Question
I am working on an ASP.NET Core MVC project which calls an API which is secured by OAuth 2.0.
I was able to access the API and get the response properly with the code below,
Startup.cs
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Authorization;

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        // Cookie scheme keeps the session; OpenID Connect handles the challenge.
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = Configuration["AzureAD:Instance"] +
                "/" + Configuration["AzureAD:TenantId"];
            options.ClientId = Configuration["AzureAD:ClientId"];
            // OpenIdConnectOptions names these properties ClientSecret and CallbackPath.
            options.ClientSecret = Configuration["AzureAD:Secret"];
            options.CallbackPath = Configuration["AzureAD:Callback"];
            options.ResponseType = "code id_token";
            // Stores the tokens returned by the provider in the authentication cookie.
            options.SaveTokens = true;
        });

        // Require an authenticated user on every MVC action by default.
        services.AddMvc(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        })
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // ...
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "sign-in",
                template: "signin-oidc");
            // ...
        });
    }
Controller.cs
I am getting the token from the HttpContext.
But the token expires after a few hours. Is there a way to refresh the id token before it expires? I tried a few examples on Stack Overflow, but none worked for me.
Is there a way to get this to work without using the IdentityModel used in the example below? https://github.com/mderriey/aspnet-core-token-renewal/blob/master/src/MvcClient/Startup.cs
Answer 1:
You don't need to refresh the id token. The id token contains information about an End-User. Once your client app gets the id token from the OpenID provider, it will validate the token, decode the token and sign in the user using cookie authentication. The user information is serialized and stored in the application cookie, which will be sent on each subsequent request from the browser to keep the user's basic profile information and authentication status.
By default, the cookie is created with a session-based lifetime, that is, until the browser/tab is closed. So the id token will be used the first time, and then cookie authentication takes over.
Usually what we consider is how to refresh the access token. The access token allows access to certain defined server resources, and we can use the refresh token to renew the access token after it expires.
The article you provided shows how to refresh the access token, and aligns the lifetime of the ASP.NET session cookie with the OIDC access token (controlling the cookie's lifetime). That is not much related to your scenario.
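The access-token renewal this answer describes can be done with plain `HttpClient` instead of IdentityModel. The following is an added example, not code from the question, the answer or the linked repository: the class name `TokenRenewal`, the token endpoint and the credential placeholders are assumptions, and it assumes the provider issued a refresh token that `SaveTokens = true` stored in the cookie.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Newtonsoft.Json.Linq;

// Hypothetical helper. Wire up with:
// .AddCookie(o => o.Events = new CookieAuthenticationEvents { OnValidatePrincipal = TokenRenewal.RefreshIfExpiring })
public static class TokenRenewal
{
    private static readonly HttpClient Http = new HttpClient();
    // Placeholders (assumptions): set these from configuration at startup, never from source.
    public static string TokenEndpoint { get; set; } = "https://login.example.invalid/<tenant>/oauth2/token";
    public static string ClientId { get; set; } = "<client-id>";
    public static string ClientSecret { get; set; } = "<client-secret>";

    public static async Task RefreshIfExpiring(CookieValidatePrincipalContext context)
    {
        var expiresAt = context.Properties.GetTokenValue("expires_at");
        var refreshToken = context.Properties.GetTokenValue("refresh_token");
        if (expiresAt == null || refreshToken == null) return; // nothing saved to renew

        var expiry = DateTimeOffset.Parse(expiresAt, CultureInfo.InvariantCulture);
        if (expiry - DateTimeOffset.UtcNow > TimeSpan.FromMinutes(5)) return; // still fresh

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = refreshToken,
            ["client_id"] = ClientId,
            ["client_secret"] = ClientSecret
        });
        var response = await Http.PostAsync(TokenEndpoint, form);
        if (!response.IsSuccessStatusCode)
        {
            context.RejectPrincipal(); // refresh failed (e.g. token revoked): force a new sign-in
            return;
        }
        var json = JObject.Parse(await response.Content.ReadAsStringAsync());
        var newExpiry = DateTimeOffset.UtcNow.AddSeconds((int)json["expires_in"]);
        context.Properties.UpdateTokenValue("access_token", (string)json["access_token"]);
        // The provider may rotate the refresh token; keep the old one if none is returned.
        context.Properties.UpdateTokenValue("refresh_token", (string)json["refresh_token"] ?? refreshToken);
        context.Properties.UpdateTokenValue("expires_at", newExpiry.ToString("o", CultureInfo.InvariantCulture));
        context.ShouldRenew = true; // re-issue the cookie so the new tokens are persisted
    }
}
```

The handler runs on every authenticated request, so the five-minute threshold keeps token-endpoint calls rare while the controller keeps reading the access token from `HttpContext` as before.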
Source: https://stackoverflow.com/questions/56958336/refresh-id-token-before-it-expires-in-aspnet-core-mvc