尹念念的博客

ASP.NET WebApi OAuth2身份认证---刷新token

发布时间:2019-12-25 15:32:45阅读: 157 评论数:

接上篇文章 传送门

当token过期后,OAuth2.0提供了token刷新机制:

public void ConfigureOAuth(IAppBuilder app)
{
    OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    {
        AllowInsecureHttp = true,
        TokenEndpointPath = new PathString("/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(10),
        Provider = new SimpleAuthorizationServerProvider(),
 
        //refresh token provider
        RefreshTokenProvider = new SimpleRefreshTokenProvider()
    };
 
    // Token Generation
    app.UseOAuthAuthorizationServer(OAuthServerOptions);
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}


1、添加新的RefreshTokenProvider

public class SimpleRefreshTokenProvider : IAuthenticationTokenProvider
{
    public async Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        var refreshTokenId = Guid.NewGuid().ToString("n");
 
        using (AuthRepository _repo = new AuthRepository())
        {
 
            var token = new RefreshToken()
            {
                Id = refreshTokenId.GetHash(),
                Subject = context.Ticket.Identity.Name,
                IssuedUtc = DateTime.UtcNow,
                ExpiresUtc = DateTime.UtcNow.AddMinutes(30)
            };
 
            context.Ticket.Properties.IssuedUtc = token.IssuedUtc;
            context.Ticket.Properties.ExpiresUtc = token.ExpiresUtc;
 
            token.ProtectedTicket = context.SerializeTicket();
 
            var result = await _repo.AddRefreshToken(token);
 
            if (result)
            {
                context.SetToken(refreshTokenId);
            }
 
        }
    }
 
    public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
 
        string hashedTokenId = context.Token.GetHash();
 
        using (AuthRepository _repo = new AuthRepository())
        {
            var refreshToken = await _repo.FindRefreshToken(hashedTokenId);
 
            if (refreshToken != null)
            {
                //Get protectedTicket from refreshToken class
                context.DeserializeTicket(refreshToken.ProtectedTicket);
                var result = await _repo.RemoveRefreshToken(hashedTokenId);
            }
        }
    }
 
    public void Create(AuthenticationTokenCreateContext context)
    {
        throw new NotImplementedException();
    }
 
    public void Receive(AuthenticationTokenReceiveContext context)
    {
        throw new NotImplementedException();
    }
 
}

我们实现了其中两个异步方法,对两个同步方法不做实现。其中CreateAsync用来生成RefreshToken值,生成后需要持久化在数据库中,客户端需要拿RefreshToken来请求刷新token,此时ReceiveAsync方法将拿客户的RefreshToken和数据库中RefreshToken做对比,验证成功后删除此refreshToken。


2、重新请求token

1.png

可以看到这次请求不但得到了token,还得到了refresh_token


3、当token过期后,凭借上次得到的refresh_token重新获取token

2.png

此次请求又得到了新的refresh_token,每次refresh_token只能用一次,因为在方法ReceiveAsync中我们一旦拿到refresh_token就删除了记录。