如何使用 IHttpClientFactory 刷新令牌
How to Refresh a token using IHttpClientFactory
我正在使用 IHttpClientFactory 从两个使用 Net Core 2.2 的外部 API 发送请求和接收 HTTP 响应。
我正在寻找一个好的策略来使用存储在 appsettings.json 中的刷新令牌来获取新的访问令牌。当当前请求returns 403或401错误时需要请求新的access token,当新的access和refresh token已经获取后,需要更新appsettings.json的新值以便在后续请求中使用。
我正在使用两个客户端向两个不同的 API 发送请求,但其中只有一个使用令牌身份验证机制。
我已经实现了一些简单有效的方法,但我正在寻找一种更优雅的解决方案,可以在当前令牌过期时动态更新 header :
我已经在Startup.ConfigureServices方法中注册了IHttpClientFactory,如下:
services.AddHttpClient();
注册后,我将在两种不同的方法中使用它来调用两个不同的 API,第一种方法是:
public async Task<AirCallRequest> GetInformationAsync(AirCallModel model)
{
try
{
CandidateResults modelCandidateResult = null;
var request = new HttpRequestMessage(HttpMethod.Get,
"https://*******/v2/*****");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _appSettings.Value.Token);
var clientJAAPI = _httpClientFactory.CreateClient();
var responseclientJAAPI = await clientJAAPI.SendAsync(request);
if (responseclientJAAPI.IsSuccessStatusCode)
{
modelCandidateResult = await responseclientJAAPI.Content
.ReadAsAsync<CandidateResults>();
....
}
if ((responseclientJAAPI .StatusCode.ToString() == "Unauthorized")
{
await RefreshAccessToken();
//Calls recursively this method again
return await GetInformationAsync(model);
}
return null;
}
catch (Exception e)
{
return null;
}
}
刷新令牌的方法如下所示:
private async Task RefreshAccessToken()
{
var valuesRequest = new List<KeyValuePair<string, string>>();
valuesRequest.Add(new KeyValuePair<string, string>("client_id", "*****"));
valuesRequest.Add(new KeyValuePair<string, string>("client_secret","****"));
valuesRequest.Add(new KeyValuePair<string, string>("grant_type", "refresh_token"));
valuesRequest.Add(new KeyValuePair<string, string>("refresh_token", "*****"));
RefreshTokenResponse refreshTokenResponse = null;
var request = new HttpRequestMessage(HttpMethod.Post,
"https://*****/connect/token");
request.Content = new FormUrlEncodedContent(valuesRequest);
var clientJAAPI = _httpClientFactory.CreateClient();
var responseclientJAAPI = await clientJAAPI.SendAsync(request);
if (responseclientJAAPI.IsSuccessStatusCode)
{
refreshTokenResponse = await responseclientJAAPI.Content.ReadAsAsync<RefreshTokenResponse>();
//this updates the POCO object representing the configuration but not the appsettings.json :
_appSettings.Value.Token = refreshTokenResponse.access_token;
}
}
请注意,我正在更新代表配置的 POCO object 而不是 appsettings.json,因此新值存储在内存中。我想为后续请求更新 appsettings.json。
如果提出的解决方案需要在 Startup.ConfigureService 中定义 Httpclient 的主要设置,则需要允许创建 HttpClient 的不同实例,因为其中一个 HttpClient 实例(在另一种方法中使用再打电话 API) 不需要令牌来发送请求。
看来您需要 DelegatingHandler。简而言之,您可以“拦截”您的 http 请求并添加授权 header,然后尝试执行它,如果令牌无效,请刷新令牌并再试一次。类似于:
public class AuthenticationDelegatingHandler : DelegatingHandler
{
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var token = await GetTokenAsync();
request.Headers.Authorization = new AuthenticationHeaderValue(token.Scheme, token.AccessToken);
var response = await base.SendAsync(request, cancellationToken);
if (response.StatusCode == HttpStatusCode.Unauthorized || response.StatusCode == HttpStatusCode.Forbidden)
{
token = await RefreshTokenAsync();
request.Headers.Authorization = new AuthenticationHeaderValue(token.Scheme, token.AccessToken);
response = await base.SendAsync(request, cancellationToken);
}
return response;
}
}
你像这样在 Startup.cs 中注册这个委托处理程序:
services.AddTransient<AuthenticationDelegatingHandler>();
services.AddHttpClient("MySecuredClient", client =>
{
client.BaseAddress = new Uri("https://baseUrl.com/");
})
.AddHttpMessageHandler<AuthenticationDelegatingHandler>();
然后这样使用:
var securedClient = _httpClientFactory.CreateClient("MySecuredClient");
securedClient.SendAsync(new HttpRequestMessage(HttpMethod.Get, "v2/relativeUrl"));
关于在 appsetting.json 中存储刷新令牌。我认为这不是一个好主意,因为刷新令牌没有过期时间。如果您第一次可以使用凭据获取新令牌,请使用它,然后存储刷新令牌in-memory 以供进一步刷新。
Here 您可以了解我如何管理客户端凭据令牌刷新并尝试使其适用于您的场景。
更新:
Here you can find same idea but implemented by professionals and available in nuget。用法很简单:
services.AddAccessTokenManagement(options =>
{
options.Client.Clients.Add("identityserver", new ClientCredentialsTokenRequest
{
Address = "https://demo.identityserver.io/connect/token",
ClientId = "m2m.short",
ClientSecret = "secret",
Scope = "api" // optional
});
});
services.AddHttpClient<MyClient>(client =>
{
client.BaseAddress = new Uri("https://demo.identityserver.io/api/");
})
.AddClientAccessTokenHandler();
MyClient 发送的请求将始终具有有效的不记名令牌。刷新自动执行。
我正在使用 IHttpClientFactory 从两个使用 Net Core 2.2 的外部 API 发送请求和接收 HTTP 响应。
我正在寻找一个好的策略来使用存储在 appsettings.json 中的刷新令牌来获取新的访问令牌。当当前请求returns 403或401错误时需要请求新的access token,当新的access和refresh token已经获取后,需要更新appsettings.json的新值以便在后续请求中使用。
我正在使用两个客户端向两个不同的 API 发送请求,但其中只有一个使用令牌身份验证机制。
我已经实现了一些简单有效的方法,但我正在寻找一种更优雅的解决方案,可以在当前令牌过期时动态更新 header :
我已经在Startup.ConfigureServices方法中注册了IHttpClientFactory,如下:
services.AddHttpClient();
注册后,我将在两种不同的方法中使用它来调用两个不同的 API,第一种方法是:
public async Task<AirCallRequest> GetInformationAsync(AirCallModel model)
{
try
{
CandidateResults modelCandidateResult = null;
var request = new HttpRequestMessage(HttpMethod.Get,
"https://*******/v2/*****");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _appSettings.Value.Token);
var clientJAAPI = _httpClientFactory.CreateClient();
var responseclientJAAPI = await clientJAAPI.SendAsync(request);
if (responseclientJAAPI.IsSuccessStatusCode)
{
modelCandidateResult = await responseclientJAAPI.Content
.ReadAsAsync<CandidateResults>();
....
}
if ((responseclientJAAPI .StatusCode.ToString() == "Unauthorized")
{
await RefreshAccessToken();
//Calls recursively this method again
return await GetInformationAsync(model);
}
return null;
}
catch (Exception e)
{
return null;
}
}
刷新令牌的方法如下所示:
private async Task RefreshAccessToken()
{
var valuesRequest = new List<KeyValuePair<string, string>>();
valuesRequest.Add(new KeyValuePair<string, string>("client_id", "*****"));
valuesRequest.Add(new KeyValuePair<string, string>("client_secret","****"));
valuesRequest.Add(new KeyValuePair<string, string>("grant_type", "refresh_token"));
valuesRequest.Add(new KeyValuePair<string, string>("refresh_token", "*****"));
RefreshTokenResponse refreshTokenResponse = null;
var request = new HttpRequestMessage(HttpMethod.Post,
"https://*****/connect/token");
request.Content = new FormUrlEncodedContent(valuesRequest);
var clientJAAPI = _httpClientFactory.CreateClient();
var responseclientJAAPI = await clientJAAPI.SendAsync(request);
if (responseclientJAAPI.IsSuccessStatusCode)
{
refreshTokenResponse = await responseclientJAAPI.Content.ReadAsAsync<RefreshTokenResponse>();
//this updates the POCO object representing the configuration but not the appsettings.json :
_appSettings.Value.Token = refreshTokenResponse.access_token;
}
}
请注意,我正在更新代表配置的 POCO object 而不是 appsettings.json,因此新值存储在内存中。我想为后续请求更新 appsettings.json。
如果提出的解决方案需要在 Startup.ConfigureService 中定义 Httpclient 的主要设置,则需要允许创建 HttpClient 的不同实例,因为其中一个 HttpClient 实例(在另一种方法中使用再打电话 API) 不需要令牌来发送请求。
看来您需要 DelegatingHandler。简而言之,您可以“拦截”您的 http 请求并添加授权 header,然后尝试执行它,如果令牌无效,请刷新令牌并再试一次。类似于:
public class AuthenticationDelegatingHandler : DelegatingHandler
{
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var token = await GetTokenAsync();
request.Headers.Authorization = new AuthenticationHeaderValue(token.Scheme, token.AccessToken);
var response = await base.SendAsync(request, cancellationToken);
if (response.StatusCode == HttpStatusCode.Unauthorized || response.StatusCode == HttpStatusCode.Forbidden)
{
token = await RefreshTokenAsync();
request.Headers.Authorization = new AuthenticationHeaderValue(token.Scheme, token.AccessToken);
response = await base.SendAsync(request, cancellationToken);
}
return response;
}
}
你像这样在 Startup.cs 中注册这个委托处理程序:
services.AddTransient<AuthenticationDelegatingHandler>();
services.AddHttpClient("MySecuredClient", client =>
{
client.BaseAddress = new Uri("https://baseUrl.com/");
})
.AddHttpMessageHandler<AuthenticationDelegatingHandler>();
然后这样使用:
var securedClient = _httpClientFactory.CreateClient("MySecuredClient");
securedClient.SendAsync(new HttpRequestMessage(HttpMethod.Get, "v2/relativeUrl"));
关于在 appsetting.json 中存储刷新令牌。我认为这不是一个好主意,因为刷新令牌没有过期时间。如果您第一次可以使用凭据获取新令牌,请使用它,然后存储刷新令牌in-memory 以供进一步刷新。
Here 您可以了解我如何管理客户端凭据令牌刷新并尝试使其适用于您的场景。
更新:
Here you can find same idea but implemented by professionals and available in nuget。用法很简单:
services.AddAccessTokenManagement(options =>
{
options.Client.Clients.Add("identityserver", new ClientCredentialsTokenRequest
{
Address = "https://demo.identityserver.io/connect/token",
ClientId = "m2m.short",
ClientSecret = "secret",
Scope = "api" // optional
});
});
services.AddHttpClient<MyClient>(client =>
{
client.BaseAddress = new Uri("https://demo.identityserver.io/api/");
})
.AddClientAccessTokenHandler();
MyClient 发送的请求将始终具有有效的不记名令牌。刷新自动执行。