我正在使用IdentityServer4和一个MVC客户端。 当客户端会话过期时,我希望我的用户被迫再次登录。 但是无论我做什么IdentityServer似乎都会在会话结束时自动将用户重新登录。
我在客户端启动的是(会话是30秒来测试)
services.AddAuthentication(options => { options.DefaultScheme = "Cookies"; options.DefaultChallengeScheme = "oidc"; }) .AddCookie("Cookies", options => { options.ExpireTimeSpan = new TimeSpan(0, 0, 30); }) .AddOpenIdConnect("oidc", options => { options.SignInScheme = "Cookies"; options.Authority = identityUrl; options.RequireHttpsMetadata = false; options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; options.Scope.Add("Billing"); options.Scope.Add("offline_access"); options.UseTokenLifetime = false; });然后我在IdentityServer中的配置如下:
new Client { ClientId = "Test", ClientName = "Test", AllowedGrantTypes = GrantTypes.HybridAndClientCredentials, AlwaysIncludeUserClaimsInIdToken = true, RequireConsent = false, IdentityTokenLifetime = 30, AccessTokenLifetime = 30, ClientSecrets = { new Secret("secret".Sha256()) }, RedirectUris = { billingUrl + "/signin-oidc" }, PostLogoutRedirectUris = { billingUrl + "/signout-callback-oidc" }, AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, "Billing", "role", "VisionBlue.Cloud.BillingAPI" }, AllowOfflineAccess = true },使用fiddler我可以在30秒后看到一个请求被发送到身份服务器的/连接/授权,这将自动再次登录用户。
有任何想法吗? 我已将所有超时设置为30秒作为测试。
I am using IdentityServer4 and an MVC client. When the clients session expires I want my users to be forced to login again. However no matter what I do IdentityServer seems to automatically log the user back in when the session ends.
My Startup in the client is (session is 30 seconds to test)
services.AddAuthentication(options => { options.DefaultScheme = "Cookies"; options.DefaultChallengeScheme = "oidc"; }) .AddCookie("Cookies", options => { options.ExpireTimeSpan = new TimeSpan(0, 0, 30); }) .AddOpenIdConnect("oidc", options => { options.SignInScheme = "Cookies"; options.Authority = identityUrl; options.RequireHttpsMetadata = false; options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; options.Scope.Add("Billing"); options.Scope.Add("offline_access"); options.UseTokenLifetime = false; });Then my config in IdentityServer is as follows:
new Client { ClientId = "Test", ClientName = "Test", AllowedGrantTypes = GrantTypes.HybridAndClientCredentials, AlwaysIncludeUserClaimsInIdToken = true, RequireConsent = false, IdentityTokenLifetime = 30, AccessTokenLifetime = 30, ClientSecrets = { new Secret("secret".Sha256()) }, RedirectUris = { billingUrl + "/signin-oidc" }, PostLogoutRedirectUris = { billingUrl + "/signout-callback-oidc" }, AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, "Billing", "role", "VisionBlue.Cloud.BillingAPI" }, AllowOfflineAccess = true },Using fiddler I can see after 30 seconds a request is sent to /connect/authorize on the IdentityServer which is automatically logging the user in again.
Any ideas? I have set all timeouts to 30 seconds as a test.
最满意答案
在授权请求( https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest )上使用prompt=login的OpenID Connect参数。 这将告诉IdentityServer您希望用户重新进行身份验证,而不是使用SSO或IdentityServer会话长度。
您应该可以在OpenIdConnectOptions中使用ASP.NET Core执行此操作:
options.Events.OnRedirectToIdentityProvider = context => { context.ProtocolMessage.Prompt = "login"; eturn Task.CompletedTask; };可能有更简单的方法来设置它。
Use the OpenID Connect parameter of prompt=login on your authorization request (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). This will tell IdentityServer that you want the user to re-authenticate instead of using SSO or IdentityServer session length.
You should be able to do this in ASP.NET Core using in your OpenIdConnectOptions:
options.Events.OnRedirectToIdentityProvider = context => { context.ProtocolMessage.Prompt = "login"; eturn Task.CompletedTask; };There might be an easier way to set this though.
更多推荐
发布评论