如何停止IdentityServer4刷新令牌过期？

Question

我已经为Amazon Alexa用例实现了IdentityServer4，并且似乎在refresh_tokens过期问题上：

我的客户端设置如下：

new Client
{
    ClientId = AlexaUsername,
    ClientName = "Amazon Alexa",
    ClientUri = "https://alexa.amazon.co.uk",
    LogoUri = "/images/alexa.png",
    // no interactive user, use the clientid/secret for authentication
    AllowedGrantTypes = GrantTypes.Code,
    // secret for authentication
    ClientSecrets =
    {
        new Secret(...)
    },
    RedirectUris =  Options.AlexaService.PermittedUris,
    // scopes that client has access to
    AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, AlexaApiScope },
    AlwaysIncludeUserClaimsInIdToken = true,
    AlwaysSendClientClaims = true,
    AllowOfflineAccess = true,
    RefreshTokenExpiration = TokenExpiration.Sliding,
    AbsoluteRefreshTokenLifetime = 0,
    AccessTokenLifetime = 3600,
    AuthorizationCodeLifetime = 360,
    AllowRememberConsent = true
}

我的服务定义如下（not cert不为null）：

services.AddIdentity<ApplicationUser, ApplicationRole>(config =>
{
    //config.SignIn.RequireConfirmedEmail = true;
    //https://docs.microsoft.com/en-us/aspnet/core/security/authentication/accconfirm?tabs=aspnetcore2x%2Csql-server
    config.Lockout.MaxFailedAccessAttempts = 7; 
})
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddRoleManager<ApplicationRoleManager>()
    .AddDefaultTokenProviders();

// Add application services.
services.AddTransient<IEmailSender, EmailSender>();

X509Certificate2 cert = GetCertificateIssuer(settings);
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

var nestedServices = services.BuildServiceProvider();
var DataSecurityService = nestedServices.GetService<IDataSecurityService>();

if (cert == null)
{
    services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryPersistedGrants()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients(DataSecurityService))
    .AddAspNetIdentity<ApplicationUser>();
}
else
{
    services.AddIdentityServer(options => { options.IssuerUri = settings.Authority;
                                           options.PublicOrigin = settings.Authority;
        })
    .AddSigningCredential(cert)
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = builder =>
            builder.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"),
                sql => sql.MigrationsAssembly(migrationsAssembly));
    })
    //.AddInMemoryPersistedGrants()
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = builder =>
            builder.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"),
                sql => sql.MigrationsAssembly(migrationsAssembly));

        // this enables automatic token cleanup. this is optional.
        options.EnableTokenCleanup = true;
        options.TokenCleanupInterval = 30; // interval in seconds
    })
    .AddAspNetIdentity<ApplicationUser>();
}

我在日志中看到了这一点：

2018-08-04 09:24:40.091 +01:00 [DBG] Start token request validation
2018-08-04 09:24:40.098 +01:00 [DBG] Start validation of refresh token request
2018-08-04 09:24:40.119 +01:00 [DBG] eny2fizHyrW3t98T2oOqNN+wy8thQvUsNz3HDL8UhjU= found in database: false
2018-08-04 09:24:40.119 +01:00 [DBG] refresh_token grant with value: f9f345127502ac6b72598404ff9be5bba041224393f5332c7262acfa7f6157c5 not found in store.
2018-08-04 09:24:40.119 +01:00 [ERR] Invalid refresh token
2018-08-04 09:24:40.120 +01:00 [ERR] Refresh token validation failed. aborting.
2018-08-04 09:24:40.164 +01:00 [ERR] {
  "ClientId": "xxx",
  "ClientName": "Amazon Alexa",
  "GrantType": "refresh_token",
  "Raw": {
    "grant_type": "refresh_token",
    "refresh_token": "xxx",
    "client_id": "xxxx"
  }
}

我曾经想到的一个问题是，随着IIS服务器重新启动，刷新令牌变得无效，并且无法持久保存。 为了获得Alexa要求的永久有效的刷新令牌，我需要更改什么？

Answer 1

添加RefreshTokenUsage = TokenUsage.ReUse似乎已经解决了问题，并且从上面的链接复制了代码（我尚未证明该代码是否必要）。