
Identity Server 3 と Entity Framework を使用しています。私の ASP.NET MVC アプリケーションは以下の設定を使って SSO/IdentityServer アプリケーションにログインし、そのアクセストークンはクッキーに保存され、JavaScript から API を呼び出すために使われます。 IdentityServer3 + Entity Framework によるトークン検証

問題は、ASP.NET MVC アプリケーションにログインした後、データベースに移動してテーブルからそのトークンを削除すると、API は期待どおり「無効なベアラートークン」と返すのに、ASP.NET MVC アプリのページを更新してもまだログイン状態として表示されることです。これはクッキーの設定のためだと思います。

MVC アプリケーションに、常にサーバー側でトークンを検証するよう指示するにはどうすればよいですか? MVC 側でユーザーをサインアウトさせる必要があるのでしょうか。

/// <summary>
/// Builds the IdentityServer3 service factory backed by the Entity Framework stores and
/// seeds the client and scope tables from the in-memory configuration on first run.
/// </summary>
class Factory
{
    /// <summary>
    /// Creates the <see cref="IdentityServerServiceFactory"/> with EF-backed operational
    /// and configuration stores.
    /// </summary>
    /// <returns>A factory ready to be handed to the IdentityServer options.</returns>
    public static IdentityServerServiceFactory Configure()
    {
        // "DefaultConnection" is the name of a connection-string entry, not a raw connection string.
        var storeOptions = new EntityFrameworkServiceOptions
        {
            ConnectionString = "DefaultConnection",
        };

        // Pre-populate the (test) database from the in-memory config; both calls do nothing once rows exist.
        ConfigureClients(Clients.Get(), storeOptions);
        ConfigureScopes(Scopes.Get(), storeOptions);

        var serviceFactory = new IdentityServerServiceFactory
        {
            // NOTE(review): AllowAll = true answers every CORS preflight with the requesting origin.
            // For anything beyond local testing restrict this to the known browser client origins.
            CorsPolicyService = new Registration<ICorsPolicyService>(new DefaultCorsPolicyService { AllowAll = true }),
        };

        // Operational stores (where issued tokens, consent etc. are persisted) ...
        serviceFactory.RegisterOperationalServices(storeOptions);
        // ... and configuration stores (clients, scopes) replacing the in-memory ones.
        serviceFactory.RegisterConfigurationServices(storeOptions);

        return serviceFactory;
    }

    /// <summary>
    /// Inserts <paramref name="clients"/> into the client store, but only when the table is empty.
    /// </summary>
    /// <param name="clients">In-memory client definitions to persist.</param>
    /// <param name="options">Connection-string name and schema for the configuration DbContext.</param>
    public static void ConfigureClients(IEnumerable<Client> clients, EntityFrameworkServiceOptions options)
    {
        using (var db = new ClientConfigurationDbContext(options.ConnectionString, options.Schema))
        {
            // Existing rows win: never overwrite what an operator may have edited in the database.
            if (db.Clients.Any())
            {
                return;
            }

            foreach (var entity in clients.Select(client => client.ToEntity()))
            {
                db.Clients.Add(entity);
            }

            db.SaveChanges();
        }
    }

    /// <summary>
    /// Inserts <paramref name="scopes"/> into the scope store, but only when the table is empty.
    /// </summary>
    /// <param name="scopes">In-memory scope definitions to persist.</param>
    /// <param name="options">Connection-string name and schema for the configuration DbContext.</param>
    public static void ConfigureScopes(IEnumerable<Scope> scopes, EntityFrameworkServiceOptions options)
    {
        using (var db = new ScopeConfigurationDbContext(options.ConnectionString, options.Schema))
        {
            // Same seed-once rule as for clients.
            if (db.Scopes.Any())
            {
                return;
            }

            foreach (var entity in scopes.Select(scope => scope.ToEntity()))
            {
                db.Scopes.Add(entity);
            }

            db.SaveChanges();
        }
    }
}

IdentityServer のクライアント構成

/// <summary>
/// In-memory client definitions used to seed the IdentityServer3 client store.
/// </summary>
public class Clients
{
    /// <summary>
    /// Returns the two registered clients: the resource-owner (password) client and the
    /// hybrid-flow MVC client.
    /// </summary>
    public static List<Client> Get()
    {
        return new List<Client>
        {
            ResourceOwnerClient(),
            MvcHybridClient(),
        };
    }

    /// <summary>Scopes both clients are allowed to request, in registration order.</summary>
    private static List<string> CommonScopes()
    {
        return new List<string>
        {
            Constants.StandardScopes.OpenId,
            Constants.StandardScopes.Profile,
            Constants.StandardScopes.Email,
            Constants.StandardScopes.Roles,
            Constants.StandardScopes.Address,
            Constants.StandardScopes.AllClaims,
        };
    }

    /// <summary>
    /// "resourceowner": password-grant client issuing JWT access tokens plus a one-time-use
    /// refresh token with an absolute lifetime of one day.
    /// </summary>
    private static Client ResourceOwnerClient()
    {
        var allowedScopes = CommonScopes();
        allowedScopes.Add(Constants.StandardScopes.OfflineAccess);
        allowedScopes.Add(SsoConfigHelper.SellutionApiScope);

        return new Client
        {
            ClientName = "Resource Owner Flow",
            ClientId = "resourceowner",
            // NOTE(review): the client secret is hard-coded in source; move it to protected
            // configuration before this leaves a test environment.
            ClientSecrets = new List<Secret> { new Secret("vkgk8M4pj".Sha256()) },
            Flow = Flows.ResourceOwner, //Password authentication
            PrefixClientClaims = false,
            AccessTokenType = AccessTokenType.Jwt,
            AllowedScopes = allowedScopes,
            RequireConsent = false,
            AllowRememberConsent = true,
            LogoutSessionRequired = true,

            RefreshTokenExpiration = TokenExpiration.Absolute,
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
            UpdateAccessTokenClaimsOnRefresh = true,
            AbsoluteRefreshTokenLifetime = (int)TimeSpan.FromDays(1).TotalSeconds,
        };
    }

    /// <summary>
    /// "sellutionapp": the MVC OWIN hybrid-flow client. Access tokens are reference tokens,
    /// i.e. validated against the store rather than self-contained.
    /// </summary>
    private static Client MvcHybridClient()
    {
        var allowedScopes = CommonScopes();
        allowedScopes.Add(SsoConfigHelper.SellutionApiScope);

        return new Client
        {
            ClientName = "Sellution Application",
            ClientId = "sellutionapp",
            Flow = Flows.Hybrid,
            // Tokens are only delivered over the back channel (authorization code exchange), never in the browser redirect.
            AllowAccessTokensViaBrowser = false,

            AllowedScopes = allowedScopes,
            // NOTE(review): hard-coded client secret, same remark as above.
            ClientSecrets = new List<Secret> { new Secret("secret".Sha256()) },

            AccessTokenType = AccessTokenType.Reference,
            RequireConsent = false,
            AllowRememberConsent = true,
            LogoutSessionRequired = true,
        };
    }
}


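/// <summary>
/// OWIN authentication pipeline for the MVC application: a "Cookies" session cookie that is
/// populated by the OpenID Connect hybrid flow against the Sellution STS.
/// </summary>
public static class AuthConfig
{
    /// <summary>
    /// Registers cookie and OpenID Connect authentication on <paramref name="app"/>.
    /// </summary>
    /// <param name="app">The OWIN app builder from Startup.</param>
    /// <remarks>
    /// The cookie middleware is configured without a <c>Provider</c>, so once the cookie has
    /// been issued nothing re-checks the stored access token against the STS until the cookie
    /// itself expires; revoking the token server-side therefore does not end the MVC session.
    /// </remarks>
    public static void RegisterAuth(IAppBuilder app)
    {
        // SECURITY: this callback accepts every server certificate for the whole process, which
        // disables TLS certificate validation for all outbound HTTPS calls (token endpoint,
        // userinfo, anything else). Tolerable only against a local STS with a self-signed
        // certificate; remove it for any real deployment.
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) => true;

        // Turn off the default inbound claim-type mapping so JWT claim names arrive unchanged.
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            // The cookie renews on activity, whereas the access token it carries has a fixed lifetime.
            SlidingExpiration = true,
            ExpireTimeSpan = SellutionConstants.Globals.AccessTokenExpirationTimeSpan
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "sellutionapp",
            Authority = SsoConfigHelper.SellutionSts,
            // Hybrid flow: id_token on the front channel, code exchanged on the back channel below.
            ResponseType = "code id_token",
            Scope = "openid profile roles all_claims " + SsoConfigHelper.SellutionApiScope,
            // Cookie lifetime comes from ExpireTimeSpan above, not from the id_token's expiry.
            UseTokenLifetime = false,

            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                RoleClaimType = "role",
            },

            SignInAsAuthenticationType = "Cookies",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async n =>
                {
                    // Exchange the authorization code for access and refresh tokens over the back channel.
                    // NOTE(review): the client secret is hard-coded; it should come from protected configuration.
                    var tokenClient = new TokenClient(
                        SsoConfigHelper.SellutionStsTokenEndpoint,
                        "sellutionapp",
                        "secret");

                    // The redirect URI must match the one used in the authorization request (see RedirectToIdentityProvider).
                    if (String.IsNullOrEmpty(n.RedirectUri))
                    {
                        n.RedirectUri = n.Request.Scheme + "://" + n.Request.Host + n.Request.PathBase;
                    }

                    var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri);
                    if (tokenResponse.IsError)
                    {
                        // A specific exception type instead of bare Exception; still caught by handlers for the base type.
                        throw new InvalidOperationException(tokenResponse.Error);
                    }

                    // Use the access token to pull the user's claims from the userinfo endpoint.
                    var userInfoClient = new UserInfoClient(
                        new Uri(SsoConfigHelper.SellutionStsUserInfoEndpoint),
                        tokenResponse.AccessToken);

                    var userInfoResponse = await userInfoClient.GetAsync();

                    // Build the identity that goes into the cookie: userinfo claims plus the tokens themselves.
                    // The refresh token is not placed in the cookie.
                    var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
                    id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims);

                    id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
                    // DateTime.Now is already Kind=Local, so the former ToLocalTime() call was a no-op;
                    // the stored string (current-culture ToString()) is unchanged.
                    id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToString()));
                    id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));

                    // "sid" identifies the STS session (used for session logout). Guard its absence
                    // instead of failing with a NullReferenceException on FindFirst(...).Value.
                    var sessionIdClaim = n.AuthenticationTicket.Identity.FindFirst("sid");
                    if (sessionIdClaim != null)
                    {
                        id.AddClaim(new Claim("sid", sessionIdClaim.Value));
                    }

                    // NOTE(review): presumably this writes the script-readable cookie the API calls use.
                    // A bearer token that JavaScript can read is exposed to any XSS on the site — confirm
                    // what LoginCookieHelper sets (HttpOnly/Secure) and whether the token could instead be
                    // taken from the server-side session.
                    LoginCookieHelper.SetUserData(tokenResponse.AccessToken);

                    n.AuthenticationTicket = new AuthenticationTicket(
                        new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
                        n.AuthenticationTicket.Properties);
                },

                RedirectToIdentityProvider = n =>
                {
                    // The sign-in/sign-out address is taken from the current request so the app can be
                    // deployed (to Azure Web Sites, for example) without changing settings.
                    var appBaseUrl = n.Request.Scheme + "://" + n.Request.Host + n.Request.PathBase;
                    n.ProtocolMessage.RedirectUri = appBaseUrl;
                    n.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;

                    // On sign-out, pass the id_token_hint so the STS can end the matching session.
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                    {
                        var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");

                        if (idTokenHint != null)
                        {
                            n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                        }
                    }

                    return Task.FromResult(0);
                }
            }
        });
    }
}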

ASP.NET MVC アプリケーション側の IdentityServer 構成:

AuthConfig.cs のコードによると、認証には「Cookies」という名前の Cookie 認証を使用しているので、ログアウトするときはその認証方式でサインアウトする必要があります (ストア内のトークンを削除するのではなく)。

コントローラーのアクションでログアウトするには `AuthenticationManager.SignOut("Cookies");` を呼び出す必要があります。