndpoint(DcpConstants.ApiTokenRoute);
    options.AllowPasswordFlow();
    options.AllowRefreshTokenFlow();
    options.SetAccessTokenLifetime(TimeSpan.FromHours(1));
    options.SetRefreshTokenLifetime(TimeSpan.FromDays(1));
    options.DisableHttpsRequirement();
});

services.AddAuthentication(options =>
{
    options.DefaultScheme = OAuthValidationDefaults.AuthenticationScheme;
}).AddOAuthValidation();

Now, when I send the POST request with the following params:

username: foo@bar.com
password: myPassword
grant_type: password
scope: openid profile offline_access

I only receive scope, token_type, access_token, expires_in and id_token, and no refresh_token.

What am I missing?

Returning a refresh token with the password grant is definitely allowed by the OAuth2 specification and thus fully supported by OpenIddict.

For a refresh token to be returned by OpenIddict, you have to grant the special offline_access scope when calling SignIn. E.g.:

if (request.IsPasswordGrantType())
{
    // (...)
    if (useraccount != null && useraccount.Failcount <= AppConstants.AuthMaxAllowedFailedLogin)
    {
        var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme, OpenIdConnectConstants.Claims.Name, OpenIdConnectConstants.Claims.Role);

        identity.AddClaim(OpenIdConnectConstants.Claims.Subject, AppConstants.AuthSubjectClaim, OpenIdConnectConstants.Destinations.AccessToken);
        identity.AddClaim(OpenIdConnectConstants.Claims.Name, useraccount.Username, OpenIdConnectConstants.Destinations.AccessToken);

        var ticket = new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(),
            OpenIdConnectServerDefaults.AuthenticationScheme);

        // You have to grant the 'offline_access' scope to allow
        // OpenIddict to return a refresh token to the caller.
        ticket.SetScopes(OpenIdConnectConstants.Scopes.OfflineAccess);

        return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
    }
    // (...)
}

Note that you'll also have to handle the grant_type=refresh_token requests in your controller. Here's an example using Identity: https://github.com/openiddict/openiddict-samples/blob/dev/samples/RefreshFlow/AuthorizationServer/Controllers/AuthorizationController.cs#L75-L109
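The grant_type=refresh_token branch that the answer refers to, adapted to the question's account model instead of ASP.NET Core Identity. This is an added example, not the answer's code or the linked OpenIddict sample; the `_accounts` store and its `FindByUsernameAsync` method are assumed, and it relies on OpenIddict having already validated the refresh token (signature, expiry, revocation) before the request reaches the controller.

```csharp
else if (request.IsRefreshTokenGrantType())
{
    // Read back the principal and properties OpenIddict stored in the refresh token.
    var info = await HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);
    if (!info.Succeeded || info.Principal == null)
    {
        return BadRequest(new OpenIdConnectResponse
        {
            Error = OpenIdConnectConstants.Errors.InvalidGrant,
            ErrorDescription = "The refresh token is no longer valid."
        });
    }

    // The question's sign-in code puts the username in the Name claim (the Subject
    // claim is a constant there), so the Name claim is what identifies the account.
    var username = info.Principal.FindFirst(OpenIdConnectConstants.Claims.Name)?.Value;
    var useraccount = username == null
        ? null
        : await _accounts.FindByUsernameAsync(username); // hypothetical account store

    // Re-check account state on every refresh: a refresh token that lives for a day
    // must not keep working after the account crossed the failed-login threshold.
    if (useraccount == null || useraccount.Failcount > AppConstants.AuthMaxAllowedFailedLogin)
    {
        return BadRequest(new OpenIdConnectResponse
        {
            Error = OpenIdConnectConstants.Errors.InvalidGrant,
            ErrorDescription = "The user is no longer allowed to sign in."
        });
    }

    // Rebuild the identity from current account data rather than copying old claims,
    // so the new access token reflects the account as it is now.
    var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme,
        OpenIdConnectConstants.Claims.Name, OpenIdConnectConstants.Claims.Role);
    identity.AddClaim(OpenIdConnectConstants.Claims.Subject, AppConstants.AuthSubjectClaim,
        OpenIdConnectConstants.Destinations.AccessToken);
    identity.AddClaim(OpenIdConnectConstants.Claims.Name, useraccount.Username,
        OpenIdConnectConstants.Destinations.AccessToken);

    // Reuse the properties carried by the refresh token: they hold the scopes granted at the
    // original sign-in (including offline_access), so SetScopes is not called again here.
    var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), info.Properties,
        OpenIdConnectServerDefaults.AuthenticationScheme);

    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
```

Because the original scopes are reused rather than taken from the incoming request, a client cannot widen its grant by asking for extra scopes on refresh.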

options.AllowPasswordFlow();

Refresh Token cannot be used with Password flow, as the user is never redirected to login at Auth Server in this flow and so can't directly authorize the application:

If the application uses the username-password OAuth authentication flow, no refresh token is issued, as the user cannot authorize the application in this flow. If the access token expires, the application using username-password OAuth flow must re-authenticate the user.
