Using the OAuth2 implicit flow (IdentityServer4), must the user re-enter their password every time the access token expires?

Problem description

I need to implement Authorization/Authentication for an Angular2 Client Side WebApp to talk to a Resource Server(WebApi).

I am investigating IdentityServer4 and choosing a Grant Type / Flow. HERE

  1. Resource Owner Password Credentials grant (what we use now). This is the so-called "non-interactive" authentication and is generally not recommended.
  2. Authorization Code and Hybrid <- the workaround for the Implicit flow not allowing refresh tokens. (Seems complicated to me. But is this the way to go?)
  3. Implicit flow - recommended for SPAs from what I have seen. But no refresh token support.

With Implicit Flow, how do I not require the user of the SPA to have to type in a password every say 3600 sec? A recommended access_token lifetime. I presume there is something I do not understand about getting the new authorization URL.

Resources I have looked at:

  • IdentityServer4 Grant Types
  • Implicit Grant Flow for Client-Side Apps
  • A Guide To OAuth 2.0 Grants
  • SO - Oauth2 Implicit Flow with single-page-app refreshing access tokens

Thanks for the answer Scott. I have some reading to do.

Accepted answer

When using the Implicit flow you can still use your own cookie lifetimes (ie longer than 3600 seconds). To get around access tokens expiring, you can use the fact that the user is still authenticated within IdentityServer to fetch another access token, without the need for refresh tokens.

The IdentityModel OpenID Connect JS Client does this by firing an event just before access token expiration and using an iframe to make a fresh authentication request to IdentityServer. If the user is still logged into IdentityServer (which has a different, typically longer lived cookie than your own client application), then IdentityServer sends back fresh tokens just like a normal authentication request. This happens in the background with no interaction from the user and no interruption.

Check out the automaticSilentRenew functionality in this library for implementation specifics.

By the way, the Implicit, Authorization Code and Hybrid grant types, in the case of IdentityServer, are OpenID Connect grant types. Resources referring to the OAuth versions may not apply to your use case.
