问题
I am building an app, which is a Javascript SPA with Asp.net mvc controllers in the backend. I am trying to use IdentityServer for authentication. I have authorize attribute on my controllers. One of the requirements I have is that the user's session should be expired in a certain amount of time(if no activity, user should be prompted to login). The implicit flow does not work for me because of security restrictions. I grabbed the Identity4 samples https://github.com/IdentityServer/IdentityServer4.Samples and tried using the cookieauthentication middleware, setting the ExpireTimeSpan to see if that expires the cookie. Somehow even after the expiration of the timespan specified, I am still able to make a call into the controllers. How can I accomplish something similar to a asp.net session timeout with Identity Server and Asp.net mvc?
回答1:
It is known issue see https://github.com/aspnet/Security/pull/893, fixed for 1.1.0.
Wait 1.1.0 version or use OnTokenValidated to set expire property:
OnTokenValidated = async (context) =>
{
context.Properties.ExpiresUtc = <expire>;
await Task.FromResult(0);
}
Also see for another solution: https://github.com/aspnet/Security/issues/855#issuecomment-229495399
来源:https://stackoverflow.com/questions/39711593/identityserver-and-asp-net-mvc