我想知道這是我的失誤,還是 ASP.NET Identity 的錯誤/功能:刪除用戶後,刷新令牌仍然不會失敗
我們在ASP.NET MVC 5項目中使用ASP.NET Identity 1.0。 OAuth配置如下:
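/// <summary>
/// OWIN authentication wiring: cookie auth for the MVC site and an OAuth
/// authorization server (password / refresh-token grants at /token) for the Web API.
/// </summary>
public partial class Startup
{
    static Startup()
    {
        PublicClientId = "self";
        // A fresh UserManager (and DbContext) per call; callers own the instance and should dispose it.
        UserManagerFactory = () => new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
            // Refresh tokens are self-contained (the protected ticket itself); nothing is stored server-side,
            // so any revocation has to happen by re-validating the ticket's subject in OnReceive.
            RefreshTokenProvider = new AuthenticationTokenProvider()
            {
                OnCreate = CreateRefreshToken,
                OnReceive = ReceiveRefreshToken
            },
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            // The token endpoint answers over plain HTTP, so bearer and refresh tokens can travel unencrypted.
            // Keep this enabled for local development only.
            AllowInsecureHttp = true
        };
    }

    /// <summary>Options handed to <see cref="ConfigureAuth"/>; built once in the static constructor.</summary>
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    /// <summary>
    /// Creates the user manager used by the OAuth provider and by refresh-token validation.
    /// NOTE(review): declared as Func&lt;SphUserManager&gt; but assigned a UserManager&lt;ApplicationUser&gt;
    /// above — confirm SphUserManager is the intended type.
    /// </summary>
    public static Func<SphUserManager> UserManagerFactory { get; set; }

    /// <summary>Client id reported to the OAuth provider for this application's own clients.</summary>
    public static string PublicClientId { get; private set; }

    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    /// <summary>Registers cookie, external-login cookie and bearer-token authentication on the OWIN pipeline.</summary>
    /// <param name="app">The OWIN application builder.</param>
    public void ConfigureAuth(IAppBuilder app)
    {
        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/login")
        });

        // Use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);
    }

    /// <summary>
    /// Issues a refresh token by protecting the ticket as-is. No separate refresh-token
    /// lifetime is set here, so the token carries whatever expiry the ticket already has.
    /// </summary>
    /// <param name="context">Token-creation context supplied by the OAuth server.</param>
    private static void CreateRefreshToken(AuthenticationTokenCreateContext context)
    {
        context.SetToken(context.SerializeTicket());
    }

    /// <summary>
    /// Unprotects an incoming refresh token and then re-checks that the user it names still
    /// exists. Without this check a deleted user could keep renewing access tokens until the
    /// ticket expires, because the token itself is the only state the server sees.
    /// </summary>
    /// <param name="context">Token-receive context supplied by the OAuth server.</param>
    private static void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
    {
        context.DeserializeTicket(context.Token);

        var ticket = context.Ticket;
        if (ticket == null || ticket.Identity == null)
        {
            // Unreadable or tampered token: leaving no ticket makes the server refuse the grant.
            return;
        }

        // Assumes the Microsoft.AspNet.Identity extensions are in scope (GetUserId / FindById),
        // as elsewhere in this file.
        var userId = ticket.Identity.GetUserId();

        using (var userManager = UserManagerFactory())
        {
            if (string.IsNullOrEmpty(userId) || userManager.FindById(userId) == null)
            {
                // The subject no longer exists: drop the ticket so the refresh request fails.
                context.SetTicket(null);
            }
        }
    }
}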
我們使用Web API來註冊和登錄用戶。刷新令牌隨後用於刷新訪問令牌。這是我們沒有想到的:
- 註冊用戶
- 登錄用戶,並獲得訪問令牌和刷新令牌(/token,grant_type=password ...)
- 刪除用戶(直接從數據庫或管理中)。
- 調用刷新令牌,而請求不會失敗。訪問令牌被延長,並且用戶仍然通過驗證(/token,grant_type=refresh_token ...)
這是正確的行爲嗎?我是否應該做些特別的處理來使令牌「失效」?
我會撤銷刷新令牌,但它在客戶端上。用戶可以從Web應用程序中刪除(管理),並且與令牌沒有關係。 – xrasvo
同樣,如何實現刷新令牌取決於您 - 如果您希望在刪除用戶時刷新令牌無效,那麼您需要進行此關聯。 –
我明白了。我希望這會更容易。謝謝回覆。 – xrasvo