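OWIN authentication: expire the current token and remove the cookie

I have an OWIN middleware for authentication. We have two types of authentication. The first type is a bearer token, using the following configuration: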
    var OAuthOptions = new OAuthAuthorizationServerOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        AllowInsecureHttp = true,
        AccessTokenFormat = new SecureTokenFormatter(GetMachineKey())
    };
The second type uses an authentication cookie for external login:
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
        AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
        CookieHttpOnly = true,
        CookieSecure = CookieSecureOption.SameAsRequest,
        CookieName = ".AspNet." + DefaultAuthenticationTypes.ExternalCookie,
        ExpireTimeSpan = TimeSpan.FromMinutes(5),
        TicketDataFormat = new SecureTokenFormatter(GetMachineKey())
    });
When the user logs out, we actually issue two sign-outs:

    Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);

and

    Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ExternalBearer);
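With the first one, I expect to see the .AspNet.ExternalCookie cookie removed from the browser, which it is not. With the second one, I expect my token to be invalidated and User.Current.Identity = null, which it is not.

So how can I
1) physically sign out the current identity for the current session?
2) remove the external cookie from the browser?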
I solved the same problem with: Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie); FederatedAuthentication.SessionAuthenticationModule.SignOut(); – Alex 2016-08-20 07:46:51