我正在使用Angular JS和Web API2构建SPA,使用Oauth2进行身份验证.我的问题,令牌’出口是固定的,比如20分钟.那么如果用户在20分钟内没有任何请求,我们如何重定向到logion页面呢?
刷新令牌不起作用,因为系统将自动刷新令牌,尽管用户在有效时间内没有任何操作.
干杯,
解决方法
我使用AuthorizeAttribute并覆盖OnAuthorization
public override void OnAuthorization(HttpActionContext actionContext) { string token = string.Empty; AuthenticationTicket ticket; //retrieve the token the client sent in the request... token = (actionContext.Request.Headers.Any(x => x.Key == "Authorization")) ? actionContext.Request.Headers.Where(x => x.Key == "Authorization").FirstOrDefault().Value.SingleOrDefault().Replace("Bearer ","") : ""; //Your OAuth Startup class may be called differently... ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token); //verification using the ticket's properties. When it was set to expire (ExpiresUtc) or whatever other properties you may have appended to it's dictionnary. //if verification fails.. //actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized,"Verification failed."); //return; //Otherwise,send a new token with an extended expiration date... AuthenticationProperties refreshTokenProperties = new AuthenticationProperties(ticket.Properties.Dictionary) { IssuedUtc = ticket.Properties.IssuedUtc,ExpiresUtc = DateTime.UtcNow.AddMinutes(20) }; AuthenticationTicket newToken = new AuthenticationTicket(ticket.Identity,refreshTokenProperties); string newTokenHash = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(newToken); //add the new token to request properties. Can't add it to the header here,because creating response/response headers here will prevent process from proceeding to called controller method. actionContext.Request.Properties.Add(new KeyValuePair<string,object>("Token",newTokenHash)); }
然后使用ActionFilterAttribute过滤器链接它:
public override void OnActionExecuted(HttpActionExecutedContext actionExecutedContext) { if (actionExecutedContext.Response == null) return; var objectContent = actionExecutedContext.Response.Content as ObjectContent; //the token we put in the filter above... string tokenHash = (actionExecutedContext.Request.Properties.Any(x => x.Key == "Token")) ? (string)actionExecutedContext.Request.Properties.Where(x => x.Key == "Token").FirstOrDefault().Value : ""; }
您可以将新标头附加到响应,放入JSON有效负载响应或将其添加为响应cookie.然后,当您请求任何其他资源时,您使客户端使用此新哈希,这样,到期时间将每次额外滑动20分钟.
您可以在App_Start / WebApiConfig.cs中全局注册这些过滤器属性
config.Filters.Add(new ClassExtendingAuthorizeAttribute()); config.Filters.Add(new ClassExtendingActionFilterAttribute());
但正如jumuro所提到的,您可以让客户只使用刷新令牌.取决于你是否想要你的后端或前端来完成大部分的腿部工作.
希望能帮助到你.
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。