1. 首頁
  2. 問答
  3. 使用IdentityServer4和Oidc客戶端導致Silent Renew停止工作時的會話超時

使用IdentityServer4和Oidc客戶端導致Silent Renew停止工作時的會話超時

2017-08-30 45 views
0

我目前參與了使用IdentityServer4作爲其身份驗證服務連接到.NET CORE 1.1 WebApi的Angular4 SPA應用程序的開發。使用IdentityServer4和Oidc客戶端導致Silent Renew停止工作時的會話超時

在Angular方面,我們使用了Damien Bod 1.2.1-0.的Oidc客戶端。

我們已成功地通過IdentityServer設置和登錄。問題出現在30分鐘我們得到 身份服務器上的SessionTimeout,從那裏Oidc客戶端獲得401,所以現在沒有授權。

Oidc客戶端被配置爲使用靜默更新,所以應該保持會話打開。然而,這似乎並非如此。來自Oidc作者Damien Bod的評論 似乎表明IdentityServer4會話已超時。

問題: 如何確保IdentityServer4會話在使用Oidc軟件包的Silent Renew時不超時。

安裝在我們IdentityServer4方:我們的客戶端

"ClientId": "MyId", 
     "ClientName": "MyName", 
     "AllowedGrantTypes": [ "implicit" ], 
     "RequireConsent": false, 
     "AllowedScopes": [ "openid", "profile", "email", "role", "api.write", "api.read", "offline_access" ], 
     "RedirectUris": [ "https://localhost:4200" ], 
     "PostLogoutRedirectUris": [ "https://localhost:4200" ], 
     "LogoutUri": "https://localhost:4200", 
     "AllowedCorsOrigins": [ "http://localhost:4200", "https://localhost:4200" ], 
     "AllowOfflineAccess": true, 
     "AllowAccessTokensViaBrowser": true, 
     "AccessTokenType": 0

設置:從IdentityServer

let openIDImplicitFlowConfiguration = new OpenIDImplicitFlowConfiguration(); 
    openIDImplicitFlowConfiguration.stsServer = environment.stsServer; 
    openIDImplicitFlowConfiguration.redirect_url = environment.redirect_url; 
    openIDImplicitFlowConfiguration.client_id = 'MyName'; 
    openIDImplicitFlowConfiguration.response_type = 'id_token token'; 
    openIDImplicitFlowConfiguration.scope = 'openid email profile role api.write api.read offline_access'; 
    openIDImplicitFlowConfiguration.post_logout_redirect_uri = environment.post_logout_redirect_uri; 
    openIDImplicitFlowConfiguration.start_checksession = false; 
    openIDImplicitFlowConfiguration.silent_renew = true; 
    openIDImplicitFlowConfiguration.startup_route = '/home'; 
    openIDImplicitFlowConfiguration.forbidden_route = '/forbidden'; 
    openIDImplicitFlowConfiguration.unauthorized_route = '/unauthorized'; 
    openIDImplicitFlowConfiguration.log_console_warning_active = true; 
    openIDImplicitFlowConfiguration.log_console_debug_active = true; 
    openIDImplicitFlowConfiguration.max_id_token_iat_offset_allowed_in_seconds = 10; 
    openIDImplicitFlowConfiguration.override_well_known_configuration = false; 
    openIDImplicitFlowConfiguration.override_well_known_configuration_url = environment.well_known_config_url; 
    openIDImplicitFlowConfiguration.storage = localStorage; 

    this.oidcSecurityService.setupModule(openIDImplicitFlowConfiguration);

日誌文件,其中顯示了超時:

2017-08-21 11:06:46.910 +12:00 [Information] Request starting HTTP/1.1 GET http://localhost:44345/connect/authorize?response_type=id_token%20token&client_id=AuctionX.Web.Ui.Client.Ng&redirect_uri=http://localhost:4200&scope=openid%20email%20profile%20role%20api.write%20api.read%20offline_access&nonce=N0.008974817642323441503270406807&state=15032704068070.2664008961443083 
2017-08-21 11:06:46.929 +12:00 [Information] Executed DbCommand (1ms) [Parameters=[@__get_Item_0='?' (Size = 450)], CommandType='Text', CommandTimeout='30'] 
SELECT TOP(1) [e].[Id], [e].[AccessFailedCount], [e].[ConcurrencyStamp], [e].[Email], [e].[EmailConfirmed], [e].[LockoutEnabled], [e].[LockoutEnd], [e].[NormalizedEmail], [e].[NormalizedUserName], [e].[PasswordHash], [e].[PhoneNumber], [e].[PhoneNumberConfirmed], [e].[SecurityStamp], [e].[TwoFactorEnabled], [e].[UserName] 
FROM [AspNetUsers] AS [e] 
WHERE [e].[Id] = @__get_Item_0 
2017-08-21 11:06:46.938 +12:00 [Information] AuthenticationScheme: "Identity.Application" signed out. 
2017-08-21 11:06:46.944 +12:00 [Information] AuthenticationScheme: "Identity.External" signed out. 
2017-08-21 11:06:46.950 +12:00 [Information] AuthenticationScheme: "Identity.TwoFactorUserId" signed out. 
2017-08-21 11:06:46.953 +12:00 [Information] "Identity.Application" was not authenticated. Failure message: "No principal." 

Log files from the Oidc Client 
VM543 vendor.bundle.js:441 onWellKnownEndpointsLoaded 
VM543 vendor.bundle.js:441 IsAuthorized: id_token isTokenExpired, start silent renew if active 
VM543 vendor.bundle.js:441 BEGIN refresh session Authorize 
VM543 vendor.bundle.js:441 RefreshSession created. adding myautostate: 15032774526950.18444551521534458 
VM543 vendor.bundle.js:441 startRenew for URL:https://localhost:44345/connect/authorize?response_type=id_token%20token&client_id=AuctionX.Web.Ui.Client.Ng&redirect_uri=http://localhost:4200&scope=openid%20email%20profile%20role%20api.write%20api.read%20offline_access&nonce=N0.055432655304242351503277452695&state=15032774526950.18444551521534458 
VM543 vendor.bundle.js:441 STS server: https://localhost:44345 
VM543 vendor.bundle.js:441 {issuer: "https://localhost:44345", jwks_uri: "https://localhost:44345/.well-known/openid-configuration/jwks", authorization_endpoint: "https://localhost:44345/connect/authorize", token_endpoint: "https://localhost:44345/connect/token", userinfo_endpoint: "https://localhost:44345/connect/userinfo", …} 
VM543 vendor.bundle.js:441 AuthWellKnownEndpoints already defined 
VM543 vendor.bundle.js:441 BEGIN authorizedCallback, no auth data 
VM543 vendor.bundle.js:441 {id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOT…5P2zqgYNYQOuq36tWm37eLOnZ7PE_TiQoHpX9iEbyaZQQmlPg", access_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOT…pU0eoTqFx9sUbjRw__r8z_-FjaTQH0acMb9K8uKzqOn5dgxnw", token_type: "Bearer", expires_in: "120", scope: "openid%20email%20profile%20role%20api.write%20api.read%20offline_access", …} 
VM543 vendor.bundle.js:441 authorizedCallback created, begin token validation 
VM543 vendor.bundle.js:441 jwks_uri: https://localhost:44345/.well-known/openid-configuration/jwks 
VM543 vendor.bundle.js:126701 Angular is running in the development mode. Call enableProdMode() to enable the production mode. 
VM543 vendor.bundle.js:441 validate_id_token_iat_max_offset: 2328 < 10000 
VM543 vendor.bundle.js:441 From the server:DsQ3fMYhzDrjDQJPMfqRzg 
VM543 vendor.bundle.js:441 client validation not decoded:DsQ3fMYhzDrjDQJPMfqRzg 
VM543 vendor.bundle.js:441 AuthorizedCallback token(s) validated, continue 
VM543 vendor.bundle.js:441 eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOTFhMjFiYTA3NjVkM2QzNDhjIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MDMyNzc0NTMsImV4cCI6MTUwMzI3NzU3MywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUiLCJhdWQiOlsiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUvcmVzb3VyY2VzIiwiYXVjdGlvblguYXBpIl0sImNsaWVudF9pZCI6IkF1Y3Rpb25YLldlYi5VaS5DbGllbnQuTmciLCJzdWIiOiI1QkU4NjM1OS0wNzNDLTQzNEItQUQyRC1BMzkzMjIyMkRBQkUiLCJhdXRoX3RpbWUiOjE1MDMyNzU5NzQsImlkcCI6ImxvY2FsIiwicm9sZSI6ImFkbWluIiwic2NvcGUiOlsib3BlbmlkIiwiZW1haWwiLCJwcm9maWxlIiwicm9sZSIsImFwaS53cml0ZSIsImFwaS5yZWFkIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.ZvIho_FnuW_27b_sgLL_nJj_45tqlO4oMSkgFKj8cDObR--4OC1wESgo9jH6vjPR4Gx42DK5iiryaW8X91Yr_X8l-rcwECMacsXR_aZYCVKOC5kORLNHEzSg1ha0vI7EQCn2wuLn_z-ljJGVhxMbc2tI_kCt4abuChA0AryKt0EFCQ_11rvZry_yW49nlUBO_WgkgSB4R5x9MHQiWKlW6UOW-1t790QoARQjyp9WJ0AsHc4xtBjOmLJzOb7kTjp7ND5zrM7QVBK5HOewaV4fL7cVjWGXEZmH9m9D3pU0eoTqFx9sUbjRw__r8z_-FjaTQH0acMb9K8uKzqOn5dgxnw 
VM543 vendor.bundle.js:441 eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOTFhMjFiYTA3NjVkM2QzNDhjIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MDMyNzc0NTMsImV4cCI6MTUwMzI3NzU0MywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUiLCJhdWQiOiJBdWN0aW9uWC5XZWIuVWkuQ2xpZW50Lk5nIiwibm9uY2UiOiJOMC4wNTU0MzI2NTUzMDQyNDIzNTE1MDMyNzc0NTI2OTUiLCJpYXQiOjE1MDMyNzc0NTMsImF0X2hhc2giOiJEc1EzZk1ZaHpEcmpEUUpQTWZxUnpnIiwic2lkIjoiMWJkNjQ0YmVhMjQwZjM1MDc2YzQ5NzVjOTg0ZjI1N2IiLCJzdWIiOiI1QkU4NjM1OS0wNzNDLTQzNEItQUQyRC1BMzkzMjIyMkRBQkUiLCJhdXRoX3RpbWUiOjE1MDMyNzU5NzQsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.pExwBcxTQiT2nY38l5f6ZGNs4gzLTYZlUEO6sDl_Q2fPmzjppKn-7yU8bhjCy6xZKKuOT3pRO3JmZFEln1CDBfJqTsOg4UH8tu0MIIeMkiIBwjMooqb-ocN6JPwkrr-CuSk90xsQmGPqdaSRLC7IHFQ2VPq5Ic7b9Jd4CXIDZQbBKdR2PEC8n2Rfl-ayDOEXzOni8ylQ5ksu28eRicv7-HYimnF3Xc63xiBIC1NH4OofxQoqQRdBL2j8OJDKXQY6oDZxUNBLsIf1-jnM_MUTnr4tHoiX-XIhbZuTa5P2zqgYNYQOuq36tWm37eLOnZ7PE_TiQoHpX9iEbyaZQQmlPg 
VM543 vendor.bundle.js:441 storing to storage, getting the roles 
VM543 vendor.bundle.js:441 onWellKnownEndpointsLoaded 
VM543 vendor.bundle.js:441 IsAuthorized: id_token isTokenExpired, start silent renew if active 
VM543 vendor.bundle.js:441 BEGIN refresh session Authorize 
VM543 vendor.bundle.js:441 RefreshSession created. adding myautostate: 15032775466960.9369647619628338 
VM543 vendor.bundle.js:441 startRenew for URL:https://localhost:44345/connect/authorize?response_type=id_token%20token&client_id=AuctionX.Web.Ui.Client.Ng&redirect_uri=http://localhost:4200&scope=openid%20email%20profile%20role%20api.write%20api.read%20offline_access&nonce=N0.223876239755147031503277546696&state=15032775466960.9369647619628338 
VM543 vendor.bundle.js:441 STS server: https://localhost:44345 
VM543 vendor.bundle.js:441 {issuer: "https://localhost:44345", jwks_uri: "https://localhost:44345/.well-known/openid-configuration/jwks", authorization_endpoint: "https://localhost:44345/connect/authorize", token_endpoint: "https://localhost:44345/connect/token", userinfo_endpoint: "https://localhost:44345/connect/userinfo", …} 
VM543 vendor.bundle.js:441 AuthWellKnownEndpoints already defined 
VM543 vendor.bundle.js:441 BEGIN authorizedCallback, no auth data 
VM543 vendor.bundle.js:441 {id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOT…y0UvzWAIigtnoy8ho-RvIHCVLfFNdrS_YockJLRhwZZHtOgVg", access_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOT…Q4CSsXVqa58bI7tROqruKxn9bb3q7zPIV-KSTOhXGAFo7ZN7Q", token_type: "Bearer", expires_in: "120", scope: "openid%20email%20profile%20role%20api.write%20api.read%20offline_access", …} 
VM543 vendor.bundle.js:441 authorizedCallback created, begin token validation 
VM543 vendor.bundle.js:441 jwks_uri: https://localhost:44345/.well-known/openid-configuration/jwks 
VM543 vendor.bundle.js:126701 Angular is running in the development mode. Call enableProdMode() to enable the production mode. 
VM543 vendor.bundle.js:441 validate_id_token_iat_max_offset: 2334 < 10000 
VM543 vendor.bundle.js:441 From the server:VBff-XldgCju7j-ghbcK3g 
VM543 vendor.bundle.js:441 client validation not decoded:VBff-XldgCju7j-ghbcK3g 
VM543 vendor.bundle.js:441 AuthorizedCallback token(s) validated, continue 
VM543 vendor.bundle.js:441 eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOTFhMjFiYTA3NjVkM2QzNDhjIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MDMyNzc1NDcsImV4cCI6MTUwMzI3NzY2NywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUiLCJhdWQiOlsiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUvcmVzb3VyY2VzIiwiYXVjdGlvblguYXBpIl0sImNsaWVudF9pZCI6IkF1Y3Rpb25YLldlYi5VaS5DbGllbnQuTmciLCJzdWIiOiI1QkU4NjM1OS0wNzNDLTQzNEItQUQyRC1BMzkzMjIyMkRBQkUiLCJhdXRoX3RpbWUiOjE1MDMyNzU5NzQsImlkcCI6ImxvY2FsIiwicm9sZSI6ImFkbWluIiwic2NvcGUiOlsib3BlbmlkIiwiZW1haWwiLCJwcm9maWxlIiwicm9sZSIsImFwaS53cml0ZSIsImFwaS5yZWFkIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.Xy1X3CeEaTYAWNKkYrIKKhZiEYkRnGJve1pP2kDO5qRg5-Qe-g9h-0BB-j5TeXE1VIrBOJ-1vr6Vkr28jfyAz7t02rHnK9Vs94xFc2H8UNcF98YBT-7GKqRd-FB1L3lQqtZWMku4b01qmIPSjUThzShcdgrbOsIpwdxC3UB-Ziram6EfUme10Wpb2J1vto7rEKcurQ6LZI3645x0rTlGS2fXU7x0UQxfxhAX9VNYwAreT8T2-O4mLzr9Ejbd-kMEfXNALIUUJ3KKRmGOGCHM5fwHzsuX67gIqJXueQ4CSsXVqa58bI7tROqruKxn9bb3q7zPIV-KSTOhXGAFo7ZN7Q 
VM543 vendor.bundle.js:441 eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlY2ZkYTVhMmI1OTAwOTFhMjFiYTA3NjVkM2QzNDhjIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MDMyNzc1NDcsImV4cCI6MTUwMzI3NzYzNywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNDUiLCJhdWQiOiJBdWN0aW9uWC5XZWIuVWkuQ2xpZW50Lk5nIiwibm9uY2UiOiJOMC4yMjM4NzYyMzk3NTUxNDcwMzE1MDMyNzc1NDY2OTYiLCJpYXQiOjE1MDMyNzc1NDcsImF0X2hhc2giOiJWQmZmLVhsZGdDanU3ai1naGJjSzNnIiwic2lkIjoiMWJkNjQ0YmVhMjQwZjM1MDc2YzQ5NzVjOTg0ZjI1N2IiLCJzdWIiOiI1QkU4NjM1OS0wNzNDLTQzNEItQUQyRC1BMzkzMjIyMkRBQkUiLCJhdXRoX3RpbWUiOjE1MDMyNzU5NzQsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.f-PzKxDafEIRPIz_qL_xtbI4QlDybyyRWMhnxUaNzOS1SJGVLVY1zpx89Y0MHlSe8NSZgtBOieB_Wr52nKZLm85ItMOCSpr5I5uZBi_mdufBEJWzOfbcnPT53pvpETwBVxSAOJvJXq-XxC-rxCeoHs7xd57M57RWa_Wla_rgh2-dVdscHHxA7fKDToEM_SpLgmFlI4QWV3DnMtkNWVzXkSNq1Iv5AOvtfI_j5Dz5XgsJAoyI1vWQHZqRuNO8_TK0g2oudvfv-xji1Uc_oFA_0rEdfoacNoyAwe4vky0UvzWAIigtnoy8ho-RvIHCVLfFNdrS_YockJLRhwZZHtOgVg 
VM543 vendor.bundle.js:441 storing to storage, getting the roles 
VM543 vendor.bundle.js:441 onWellKnownEndpointsLoaded 
home:1 Refused to display 'https://localhost:44345/account/login?returnUrl=%2Fconnect%2Fauthorize%2Flogin%3Fresponse_type%3Did_token%2520token%26client_id%3DAuctionX.Web.Ui.Client.Ng%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4200%26scope%3Dopenid%2520email%2520profile%2520role%2520api.write%2520api.read%2520offline_access%26nonce%3DN0.481244061017480631503277824820%26state%3D15032778248200.2571680787467199' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

來源

2017-08-30 dreza

回答

0

這是可能的,這是根本不是UI客戶端的問題,而是Cookie在Ide上失效ntityServer方面等有效簽署用戶。

這似乎延長,這是SecurityStampValidationInterval如(至1小時)的設置:

services.AddIdentity<IdentityUser, IdentityRole>(
         options => 
         { 
          options.Cookies.ApplicationCookie.AuthenticationScheme = cookieAuth.AuthenticationScheme; 

          options.SecurityStampValidationInterval = TimeSpan.FromHours(1); 

          options.Password.RequiredLength = 8; 
          options.Password.RequireUppercase = true; 
          options.Password.RequireLowercase = true; 
          options.Password.RequireNonAlphanumeric = true; 
          options.Password.RequireDigit = true; 
         })

然而,這並不理想,因爲用戶即使沒有發生任何變化在1小時後仍註銷。爲什麼這種情況尚未確定。

來源

2017-09-05 23:44:14 dreza

相關問題

 相關問題