IdentityServer3 Token Not Getting Deleted on Logout
I am using IdentityServer3 and have implemented a custom authorization flow to stay backward compatible with an existing SSO implementation. I am using reference tokens for API authentication. I have implemented ITokenHandleStore and IUserService.
I am able to log in and access my application successfully. The problem is that after I log out, the reference token is still valid.
On logout I call HttpContext.Current.GetOwinContext().Authentication.SignOut(); I also call /connect/endsession?id_token_hint=mYrEfErEnCeToKeN, passing the user's reference token in the query string parameter.
However, neither the SignOutAsync method in IUserService nor the RemoveAsync method in ITokenHandleStore is ever called. As a result, the token remains in my token database table and is treated as a valid token on subsequent requests, even after the user has logged out.
What is the correct way to log a user out when implementing a custom authorization flow, and how do I delete the record from my database token store?
When I call the end session endpoint, the log from IdentityServer shows the following:
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:07:14.835 -04:00 [Information] End access token validation request
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.289 -04:00 [Information] Start end session request
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.349 -04:00 [Information] Start end session request validation
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.412 -04:00 [Information] Start identity token validation
Sam.Web.MicroServices.IdentityService.vshost.exe Error: 0 : 2016-07-13 04:09:22.581 -04:00 [Error] Malformed JWT token
System.ArgumentException: IDX10709: 'jwtEncodedString' is not well formed: '7dc2417fb752d096af2870c46ca8a181'. The string needs to be in compact JSON format, which is of the form: '..'.
   at System.IdentityModel.Tokens.JwtSecurityToken..ctor(String jwtEncodedString) in c:\workspace\WilsonForDotNet45Release\src\System.IdentityModel.Tokens.Jwt\JwtSecurityToken.cs:line 68
   at IdentityServer3.Core.Validation.TokenValidator.GetClientIdFromJwt(String token) in c:\local\identity\server3\Core\source\Core\Validation\TokenValidator.cs:line 347
Sam.Web.MicroServices.IdentityService.vshost.exe Error: 0 : 2016-07-13 04:09:22.648 -04:00 [Error] No clientId supplied, can't find id in identity token.
Sam.Web.MicroServices.IdentityService.vshost.exe Error: 0 : 2016-07-13 04:09:22.701 -04:00 [Error] "Error validating id token hint." "{ \"SubjectId\": \"unknown\", \"Raw\": { \"id_token_hint\": \"7dc2417fb752d096af2870c46ca8a181\" } }"
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.753 -04:00 [Information] Redirecting to logout page
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.872 -04:00 [Information] Logout endpoint submitted
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.944 -04:00 [Information] Clearing cookies
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:23.013 -04:00 [Information] rendering logged out page
When I call the /revocation endpoint, the IdentityServer log shows the following:
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:14.822 -04:00 [Information] CORS request made for path: "/connect/revocation" from origin: "chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop"
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:14.864 -04:00 [Information] AllowedOrigins configured and origin "chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop" is not allowed
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:14.906 -04:00 [Information] Exiting; origin "chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop" is not allowed
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:14.941 -04:00 [Information] CorsPolicyService did not allow origin
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:15.005 -04:00 [Information] Start token revocation request
2016-07-13 04:11:15.063 -04:00 [Debug] Start client validation
2016-07-13 04:11:15.064 -04:00 [Debug] Start parsing for X.509 certificate
2016-07-13 04:11:15.065 -04:00 [Debug] client_id is not found in post body
2016-07-13 04:11:15.066 -04:00 [Debug] Start parsing for secret in post body
2016-07-13 04:11:15.067 -04:00 [Debug] No secret in post body found
2016-07-13 04:11:15.068 -04:00 [Debug] Start parsing Basic Authentication secret
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:15.069 -04:00 [Information] Parser found no secret
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:15.124 -04:00 [Information] No client secret found
Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:15.175 -04:00 [Information] Returning error: invalid_client
The reason you get an error on logout is that you are passing the access token back in the id_token_hint parameter. That parameter expects the identity token that was issued to you at login (assuming you are using OpenID Connect).
If you are only using OAuth, the end session endpoint is not for you. To revoke an access token you need to use the revocation endpoint. That will then remove the token from your database.
The error you get from the revocation endpoint seems to be related to a different problem (it looks like you are not supplying a client ID and secret).
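Added example (not code from the question, the answer or IdentityServer3 itself) of calling the revocation endpoint the way the answer recommends, from a .NET client; the IdentityServer base URL, client id, client secret and token value are placeholder assumptions, and the client is assumed to be registered with a secret.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

public static class ReferenceTokenRevoker
{
    // Revokes a reference access token via IdentityServer3's /connect/revocation
    // endpoint (RFC 7009). The revocation log in the question shows the server
    // looking for client credentials first in the form body ("client_id is not
    // found in post body") and then in the Basic Authentication header, and
    // returning invalid_client when neither is present. Sending the credentials
    // as HTTP Basic auth satisfies the second check.
    public static async Task<bool> RevokeAsync(
        string identityServerBaseUrl, // placeholder, e.g. "https://idsrv.example"
        string clientId,              // placeholder: the registered client id
        string clientSecret,          // placeholder: that client's secret
        string referenceToken)        // the reference access token to revoke
    {
        using (var http = new HttpClient())
        {
            var credentials = Convert.ToBase64String(
                Encoding.UTF8.GetBytes(clientId + ":" + clientSecret));
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Basic", credentials);

            // The token is sent as the "token" form field, not as id_token_hint.
            // id_token_hint expects the identity token (a JWT), which is why the
            // end session endpoint logged "Malformed JWT token" for a reference token.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                { "token", referenceToken },
                { "token_type_hint", "access_token" }
            });

            var response = await http.PostAsync(
                identityServerBaseUrl.TrimEnd('/') + "/connect/revocation", form);

            // Per RFC 7009, 200 OK means the token is now invalid (or already was).
            // As the answer above states, this is the call that removes the token
            // from the database, i.e. the custom ITokenHandleStore's RemoveAsync.
            return response.StatusCode == HttpStatusCode.OK;
        }
    }
}
```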