
How do I keep the user logged-in with Implicit flow?

From what I understand, the end result of the implicit flow is the access token, which allows the client (in my case a JS SPA) to authenticate into resource servers (APIs).

The access token is usually only valid for ~1 hour, then it expires - making it useless.

What should my JS app do then? Redirecting the user back to the auth server is unrealistic since then the user will have to re-enter their credentials every 1 hour!

I also know that the implicit flow doesn't support refresh tokens so I can't use those either.

Is there a way to persist the user's login? How do things like Facebook keep you logged-in indefinitely?

Just to clarify, you are asking about the Implicit flow which is detailed in the OAuth 2.0 RFC rather than OpenID Connect which deals more with authentication of a user?

With the implicit flow you do have to regularly call the authorisation endpoint to obtain a new token, but if the user remains logged into their identity provider then they should not be prompted to resubmit their credentials, and the token will be returned as a hash fragment in the redirect URI, with no user interaction required.

You can use an AJAX call to get the token on a back-channel so your SPA app user experience is not affected by the need to get new tokens.

To address the points you highlight in your question:

The access token is usually only valid for ~1 hour, then it expires - making it useless.

Correct!

then the user will have to re-enter their credentials every 1 hour!

Not necessarily.

If the user stays logged into the identity provider (e.g. Facebook, Google) then there will be a browser cookie between the user and that provider. This effectively means the identity provider does not need the user to re-enter credentials. The authorisation server should be able to return you a token with no interaction required.

Is there a way to persist the user's login?

You can't control it from your SPA. It's totally dependent on the user staying logged onto the identity provider. If they stay logged into Facebook, Google (or whatever IdP your app uses) then you should be able to get tokens non-interactively.

This article nicely explains how the implicit flow can be implemented.

If the session at the OP is still active (via a cookie perhaps), then OpenID Connect has a mechanism to refresh tokens in a (hidden) iframe: prompt=none.

According to the spec, when sending this flow...

The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

prompt=none is also referred to from the Session Management specification.
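The two answers above describe the same mechanism from two angles: re-running the authorization request in a hidden iframe, and relying on prompt=none so the OP either returns a fresh token silently or an error such as login_required. The following is an added example (not code from either answer or from any library) of how an SPA can drive that renewal. The endpoint, client_id and redirect_uri values are placeholders; the iframe part is browser-only, while the URL builder, fragment parser and callback handler are plain functions so they can be exercised outside a browser.

```javascript
// Added example: silent token renewal for an SPA using the implicit flow with
// OpenID Connect prompt=none. All endpoint/client values below are assumptions.
const AUTHORIZE_ENDPOINT = 'https://idp.example/authorize';   // placeholder
const CLIENT_ID = 'spa-client';                               // placeholder
const REDIRECT_URI = 'https://app.example/silent-callback';   // placeholder

// Random hex string for state/nonce. Requires a CSPRNG (Web Crypto); refuses to
// fall back to Math.random because state is the CSRF defence for the callback.
function randomToken(bytes = 16) {
  const c = globalThis.crypto;
  if (!c || typeof c.getRandomValues !== 'function') throw new Error('no CSPRNG available');
  const buf = new Uint8Array(bytes);
  c.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the authorization request. With prompt=none the OP must not show any
// login or consent UI: it returns a token if the IdP session cookie is still
// valid, otherwise an error (login_required, interaction_required, ...).
function buildSilentAuthUrl({ state, nonce, silent = true }) {
  const params = new URLSearchParams({
    response_type: 'id_token token',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid profile',
    state,
    nonce,
  });
  if (silent) params.set('prompt', 'none');
  return `${AUTHORIZE_ENDPOINT}?${params.toString()}`;
}

// Parse the hash fragment the OP appends to the redirect URI (#access_token=...).
function parseFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  return Object.fromEntries(new URLSearchParams(raw));
}

// Decide what to do with a callback fragment. A response whose state does not
// match the one we issued is dropped; an OP error tells us whether a silent
// renewal is pointless and the user must go through an interactive login.
function handleCallback(fragment, expectedState, nowMs = Date.now()) {
  const p = parseFragment(fragment);
  if (p.state !== expectedState) return { status: 'rejected', reason: 'state mismatch' };
  if (p.error) {
    const interactive = ['login_required', 'interaction_required', 'consent_required'].includes(p.error);
    return { status: 'error', error: p.error, needsInteractiveLogin: interactive };
  }
  const expiresIn = Number(p.expires_in);
  if (!p.access_token || !Number.isFinite(expiresIn)) {
    return { status: 'rejected', reason: 'malformed response' };
  }
  return {
    status: 'ok',
    accessToken: p.access_token,
    expiresAtMs: nowMs + expiresIn * 1000,
    // schedule the next silent renewal a minute before expiry (or at half-life
    // for very short-lived tokens) so API calls never carry an expired token
    renewAtMs: nowMs + Math.max(expiresIn - 60, expiresIn / 2) * 1000,
  };
}

// Browser-only: run the renewal in a hidden iframe. The iframe carries the
// IdP's cookie, so if that session is alive no user interaction happens. The
// callback page at REDIRECT_URI is assumed to do
//   parent.postMessage(location.hash, location.origin)
function silentRenew(onResult) {
  if (typeof document === 'undefined') throw new Error('silentRenew requires a browser');
  const state = randomToken();
  const nonce = randomToken();
  const iframe = document.createElement('iframe');
  iframe.style.display = 'none';
  window.addEventListener('message', function listener(ev) {
    if (ev.origin !== window.location.origin) return; // accept only our own callback page
    window.removeEventListener('message', listener);
    iframe.remove();
    onResult(handleCallback(ev.data, state));
  });
  iframe.src = buildSilentAuthUrl({ state, nonce });
  document.body.appendChild(iframe);
}
```

Usage: after an interactive login, keep the token in memory (not localStorage), and call silentRenew with setTimeout at renewAtMs; when the result reports needsInteractiveLogin, the IdP session has ended and the SPA has to send the user through a normal top-level redirect. Validation of the returned id_token (signature, issuer, audience, nonce) is omitted here and is required in a real client. Note also that current OAuth guidance (the OAuth 2.0 Security Best Current Practice) advises browser apps to use the authorization code flow with PKCE instead of the implicit flow; the renewal pattern above is the same, only the response_type changes.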
