IdentityServer4 - Refresh Tokens Hybrid Flow - Cookies and storage
I have followed the Quickstart Hybrid Flow here, but I need some help and advice on saving the tokens after using the refresh token.
If I am right, the SaveTokens option allows the tokens to be saved in a cookie.
First, is it a good idea to store the access and refresh tokens in a cookie (security concern)?
Other question: I correctly retrieve the refresh token with the code
    var refreshToken = await HttpContext.GetTokenAsync("refresh_token");
But now, when I get a new access token, how do I store it (there is no SetTokenAsync method)? ... because without it, when I call GetTokenAsync I retrieve the old access token while I want the new one.
Thanks
Interactive clients should use an authorization code-based flow. To protect against code substitution, either hybrid flow or PKCE should be used.
So the combination of PKCE and hybrid flow is not required and probably not useful.
If PKCE is available, this is the simpler solution to the problem. PKCE is already the official recommendation for native applications and SPAs - and with the release of ASP.NET Core 3 also by default supported in the OpenID Connect handler as well.
So do not use the hybrid flow, but configure it as an interactive ASP.NET Core MVC client.
    new Client
    {
        ClientId = "mvc",
        ClientSecrets = { new Secret("secret".Sha256()) },
        AllowedGrantTypes = GrantTypes.Code,
        RequireConsent = false,
        RequirePkce = true,
        // where to redirect to after login
        RedirectUris = { "http://localhost:5002/signin-oidc" },
        // where to redirect to after logout
        PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
        AllowedScopes = new List<string>
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile
        }
    }
where the mvc client has the expected configuration:
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;
        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        options.ResponseType = "code";
        options.SaveTokens = true;
    });
I can also recommend this post from Brock Allen, which may answer your question about cookies. You can also check the post by Dominick Baier for information on how to use refresh tokens.
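On the question's "no SetTokenAsync" point: with SaveTokens = true the tokens live in the AuthenticationProperties of the authentication cookie, so storing a refreshed token means updating those properties and signing the cookie in again. The following is an added example, not code from the question, the answer or the IdentityServer project; it assumes the quickstart's "Cookies" scheme name, the IdentityModel client library, a client configured with AllowOfflineAccess and the offline_access scope requested (neither is in the configuration above), and a token endpoint derived from the Authority shown above.

```csharp
using System;
using System.Globalization;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;                       // NuGet package: IdentityModel
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

public static class TokenRefresher
{
    // Assumptions: the quickstart's cookie scheme name and a token endpoint
    // derived from Authority = "http://localhost:5000" (not stated on the page).
    private const string CookieScheme = "Cookies";
    private const string TokenEndpoint = "http://localhost:5000/connect/token";

    // Exchanges the stored refresh token for new tokens and writes them back
    // into the same authentication cookie that SaveTokens = true populated.
    public static async Task<bool> RefreshAndStoreAsync(HttpContext ctx, HttpClient http)
    {
        var auth = await ctx.AuthenticateAsync(CookieScheme);
        if (!auth.Succeeded) return false;

        var refreshToken = auth.Properties.GetTokenValue("refresh_token");
        if (string.IsNullOrEmpty(refreshToken)) return false;   // only present with offline_access

        var response = await http.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = TokenEndpoint,
            ClientId = "mvc",
            ClientSecret = "secret",
            RefreshToken = refreshToken
        });
        if (response.IsError) return false;   // revoked/expired: let the caller force a fresh login

        // Replace the token values inside AuthenticationProperties ...
        auth.Properties.UpdateTokenValue("access_token", response.AccessToken);
        auth.Properties.UpdateTokenValue("expires_at",
            DateTime.UtcNow.AddSeconds(response.ExpiresIn).ToString("o", CultureInfo.InvariantCulture));
        if (!string.IsNullOrEmpty(response.RefreshToken))      // rotation may issue a new refresh token
            auth.Properties.UpdateTokenValue("refresh_token", response.RefreshToken);

        // ... and re-issue the cookie, so GetTokenAsync("access_token") now returns the new token.
        await ctx.SignInAsync(CookieScheme, auth.Principal, auth.Properties);
        return true;
    }
}
```

The tokens in the cookie are protected by ASP.NET Core Data Protection, so the browser only ever holds an encrypted blob; the refreshed values are visible to server code alone.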