Logging out with AspNet.Security.OpenIdConnect.Server (ASP.NET vNext)

Question

I am using Visual Studio 2015 Enterprise and ASP.NET vNext Beta8 to issue and consume JWT tokens as described here.

In our implementation we're storing some client details in Redis at token issuing time and we would like to flush this information when the user logs out.

My question is: what are the best practices for logging out with OIDC?

While I could roll my own controller for this purpose, I couldn't help but notice Open ID Connect (OIDC) seems somewhat primed to handle this case. For example, OIDC has an OnLogoutEndpoint handler and LogoutEndpointPath settings. But when I call the OIDC logout URI, that handler appears to accept any random x-www-form-urlencoded form I throw at it and doesn't in any particular way seem to be demanding the presence of a token.

Any advice on proper OIDC logout practices would be very much appreciated.

Recommended answer

In AspNet.Security.OpenIdConnect.Server, the logic used for the logout endpoint is left as an exercise.

In this sample, it is implemented using an MVC 6 controller, where you're - of course - free to add custom logic to remove cached details from your Redis server.

[HttpPost("~/connect/logout")]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout() {
    // When invoked, the logout endpoint might receive an unauthenticated request if the server cookie has expired.
    // When the client application sends an id_token_hint parameter, the corresponding identity can be retrieved using AuthenticateAsync.
    var identity = await HttpContext.Authentication.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);

    // Remove the cached details here. If you need to determine
    // who's the authenticated user, you can use the identity variable.

    // Remove the authentication cookie and return the user to the client application.
    return SignOut("ServerCookie", OpenIdConnectServerDefaults.AuthenticationScheme);
}

You can also do something similar directly from the LogoutEndpoint event. Don't forget to call context.HandleResponse() to make sure the request is not intercepted by another middleware.
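The controller approach from the answer, filled in with the Redis cleanup the question asks about. This is an added example, not code from the original post or from the AspNet.Security.OpenIdConnect.Server project. It assumes StackExchange.Redis with an `IConnectionMultiplexer` registered for dependency injection, a hypothetical key layout `client-details:{subject}`, and that the subject is carried in the `ClaimTypes.NameIdentifier` claim.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNet.Mvc;
using StackExchange.Redis;

public class LogoutController : Controller {
    // Hypothetical key prefix; use whatever prefix was used at token issuing time.
    private const string CacheKeyPrefix = "client-details:";

    private readonly IDatabase _redis;

    // Assumption: an IConnectionMultiplexer is registered in the DI container.
    public LogoutController(IConnectionMultiplexer multiplexer) {
        _redis = multiplexer.GetDatabase();
    }

    [HttpPost("~/connect/logout")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout() {
        // The request may be unauthenticated: the server cookie can have expired
        // and the client may not have sent an id_token_hint parameter.
        var principal = await HttpContext.Authentication.AuthenticateAsync(
            OpenIdConnectServerDefaults.AuthenticationScheme);

        // Build the cache key from the authenticated identity only.
        // The endpoint accepts arbitrary form fields, so a user id posted
        // in the body must never decide whose cached details are deleted.
        var subject = principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;

        if (!string.IsNullOrEmpty(subject)) {
            await _redis.KeyDeleteAsync(CacheKeyPrefix + subject);
        }

        // With no identity there is nothing to flush; still clear the cookie
        // and return the user to the client application.
        return SignOut("ServerCookie", OpenIdConnectServerDefaults.AuthenticationScheme);
    }
}
```

Giving the cached entries a Redis expiry matching the token lifetime covers sessions that end without ever reaching this endpoint.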


09-06 15:41