AccessTokenLifetime expiration - IdentityServer code flow

I have an ASP.NET Core application with IdentityServer4 for authentication and authorization.
I am using oidc-client with Angular 10 on the front end.
The problem is that my application does not log the user out even after the token expires; it silently refreshes. My AccessTokenLifetime is set to 5 minutes. My CookieSlidingTime is set to 10 minutes. Here is my code:

    // WebStorageStateStore comes from the oidc-client package; Constants is the app's own settings module.
    import { WebStorageStateStore } from 'oidc-client';

    const idServerSettings = {
      authority: Constants.stsAuthority,
      client_id: Constants.clientId,
      scope: 'openid profile',
      response_type: 'code',
      redirect_uri: `${Constants.clientRoot}signin-callback`,
      post_logout_redirect_uri: `${Constants.clientRoot}signout-callback`,
      store: new WebStorageStateStore({ store: localStorage }),
      automaticSilentRenew: true,
      loadUserInfo: true
    };

IdentityServer configuration

    new Client {
        ClientName = "test",
        ClientId = "client-spa",
        AllowedGrantTypes = GrantTypes.Code,
        AlwaysIncludeUserClaimsInIdToken = true,
        RedirectUris = new List<string>() { "https://localhost:44383/signin-callback" },
        PostLogoutRedirectUris = { "https://localhost:44383/signout-callback" },
        AllowedCorsOrigins = { "https://localhost:44383" },
        AccessTokenLifetime = 60 * 5, // TODO
        AllowedScopes = {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "propel-api"
        },
        RequireClientSecret = false
    }

    var builder = services.AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
        options.UserInteraction.LoginUrl = "/Account/Login";
        options.UserInteraction.LogoutUrl = "/Account/Logout";
        // Lifetime of the IdentityServer authentication cookie (the SSO session), not of the access token.
        options.Authentication = new AuthenticationOptions()
        {
            CookieLifetime = TimeSpan.FromMinutes(10),
            CookieSlidingExpiration = true,
        };
    });

The silent refresh happens because you have set automaticSilentRenew to true; according to the docs:

automaticSilentRenew (boolean, default: false): Flag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. The attempt is made as a result of the accessTokenExpiring event being raised.

  • If you are looking for an automatic sign-out feature, it is not designed that way; you need to implement the sign-out yourself. Ref.

  • To force the user to re-login after a period of inactivity, there is no out-of-the-box solution in oidc-client-js (Ref). What you can do is:

    1. Set automaticSilentRenew to false

    2. Implement your own logic to detect user inactivity and call the signinSilent API manually. Ref

      Here are some examples of this approach: , Okta sample

  • If you want to force the user to re-login after a fixed period of time:

    1. Set automaticSilentRenew = false
    2. Set UserSsoLifetime for the client in the IDS4 configuration. Ref

    UserSsoLifetime: The maximum duration (in seconds) since the last time the user authenticated. Defaults to null. You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials instead of being silently authenticated, when using a web application.

    For example, UserSsoLifetime = 10 will force the user to re-authenticate after 10 seconds of inactivity.
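The inactivity-driven renewal the answer describes (automaticSilentRenew off, manual signinSilent only while the user is active), written out as an added example; this is not code from the question, the answer, or the oidc-client project. It assumes an oidc-client UserManager built from the question's settings with `automaticSilentRenew: false`, and it also covers the UserSsoLifetime case from the last bullet: once the IdentityServer session has outlived UserSsoLifetime, the prompt=none silent renew is rejected (login_required), so the renewer treats a failed silent renew as "send the user back to login" instead of leaving a stale token in place. The names `createIdleRenewer`, `wireToUserManager` and `idleLimitMs` are hypothetical helpers introduced here; the clock and the two sign-in/sign-out calls are injected so the decision logic can run outside a browser.

```javascript
// Added example: idle-aware token renewal for oidc-client (not the project's own code).
// Assumed setup: a UserManager created with automaticSilentRenew: false, so nothing
// renews the token unless onAccessTokenExpiring below decides to.

function createIdleRenewer({ idleLimitMs, now = () => Date.now(), signinSilent, signoutRedirect }) {
  // Timestamp (ms) of the last observed user interaction; starts "active" at creation.
  let lastActivity = now();

  // Hook this to DOM activity events (mousemove, keydown, click, ...).
  function recordActivity() {
    lastActivity = now();
  }

  // True when the user has been quiet for longer than the configured idle limit.
  function isIdle() {
    return now() - lastActivity > idleLimitMs;
  }

  // Pure decision used by onAccessTokenExpiring: 'renew' while the user is active,
  // 'signout' once the idle limit has passed.
  function nextAction() {
    return isIdle() ? 'signout' : 'renew';
  }

  // Handler for the oidc-client accessTokenExpiring event, which fires
  // accessTokenExpiringNotificationTime seconds (default 60) before expiry.
  // Resolves to 'renewed', 'signed-out' (idle) or 'login-required' (silent renew
  // rejected, e.g. the IdentityServer session exceeded UserSsoLifetime).
  async function onAccessTokenExpiring() {
    if (nextAction() === 'signout') {
      await signoutRedirect();
      return 'signed-out';
    }
    try {
      await signinSilent();
      return 'renewed';
    } catch (err) {
      // prompt=none failed (login_required / interaction_required): the token will
      // expire shortly, so take the user to an interactive login rather than stall.
      await signoutRedirect();
      return 'login-required';
    }
  }

  return { recordActivity, isIdle, nextAction, onAccessTokenExpiring };
}

// Browser wiring: attach activity listeners and the expiring-event handler.
// `userManager` is an oidc-client UserManager; `doc` is injectable for clarity.
function wireToUserManager(userManager, renewer, doc) {
  ['mousemove', 'keydown', 'click', 'scroll', 'touchstart'].forEach(evt =>
    doc.addEventListener(evt, renewer.recordActivity, { passive: true }));
  userManager.events.addAccessTokenExpiring(() => {
    renewer.onAccessTokenExpiring().catch(err => console.error('renewal handling failed', err));
  });
}

// Usage (browser only; `userManager` assumed to exist as in the question's setup):
if (typeof window !== 'undefined' && typeof userManager !== 'undefined') {
  const renewer = createIdleRenewer({
    idleLimitMs: 10 * 60 * 1000, // assumed: log out after 10 minutes without interaction
    signinSilent: () => userManager.signinSilent(),
    signoutRedirect: () => userManager.signoutRedirect(),
  });
  wireToUserManager(userManager, renewer, document);
}
```

With an AccessTokenLifetime of 5 minutes this means an active user gets a fresh token roughly every four minutes, while a user who walks away is signed out at the first expiry after the idle limit; the 10-minute sliding cookie on the server never gets extended by a silent renew for an idle user, so the SSO session ends on its own schedule as well.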