如何在不创建新刷新令牌的情况下使用刷新令牌更新 Owin 访问令牌?
How to update Owin access tokens with refresh tokens without creating new refresh token?
我已经设法获得了一个简单的示例代码,它可以创建一个不记名令牌,还可以通过阅读 Whosebug 上的其他论坛来通过刷新令牌请求新的不记名令牌。
启动 class 看起来像这样
public class Startup
{
public static void Configuration(IAppBuilder app)
{
app.UseOAuthBearerAuthentication(
new OAuthBearerAuthenticationOptions());
app.UseOAuthAuthorizationServer(
new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new OAuthAuthorizationServerProvider()
{
OnValidateClientAuthentication = async c =>
{
c.Validated();
},
OnGrantResourceOwnerCredentials = async c =>
{
if (c.UserName == "alice" && c.Password == "supersecret")
{
Claim claim1 = new Claim(ClaimTypes.Name, c.UserName);
Claim[] claims = new Claim[] { claim1 };
ClaimsIdentity claimsIdentity =
new ClaimsIdentity(
claims, OAuthDefaults.AuthenticationType);
c.Validated(claimsIdentity);
}
}
},
AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(40),
AllowInsecureHttp = true,
RefreshTokenProvider = new ApplicationRefreshTokenProvider()
});
}
}
我还有一个 class 刷新令牌,如下所示:
public class ApplicationRefreshTokenProvider : AuthenticationTokenProvider
{
public override void Create(AuthenticationTokenCreateContext context)
{
// Expiration time in seconds
int expire = 2 * 60;
context.Ticket.Properties.ExpiresUtc = new DateTimeOffset(DateTime.Now.AddSeconds(expire));
context.SetToken(context.SerializeTicket());
}
public override void Receive(AuthenticationTokenReceiveContext context)
{
context.DeserializeTicket(context.Token);
}
}
我的理解是,通过提供 刷新令牌,您应该获得一个新的 访问令牌。然而,这段代码中发生的事情是,当我提供 refresh token 时,会创建一个新的 refresh token 并 returned 。我希望它在提供 username/password 时第一次创建 access 和 refresh token 但它似乎不正确每次使用刷新令牌请求新的访问令牌时创建新的刷新令牌?
例如,根据我的代码,访问令牌有 20 分钟的时间跨度,刷新令牌有两周的时间跨度,新的 access tokens 可以每 20 分钟创建一次,这很好,但是新的 refresh tokens 也将每 20 分钟创建一次,但持续 2 周。然后会创建很多 刷新令牌 但不会使用。
问题:
几个小时前我才开始reading/learning,所以我很不确定这是正确的行为还是我应该以某种方式更改我的代码以仅创建和return 一个新的 访问令牌 当一个 刷新令牌 被提供并且没有创建并且 return 一个新的 刷新令牌还有?非常感谢任何帮助或输入,谢谢!
由于还没有人回答,我将提供我所做的以及正在做我正在寻找的事情。因此,我现在要接受这个答案。
public class Startup
{
public static void Configuration(IAppBuilder app)
{
app.UseOAuthBearerAuthentication(
new OAuthBearerAuthenticationOptions());
app.UseOAuthAuthorizationServer(
new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new OAuthAuthorizationServerProvider()
{
OnValidateClientAuthentication = async c =>
{
c.Validated();
},
OnGrantResourceOwnerCredentials = async c =>
{
//Add a string with the current date
string dateNow = DateTime.UtcNow.ToString();
if (c.UserName == "alice" && c.Password == "supersecret")
{
Claim claim1 = new Claim(ClaimTypes.Name, c.UserName);
Claim[] claims = new Claim[] { claim1 };
ClaimsIdentity claimsIdentity =
new ClaimsIdentity(
claims, OAuthDefaults.AuthenticationType);
//Add a claim with the creationdate of the token
claimsIdentity.AddClaim(new Claim("creationDate", dateNow));
c.Validated(claimsIdentity);
}
}
},
AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(40),
AllowInsecureHttp = true,
RefreshTokenProvider = new ApplicationRefreshTokenProvider()
});
}
}
我在 ApplicationRefreshTokenProvider 中做了这些更改
public class ApplicationRefreshTokenProvider : AuthenticationTokenProvider
{
public override void Create(AuthenticationTokenCreateContext context)
{
//Get the claim which holds creation date
DateTime creationDate = Convert.ToDateTime(clientid.Claims.Where(c => c.Type == "creationDate").Single().Value);
//Create a variable holding current time minus 30 seconds(This is how long time you can create new refresh tokens by providing your original refresh token)
DateTime now = DateTime.UtcNow.AddSeconds(-30);
//If the time has passed more than 30 seconds from the time you got your original access and refresh token by providing credentials
//you may not create and return new refresh tokens(Obviously the 30 seconds could be changed to something less or more aswell)
if(now < ceationDate)
{
// Expiration time in seconds
int expire = 2 * 60;
context.Ticket.Properties.ExpiresUtc = new DateTimeOffset(DateTime.Now.AddSeconds(expire));
context.SetToken(context.SerializeTicket());
}
}
public override void Receive(AuthenticationTokenReceiveContext context)
{
context.DeserializeTicket(context.Token);
}
}
我已经设法获得了一个简单的示例代码,它可以创建一个不记名令牌,还可以通过阅读 Whosebug 上的其他论坛来通过刷新令牌请求新的不记名令牌。
启动 class 看起来像这样
public class Startup
{
public static void Configuration(IAppBuilder app)
{
app.UseOAuthBearerAuthentication(
new OAuthBearerAuthenticationOptions());
app.UseOAuthAuthorizationServer(
new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new OAuthAuthorizationServerProvider()
{
OnValidateClientAuthentication = async c =>
{
c.Validated();
},
OnGrantResourceOwnerCredentials = async c =>
{
if (c.UserName == "alice" && c.Password == "supersecret")
{
Claim claim1 = new Claim(ClaimTypes.Name, c.UserName);
Claim[] claims = new Claim[] { claim1 };
ClaimsIdentity claimsIdentity =
new ClaimsIdentity(
claims, OAuthDefaults.AuthenticationType);
c.Validated(claimsIdentity);
}
}
},
AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(40),
AllowInsecureHttp = true,
RefreshTokenProvider = new ApplicationRefreshTokenProvider()
});
}
}
我还有一个 class 刷新令牌,如下所示:
public class ApplicationRefreshTokenProvider : AuthenticationTokenProvider
{
public override void Create(AuthenticationTokenCreateContext context)
{
// Expiration time in seconds
int expire = 2 * 60;
context.Ticket.Properties.ExpiresUtc = new DateTimeOffset(DateTime.Now.AddSeconds(expire));
context.SetToken(context.SerializeTicket());
}
public override void Receive(AuthenticationTokenReceiveContext context)
{
context.DeserializeTicket(context.Token);
}
}
我的理解是,通过提供 刷新令牌,您应该获得一个新的 访问令牌。然而,这段代码中发生的事情是,当我提供 refresh token 时,会创建一个新的 refresh token 并 returned 。我希望它在提供 username/password 时第一次创建 access 和 refresh token 但它似乎不正确每次使用刷新令牌请求新的访问令牌时创建新的刷新令牌?
例如,根据我的代码,访问令牌有 20 分钟的时间跨度,刷新令牌有两周的时间跨度,新的 access tokens 可以每 20 分钟创建一次,这很好,但是新的 refresh tokens 也将每 20 分钟创建一次,但持续 2 周。然后会创建很多 刷新令牌 但不会使用。
问题:
几个小时前我才开始reading/learning,所以我很不确定这是正确的行为还是我应该以某种方式更改我的代码以仅创建和return 一个新的 访问令牌 当一个 刷新令牌 被提供并且没有创建并且 return 一个新的 刷新令牌还有?非常感谢任何帮助或输入,谢谢!
由于还没有人回答,我将提供我所做的以及正在做我正在寻找的事情。因此,我现在要接受这个答案。
public class Startup
{
public static void Configuration(IAppBuilder app)
{
app.UseOAuthBearerAuthentication(
new OAuthBearerAuthenticationOptions());
app.UseOAuthAuthorizationServer(
new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new OAuthAuthorizationServerProvider()
{
OnValidateClientAuthentication = async c =>
{
c.Validated();
},
OnGrantResourceOwnerCredentials = async c =>
{
//Add a string with the current date
string dateNow = DateTime.UtcNow.ToString();
if (c.UserName == "alice" && c.Password == "supersecret")
{
Claim claim1 = new Claim(ClaimTypes.Name, c.UserName);
Claim[] claims = new Claim[] { claim1 };
ClaimsIdentity claimsIdentity =
new ClaimsIdentity(
claims, OAuthDefaults.AuthenticationType);
//Add a claim with the creationdate of the token
claimsIdentity.AddClaim(new Claim("creationDate", dateNow));
c.Validated(claimsIdentity);
}
}
},
AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(40),
AllowInsecureHttp = true,
RefreshTokenProvider = new ApplicationRefreshTokenProvider()
});
}
}
我在 ApplicationRefreshTokenProvider 中做了这些更改
public class ApplicationRefreshTokenProvider : AuthenticationTokenProvider
{
public override void Create(AuthenticationTokenCreateContext context)
{
//Get the claim which holds creation date
DateTime creationDate = Convert.ToDateTime(clientid.Claims.Where(c => c.Type == "creationDate").Single().Value);
//Create a variable holding current time minus 30 seconds(This is how long time you can create new refresh tokens by providing your original refresh token)
DateTime now = DateTime.UtcNow.AddSeconds(-30);
//If the time has passed more than 30 seconds from the time you got your original access and refresh token by providing credentials
//you may not create and return new refresh tokens(Obviously the 30 seconds could be changed to something less or more aswell)
if(now < ceationDate)
{
// Expiration time in seconds
int expire = 2 * 60;
context.Ticket.Properties.ExpiresUtc = new DateTimeOffset(DateTime.Now.AddSeconds(expire));
context.SetToken(context.SerializeTicket());
}
}
public override void Receive(AuthenticationTokenReceiveContext context)
{
context.DeserializeTicket(context.Token);
}
}