我有一个关于超时和身份服务器的问题。目前,我有一个通过身份服务器授权的Web表单客户端,该客户端会发出cookie。处于非活动状态 10 分钟后,此 Cookie 将过期,用户将被定向到身份验证端点,并自动重新授权身份。是否可以绕过此重新身份验证步骤并自动注销用户?如果做不到这一点,这是另一种方式,可以将用户强制到身份的登录页面。理想情况下,我不希望通过同一身份服务器授权的其他客户端具有此十分钟超时规则。 我目前的设置如下,
客户端启动:
public class Startup
{
public void Configuration(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType("Cookies");
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies",
ExpireTimeSpan = TimeSpan.FromMinutes(10),
SlidingExpiration = true
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "oidc",
Authority = "IdentityUrl",
ClientId = "ClientId",
ClientSecret = "ClientSecret",
RedirectUri = "RedirectUri",
ResponseType = "code id_token",
Scope = "scopes",
PostLogoutRedirectUri = "PostLogoutRedirectUri",
RequireHttpsMetadata = true,
UseTokenLifetime = false,
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = context =>
{
if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
context.ProtocolMessage.IdTokenHint = context.OwinContext.Authentication
.User.FindFirst(Constants.ResponseTypes.IdToken)?.Value;
return Task.FromResult(0);
},
SecurityTokenValidated = n =>
{
var id = n.AuthenticationTicket.Identity;
id.AddClaim(new Claim(Constants.ResponseTypes.IdToken, n.ProtocolMessage.IdToken));
n.AuthenticationTicket = new AuthenticationTicket(id, n.AuthenticationTicket.Properties);
return Task.FromResult(0);
}
}
});
app.UseStageMarker(PipelineStage.Authenticate);
}
}
默认.aspx
public partial class _Default : HSTPage
{
protected void Page_Load(object sender, EventArgs e)
{
if (Context.Request.IsAuthenticated) Response.Redirect("HomePageUrl");
else
{
HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties
{
RedirectUri = "CallBackUrl"
});
}
}
}
最后是身份服务器配置
var idpAssemblyName = GetAssemblyName<Startup>();
services.AddIdentityServer()
.AddSigningCredential(LoadCertificateFromStore(_configuration))
.AddConfigurationStore(storeOptions => storeOptions.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, options => options.MigrationsAssembly(idpAssemblyName)))
.AddOperationalStore(storeOptions => storeOptions.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, options => options.MigrationsAssembly(idpAssemblyName)))
.AddAspNetIdentity<IdentityUser>();
在RedirectToIdentityProvider通知中添加Challenge():
RedirectToIdentityProvider = context =>
{
if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
context.ProtocolMessage.IdTokenHint = context.OwinContext.Authentication
.User.FindFirst(Constants.ResponseTypes.IdToken)?.Value;
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Token)
{
n.OwinContext.Authentication.Challenge();
}
return Task.FromResult(0);
},