IdentityServer4 Reference Token caching options

问题

I use IdentityServer4 and want use it for mine microservices.
I have two services now:
- AuthService
- MVC site
I want use reference token with short lifetime cycle for often requesting actual claims from AuthService, but I can't found property for setting cache lifetime.

How I can configure cache time for claims and is it good idea for getting actual claims for user?

I tried set AccessTokenLifeTime, IdentityTokenLifeTime, TokenValidationParameters.ClockSkew, but it's not work for this task.

MVC Startup:

...
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
                {
                    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = "oidc";
                })
                .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
                {
                    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.Authority = "https://localhost:5001";
                    options.ClientId = "client";
                    options.ClientSecret = "secret";
                    options.ResponseType = "code id_token";

                    options.RequireHttpsMetadata = false;

                    options.Scope.Add(IdentityServerConstants.StandardScopes.OpenId);
                    options.Scope.Add(IdentityServerConstants.StandardScopes.Profile);
                    options.Scope.Add("epp");
                    options.Scope.Add("roles");
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        NameClaimType = "name",
                        RoleClaimType = "role",
                        ClockSkew = TimeSpan.FromSeconds(10)
                    };
                });
...

Auth Service, Config.cs:

...
new Client
                {
                    ClientId = "client",
                    ClientName = "Display name",
                    AllowedGrantTypes = new List<string>{GrantType.Hybrid},
                    ClientSecrets = new List<Secret>
                    {
                        new Secret("secret".Sha256())
                    },
                    RequireConsent = false,
                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        "epp",
                        "roles",
                    },
                    RedirectUris = new List<string>
                    {
                        "https://localhost:5003/signin-oidc"
                    },
                    PostLogoutRedirectUris = new List<string>{ "https://localhost:5003/signout-callback-oidc" },

                    AccessTokenType = AccessTokenType.Reference,
                    AlwaysIncludeUserClaimsInIdToken = true,
                    AlwaysSendClientClaims = true,
                    AllowAccessTokensViaBrowser = true,
                    AccessTokenLifetime = 10,
                    IdentityTokenLifetime = 10,
                    UpdateAccessTokenClaimsOnRefresh = true
                }

回答1:

There is no caching layer for claims. The claims along with the ClaimsPrincipal are rebuilt every time a protected ([Authorize]) endpoint is ran. This is done by the authentication middleware. Normally, you would have cookie authentication scheme which allows you to avoid going back to the UserInfo endpoint every time and in general the revalidation of the token until it expires or the authentication cookie is effectively removed (through sign out or other means).

来源：https://stackoverflow.com/questions/56573592/identityserver4-reference-token-caching-options

标签

asp.net-mvc

authentication

token

identityserver4