
How can an ASP.NET Web API use the refresh token to generate a new token during an authorized HTTP request?


I am using access tokens in my asp.net web api. I use Angular4 as the client application. After login I get an access token and a refresh token. I have an authorize attribute to check whether my Get/Post requests are valid. I send the refresh token together with the access token in every request. When my access token expires, my authorize attribute blocks me from accessing the get/post functions. How can I authorize my get/post functions using the valid refresh token, and generate a new access token while the get/post method is being validated?

1 Answer

  • 1

    Access tokens and refresh tokens are two different things.

    The access token is used to access resources. You send the access token to the resource with every request.

    The refresh token is used to obtain a new access token without sending the credentials again. The refresh token is sent to the authorization endpoint, but only after the access token has expired (an unauthorized response is returned).

    Make sure the refresh token does not expire before the access token does, because otherwise you would have to send the credentials again.

    Also note that the refresh token should be kept secret, since it can be used to retrieve tokens without sending credentials. Always send it over a secure line.

    • Update -

    The server side of the refresh token

    I assume you have an OAuthAuthorizationServerProvider that handles the login. Something like:

    using Microsoft.Owin.Security.OAuth;

    internal class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
    {
        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            // ... credential check, identity creation and context.Validated(...) go here
        }
    }

    To opt in, you override GrantRefreshToken to accept the refresh token:

    public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // chance to change authentication ticket for refresh token requests
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var appUser = await userManager.FindByNameAsync(context.Ticket.Identity.Name);
        var oAuthIdentity = await appUser.GenerateUserIdentityAsync(userManager);
        var newTicket = new AuthenticationTicket(oAuthIdentity, context.Ticket.Properties);
    
        context.Validated(newTicket);
    }
    

    Add a provider that adds the refresh token to the ticket:

    using System;
    using Microsoft.Owin.Security.Infrastructure;

    internal class ApplicationOAuthRefreshTokenProvider : AuthenticationTokenProvider
    {
        public override void Create(AuthenticationTokenCreateContext context)
        {
            // Create() is synchronous, hence the blocking .Result on the form read.
            var form = context.Request.ReadFormAsync().Result;
            // Get() returns null when the field is absent, so there is no index into a null list.
            var grantType = form.Get("grant_type");

            // If I remember correctly we arrive here for all implemented grant types.
            // But we don't want to add a refresh token to the refresh token itself.

            if (grantType != "refresh_token")
            {
                // 35 days. The OWIN server answers invalid_grant once ExpiresUtc has passed.
                int expire = 35 * 24 * 60 * 60;
                context.Ticket.Properties.ExpiresUtc = new DateTimeOffset(DateTime.Now.AddSeconds(expire));
                context.SetToken(context.SerializeTicket());
            }
            base.Create(context);
        }

        public override void Receive(AuthenticationTokenReceiveContext context)
        {
            // Turns the presented refresh token back into the original ticket.
            context.DeserializeTicket(context.Token);
            base.Receive(context);
        }
    }

    Don't forget to register it in Startup:

    using System;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Other statements ...

            // Configure the application for OAuth based flow
            var oAuthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/Token"),
                Provider = new ApplicationOAuthProvider("self"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
    #if LIVE
                AllowInsecureHttp = false,
    #else
                AllowInsecureHttp = true,
    #endif
                RefreshTokenProvider = new ApplicationOAuthRefreshTokenProvider()
            };
            app.UseOAuthBearerTokens(oAuthOptions);
        }
    }
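
The flow the answer describes (access token on every resource call, refresh token only to the token endpoint, and only after a 401) from the client's side, as an added example that is not part of the original answer or of the OWIN libraries. The server is a constructed in-memory stand-in for the ASP.NET Web API so the file runs offline; it assumes the same wire format as the Startup registration above (POST /Token with a form body `grant_type=refresh_token&refresh_token=...`, JSON reply, 400 `invalid_grant` for an unknown or expired refresh token) and a made-up protected path `/api/values`. Like the provider on the page, a refresh grant returns a new access token but keeps the same refresh token.

```typescript
// Added example (not from the original post). Fake server + framework-free client.
type TokenPair = { access_token: string; refresh_token: string; expires_in: number };
type HttpInit = { method: string; headers: Record<string, string>; body?: string };
type HttpResponse = { status: number; body: string };
type Transport = (url: string, init: HttpInit) => Promise<HttpResponse>;

// Constructed stand-in for the Web API: token endpoint plus one [Authorize]-protected resource.
class FakeAuthServer {
  static readonly ACCESS_TTL = 60;    // seconds; the refresh token must outlive the access token
  static readonly REFRESH_TTL = 3600;
  private now = 0;                    // simulated clock in seconds
  private seq = 0;
  private accessTokens = new Map<string, { user: string; exp: number }>();
  private refreshTokens = new Map<string, { user: string; exp: number }>();

  tick(seconds: number): void { this.now += seconds; }

  // Login (password grant): hands out both tokens.
  login(user: string): TokenPair {
    const rt = `rt-${++this.seq}`;
    this.refreshTokens.set(rt, { user, exp: this.now + FakeAuthServer.REFRESH_TTL });
    return this.issueAccess(user, rt);
  }

  private issueAccess(user: string, rt: string): TokenPair {
    const at = `at-${++this.seq}`;
    this.accessTokens.set(at, { user, exp: this.now + FakeAuthServer.ACCESS_TTL });
    return { access_token: at, refresh_token: rt, expires_in: FakeAuthServer.ACCESS_TTL };
  }

  handle: Transport = async (url, init) => {
    if (url === "/Token" && init.method === "POST") {
      const form = new URLSearchParams(init.body || "");
      const rt = form.get("refresh_token") || "";
      const entry = this.refreshTokens.get(rt);
      if (form.get("grant_type") !== "refresh_token" || !entry || entry.exp <= this.now) {
        return { status: 400, body: JSON.stringify({ error: "invalid_grant" }) };
      }
      // Same behaviour as the page's provider: new access token, refresh token unchanged.
      return { status: 200, body: JSON.stringify(this.issueAccess(entry.user, rt)) };
    }
    const m = /^Bearer (.+)$/.exec(init.headers["Authorization"] || "");
    const token = m ? this.accessTokens.get(m[1]) : undefined;
    if (!token || token.exp <= this.now) return { status: 401, body: "" }; // expired or unknown token
    return { status: 200, body: JSON.stringify({ user: token.user, values: ["a", "b"] }) };
  };
}

// Client side: what an Angular interceptor would do, without the framework.
class ApiClient {
  private refreshing: Promise<void> | null = null;
  constructor(private transport: Transport, private tokens: TokenPair, private tokenUrl = "/Token") {}

  get accessToken(): string { return this.tokens.access_token; }

  // Resource calls carry only the access token; on 401 refresh once and retry.
  async get(url: string): Promise<HttpResponse> {
    let res = await this.send(url);
    if (res.status === 401) {
      await this.refresh(); // rejects when the refresh token itself has expired: re-login needed
      res = await this.send(url);
    }
    return res;
  }

  private send(url: string): Promise<HttpResponse> {
    return this.transport(url, { method: "GET", headers: { Authorization: `Bearer ${this.tokens.access_token}` } });
  }

  // The refresh token goes to the token endpoint only; concurrent 401s share one refresh call.
  private refresh(): Promise<void> {
    if (!this.refreshing) {
      this.refreshing = (async () => {
        try {
          const body = new URLSearchParams({ grant_type: "refresh_token", refresh_token: this.tokens.refresh_token }).toString();
          const res = await this.transport(this.tokenUrl, {
            method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body,
          });
          if (res.status !== 200) throw new Error(`refresh failed: ${res.body}`);
          this.tokens = JSON.parse(res.body) as TokenPair;
        } finally {
          this.refreshing = null;
        }
      })();
    }
    return this.refreshing;
  }
}

// Walks through: valid access token, expired access token (refresh succeeds), expired refresh token.
async function demo(): Promise<{ fresh: number; afterRefresh: number; newAccessToken: boolean; refreshExpired: boolean }> {
  const server = new FakeAuthServer();
  const client = new ApiClient(server.handle, server.login("alice"));
  const first = client.accessToken;
  const fresh = (await client.get("/api/values")).status;
  server.tick(FakeAuthServer.ACCESS_TTL + 1);   // access token expired, refresh token still valid
  const afterRefresh = (await client.get("/api/values")).status;
  const newAccessToken = client.accessToken !== first;
  server.tick(FakeAuthServer.REFRESH_TTL);      // now the refresh token has expired as well
  const refreshExpired = await client.get("/api/values").then(() => false, () => true);
  return { fresh, afterRefresh, newAccessToken, refreshExpired };
}

demo().then((r) => console.log(r));
```

The third step is the case the question is really about: once the refresh token has also expired the token endpoint answers `invalid_grant`, and the only correct client reaction is to send the user back to login, which is why the answer insists that the refresh token's lifetime must exceed the access token's.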
