0
我想知道这是我的失败还是ASP.NET身份的错误/功能。删除用户后,刷新令牌不会失败
我们在ASP.NET MVC 5项目中使用ASP.NET Identity 1.0。 OAuth配置如下:
public partial class Startup
{
static Startup()
{
PublicClientId = "self";
UserManagerFactory =() => new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/token"),
Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
RefreshTokenProvider = new AuthenticationTokenProvider()
{
OnCreate = CreateRefreshToken,
OnReceive = ReceiveRefreshToken
},
AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
AllowInsecureHttp = true
};
}
public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
public static Func<SphUserManager> UserManagerFactory { get; set; }
public static string PublicClientId { get; private set; }
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
// Enable the application to use a cookie to store information for the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/login")
});
// Use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);
}
private static void CreateRefreshToken(AuthenticationTokenCreateContext context)
{
context.SetToken(context.SerializeTicket());
}
private static void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
{
context.DeserializeTicket(context.Token);
}
}
我们使用Web API来注册和登录用户。刷新令牌比用于刷新访问令牌。这是我们没有想到的:
- 注册用户
- 登录用户,并获得访问令牌和刷新令牌(/令牌,grant_type =密码...)
- 删除用户(直接从数据库或管理中)。
- 调用刷新令牌并且请求不会失败。访问令牌延长并且用户仍然通过验证(/令牌,grant_type = refresh_token ...)
它是正确的行为吗?我应该做一些特殊的“无效”令牌吗?
我会撤销刷新令牌,但它在客户端上。用户可以从Web应用程序中删除(管理),并且与令牌没有关系。 – xrasvo
同样,如何实现刷新令牌取决于您 - 如果您希望在删除用户时刷新令牌无效,那么您需要进行此关联。 –
我明白了。我希望这会更容易。谢谢回复。 – xrasvo