在 asp.net vnext 上使用不记名令牌身份验证刷新令牌
refresh token with bearer token authentication on asp.net vnext
我有一个 angularJS 应用程序,它使用 asp.net vnext,它使用 JwtBearerAuthentication 进行身份验证。我使用 AspNet.Security.OpenIdConnect.Server 来验证应用程序。当我登录时,我收到一个 json 响应,其中包含我可以用于授权请求的 access_token。我也想收到刷新令牌。这怎么可能?
Startup.cs
public void Configure(IApplicationBuilder app) {
app.UseJwtBearerAuthentication(options => {
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.TokenValidationParameters.ValidateAudience = false;
options.Authority = Configuration.Get<string>("OAuth:Authority");
options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
metadataAddress: options.Authority + ".well-known/openid-configuration",
configRetriever: new OpenIdConnectConfigurationRetriever(),
docRetriever: new HttpDocumentRetriever() { RequireHttps = false });
});
app.UseOpenIdConnectServer(configuration => {
configuration.Issuer = new Uri(Configuration.Get<string>("OpenId:Issuer"));
configuration.AllowInsecureHttp = true;
configuration.AuthorizationEndpointPath = PathString.Empty;
configuration.AuthenticationScheme = OpenIdConnectServerDefaults.AuthenticationScheme;
configuration.Provider = new AuthorizationProvider();
});
}
AuthorizationProvider.cs
public class AuthorizationProvider : OpenIdConnectServerProvider {
public override Task ValidateClientAuthentication(ValidateClientAuthenticationContext context) {
context.Skipped();
return Task.FromResult<object>(null);
}
public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context) {
string username = context.UserName;
string password = context.Password;
UserManager<ApplicationUser> userManager = context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>();
ApplicationUser user = userManager.FindByNameAsync(username).Result;
if (userManager.CheckPasswordAsync(user, password).Result) {
ClaimsIdentity identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(ClaimTypes.Name, username, "token id_token");
List<string> roles = userManager.GetRolesAsync(user).Result.ToList();
foreach (string role in roles) {
identity.AddClaim(ClaimTypes.Role, role, "token id_token");
}
ClaimsPrincipal principal = new ClaimsPrincipal(identity);
context.Validated(principal);
} else {
context.Rejected("invalid credentials");
}
return Task.FromResult<object>(null);
}
}
AngularJS 登录码
$http({
method: 'POST',
url: 'connect/token',
headers: {
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
},
data: $.param({
grant_type: 'password',
username: email,
password: password
})
}).then(function (response) {
if (response.status == 200) {
var token = response.data.access_token;
localStorage.setItem('token', token);
}
});
创建您的刷新令牌提供程序并将其包含到您的身份验证选项中。您可以在这里找到在类似环境中如何使用它的完整示例:
与 OAuthAuthorizationServerMiddleware
不同,ASOS 提供 built-in 刷新令牌支持:您不必为此创建自己的令牌提供程序。
请注意,从 ASOS beta3(2015 年 10 月发布)开始,您现在必须请求并授予 offline_access
范围以检索刷新令牌,as recommended by the OpenID Connect specs: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/128
您需要更新 GrantResourceOwnerCredentials
以允许 ASOS 向您的客户端应用程序发出刷新令牌:
public override async Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context) {
string username = context.UserName;
string password = context.Password;
UserManager<ApplicationUser> userManager = context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>();
ApplicationUser user = await userManager.FindByNameAsync(username);
if (await userManager.CheckPasswordAsync(user, password)) {
ClaimsIdentity identity = new ClaimsIdentity(
context.Options.AuthenticationScheme);
identity.AddClaim(ClaimTypes.Name, username,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
foreach (string role in await userManager.GetRolesAsync(user)) {
identity.AddClaim(ClaimTypes.Role, role,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
AuthenticationTicket ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
// Call SetResources with the list of resource servers
// the access token should be issued for.
ticket.SetResources("resource_server_1");
// Only grant the "offline_access" scope
// if it was requested by the client application:
List<string> scopes = new List<string>();
if (context.Request.HasScope("offline_access")) {
scopes.Add("offline_access");
}
// Call SetScopes with the list of scopes you want to grant.
ticket.SetScopes(scopes);
context.Validate(ticket);
} else {
context.Reject("invalid credentials");
}
return Task.FromResult(0);
}
...和您的 Angular 代码指定 scope
参数:
$http({
method: 'POST',
url: 'connect/token',
headers: {
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
},
data: $.param({
grant_type: 'password',
username: email,
password: password,
scope: 'offline_access'
})
}).then(function (response) {
if (response.status == 200) {
var token = response.data.access_token;
var refreshToken = response.data.refresh_token;
localStorage.setItem('token', token);
localStorage.setItem('refresh_token', refreshToken);
}
});
要检索新的访问令牌,请使用 refresh_token
授权:
$http({
method: 'POST',
url: 'connect/token',
headers: {
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
},
data: $.param({
grant_type: 'refresh_token',
refresh_token: refreshToken
})
}).then(function (response) {
if (response.status == 200) {
var token = response.data.access_token;
localStorage.setItem('token', token);
}
});
我有一个 angularJS 应用程序,它使用 asp.net vnext,它使用 JwtBearerAuthentication 进行身份验证。我使用 AspNet.Security.OpenIdConnect.Server 来验证应用程序。当我登录时,我收到一个 json 响应,其中包含我可以用于授权请求的 access_token。我也想收到刷新令牌。这怎么可能?
Startup.cs
public void Configure(IApplicationBuilder app) {
app.UseJwtBearerAuthentication(options => {
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.TokenValidationParameters.ValidateAudience = false;
options.Authority = Configuration.Get<string>("OAuth:Authority");
options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
metadataAddress: options.Authority + ".well-known/openid-configuration",
configRetriever: new OpenIdConnectConfigurationRetriever(),
docRetriever: new HttpDocumentRetriever() { RequireHttps = false });
});
app.UseOpenIdConnectServer(configuration => {
configuration.Issuer = new Uri(Configuration.Get<string>("OpenId:Issuer"));
configuration.AllowInsecureHttp = true;
configuration.AuthorizationEndpointPath = PathString.Empty;
configuration.AuthenticationScheme = OpenIdConnectServerDefaults.AuthenticationScheme;
configuration.Provider = new AuthorizationProvider();
});
}
AuthorizationProvider.cs
public class AuthorizationProvider : OpenIdConnectServerProvider {
public override Task ValidateClientAuthentication(ValidateClientAuthenticationContext context) {
context.Skipped();
return Task.FromResult<object>(null);
}
public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context) {
string username = context.UserName;
string password = context.Password;
UserManager<ApplicationUser> userManager = context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>();
ApplicationUser user = userManager.FindByNameAsync(username).Result;
if (userManager.CheckPasswordAsync(user, password).Result) {
ClaimsIdentity identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(ClaimTypes.Name, username, "token id_token");
List<string> roles = userManager.GetRolesAsync(user).Result.ToList();
foreach (string role in roles) {
identity.AddClaim(ClaimTypes.Role, role, "token id_token");
}
ClaimsPrincipal principal = new ClaimsPrincipal(identity);
context.Validated(principal);
} else {
context.Rejected("invalid credentials");
}
return Task.FromResult<object>(null);
}
}
AngularJS 登录码
$http({
method: 'POST',
url: 'connect/token',
headers: {
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
},
data: $.param({
grant_type: 'password',
username: email,
password: password
})
}).then(function (response) {
if (response.status == 200) {
var token = response.data.access_token;
localStorage.setItem('token', token);
}
});
创建您的刷新令牌提供程序并将其包含到您的身份验证选项中。您可以在这里找到在类似环境中如何使用它的完整示例:
与 OAuthAuthorizationServerMiddleware
不同,ASOS 提供 built-in 刷新令牌支持:您不必为此创建自己的令牌提供程序。
请注意,从 ASOS beta3(2015 年 10 月发布)开始,您现在必须请求并授予 offline_access
范围以检索刷新令牌,as recommended by the OpenID Connect specs: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/128
您需要更新 GrantResourceOwnerCredentials
以允许 ASOS 向您的客户端应用程序发出刷新令牌:
public override async Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context) {
string username = context.UserName;
string password = context.Password;
UserManager<ApplicationUser> userManager = context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>();
ApplicationUser user = await userManager.FindByNameAsync(username);
if (await userManager.CheckPasswordAsync(user, password)) {
ClaimsIdentity identity = new ClaimsIdentity(
context.Options.AuthenticationScheme);
identity.AddClaim(ClaimTypes.Name, username,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
foreach (string role in await userManager.GetRolesAsync(user)) {
identity.AddClaim(ClaimTypes.Role, role,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
AuthenticationTicket ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
// Call SetResources with the list of resource servers
// the access token should be issued for.
ticket.SetResources("resource_server_1");
// Only grant the "offline_access" scope
// if it was requested by the client application:
List<string> scopes = new List<string>();
if (context.Request.HasScope("offline_access")) {
scopes.Add("offline_access");
}
// Call SetScopes with the list of scopes you want to grant.
ticket.SetScopes(scopes);
context.Validate(ticket);
} else {
context.Reject("invalid credentials");
}
return Task.FromResult(0);
}
...和您的 Angular 代码指定 scope
参数:
$http({
method: 'POST',
url: 'connect/token',
headers: {
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
},
data: $.param({
grant_type: 'password',
username: email,
password: password,
scope: 'offline_access'
})
}).then(function (response) {
if (response.status == 200) {
var token = response.data.access_token;
var refreshToken = response.data.refresh_token;
localStorage.setItem('token', token);
localStorage.setItem('refresh_token', refreshToken);
}
});
要检索新的访问令牌,请使用 refresh_token
授权:
$http({
method: 'POST',
url: 'connect/token',
headers: {
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
},
data: $.param({
grant_type: 'refresh_token',
refresh_token: refreshToken
})
}).then(function (response) {
if (response.status == 200) {
var token = response.data.access_token;
localStorage.setItem('token', token);
}
});