我使用IdentityServer4,并希望将其用于我的微服务. 我现在有两项服务: -AuthService -MVC网站 我想使用具有较短生命周期的引用令牌来经常向AuthService请求实际声明,但是找不到用于设置缓存生命周期的属性.
我如何配置声明的缓存时间,这是为用户获取实际声明的好主意吗?
我尝试设置AccessTokenLifeTime,IdentityTokenLifeTime,TokenValidationParameters.ClockSkew,但不适用于此任务.
MVC启动:
... JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); services.AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = "oidc"; }) .AddCookie("Cookies") .AddOpenIdConnect("oidc", options => { options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.Authority = "localhost:5001"; options.ClientId = "client"; options.ClientSecret = "secret"; options.ResponseType = "code id_token"; options.RequireHttpsMetadata = false; options.Scope.Add(IdentityServerConstants.StandardScopes.OpenId); options.Scope.Add(IdentityServerConstants.StandardScopes.Profile); options.Scope.Add("epp"); options.Scope.Add("roles"); options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name", RoleClaimType = "role", ClockSkew = TimeSpan.FromSeconds(10) }; }); ...身份验证服务,Config.cs:
... new Client { ClientId = "client", ClientName = "Display name", AllowedGrantTypes = new List<string>{GrantType.Hybrid}, ClientSecrets = new List<Secret> { new Secret("secret".Sha256()) }, RequireConsent = false, AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, "epp", "roles", }, RedirectUris = new List<string> { "localhost:5003/signin-oidc" }, PostLogoutRedirectUris = new List<string>{ "localhost:5003/signout-callback-oidc" }, AccessTokenType = AccessTokenType.Reference, AlwaysIncludeUserClaimsInIdToken = true, AlwaysSendClientClaims = true, AllowAccessTokensViaBrowser = true, AccessTokenLifetime = 10, IdentityTokenLifetime = 10, UpdateAccessTokenClaimsOnRefresh = true }解决方案
没有用于声明的缓存层.每当运行受保护的([Authorize])终结点时,都会重新构建声明和ClaimsPrincipal.这是由身份验证中间件完成的.通常,您将具有cookie身份验证方案,该方案允许您避免每次都返回到UserInfo端点,并且通常避免令牌的重新验证,直到令牌过期或有效地除去身份验证cookie(通过注销或其他方式)为止.
I use IdentityServer4 and want use it for mine microservices. I have two services now: - AuthService - MVC site I want use reference token with short lifetime cycle for often requesting actual claims from AuthService, but I can't found property for setting cache lifetime.
How I can configure cache time for claims and is it good idea for getting actual claims for user?
I tried set AccessTokenLifeTime, IdentityTokenLifeTime, TokenValidationParameters.ClockSkew, but it's not work for this task.
MVC Startup:
... JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); services.AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = "oidc"; }) .AddCookie("Cookies") .AddOpenIdConnect("oidc", options => { options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.Authority = "localhost:5001"; options.ClientId = "client"; options.ClientSecret = "secret"; options.ResponseType = "code id_token"; options.RequireHttpsMetadata = false; options.Scope.Add(IdentityServerConstants.StandardScopes.OpenId); options.Scope.Add(IdentityServerConstants.StandardScopes.Profile); options.Scope.Add("epp"); options.Scope.Add("roles"); options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name", RoleClaimType = "role", ClockSkew = TimeSpan.FromSeconds(10) }; }); ...Auth Service, Config.cs:
... new Client { ClientId = "client", ClientName = "Display name", AllowedGrantTypes = new List<string>{GrantType.Hybrid}, ClientSecrets = new List<Secret> { new Secret("secret".Sha256()) }, RequireConsent = false, AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, "epp", "roles", }, RedirectUris = new List<string> { "localhost:5003/signin-oidc" }, PostLogoutRedirectUris = new List<string>{ "localhost:5003/signout-callback-oidc" }, AccessTokenType = AccessTokenType.Reference, AlwaysIncludeUserClaimsInIdToken = true, AlwaysSendClientClaims = true, AllowAccessTokensViaBrowser = true, AccessTokenLifetime = 10, IdentityTokenLifetime = 10, UpdateAccessTokenClaimsOnRefresh = true }解决方案
There is no caching layer for claims. The claims along with the ClaimsPrincipal are rebuilt every time a protected ([Authorize]) endpoint is ran. This is done by the authentication middleware. Normally, you would have cookie authentication scheme which allows you to avoid going back to the UserInfo endpoint every time and in general the revalidation of the token until it expires or the authentication cookie is effectively removed (through sign out or other means).
更多推荐
IdentityServer4参考令牌缓存选项
发布评论