问题描述
我正在使用 Visual Studio 2015 Enterprise 和 ASP.NET vNext Beta8 来发布和使用 JWT 令牌,如 这里.
I am using Visual Studio 2015 Enterprise and ASP.NET vNext Beta8 to issue and consume JWT tokens as described here.
在我们的实现中,我们在发行令牌时将一些客户端详细信息存储在 Redis 中,并且我们希望在用户注销时刷新此信息.
In our implementation we're storing some client details in Redis at token issuing time and we would like the flush this information when the user logs out.
我的问题是使用 OIDC 注销的最佳做法是什么?
My question is what is the best practices for logging out with OIDC?
虽然我可以为此使用自己的控制器,但我不禁注意到 Open ID Connect (OIDC) 似乎已经准备好处理这种情况.例如,OIDC 有一个 OnLogoutEndpoint 处理程序和 LogoutEndpointPath 设置.但是,当我调用 OIDC 注销 URI 时,该处理程序似乎接受我抛出的任何随机 x-www-form-urlencoded 表单,并且似乎并没有以任何特定方式要求存在令牌.
While I could roll my own contoller for this purpose I couldn't help but notice Open ID Connect (OIDC) seems somewhat primed to handle this case. For example OIDC has an OnLogoutEndpoint handler and LogoutEndpointPath settings. But when I call the OIDC logout URI that handler appears to accept any random x-www-form-urlencoded form I throw at it and doesn't in any particular way seem to be demanding the presence of a token.
非常感谢任何有关正确 OIDC 注销做法的建议.
Any advice on proper OIDC logout practices would be very much appreciated.
推荐答案
在 AspNet.Security.OpenIdConnect.Server 中,用于注销端点的逻辑留作练习.
In AspNet.Security.OpenIdConnect.Server, the logic used for the logout endpoint is left as an exercise.
在这个 示例,它是使用 MVC 6 控制器实现的,您当然可以在其中自由添加自定义逻辑以从 Redis 服务器中删除缓存的详细信息.
In this sample, it is implemented using an MVC 6 controller, where you're - of course - free to add custom logic to remove cached details from your Redis server.
[HttpPost("~/connect/logout")]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout() {
// When invoked, the logout endpoint might receive an unauthenticated request if the server cookie has expired.
// When the client application sends an id_token_hint parameter, the corresponding identity can be retrieved using AuthenticateAsync.
var identity = await HttpContext.Authentication.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);
// Remove the cached details here. If you need to determine
// who's the authenticated user, you can use the identity variable.
// Remove the authentication cookie and return the user to the client application.
return SignOut("ServerCookie", OpenIdConnectServerDefaults.AuthenticationScheme);
}
您也可以直接从 LogoutEndpoint 事件执行类似操作.不要忘记调用 context.HandleResponse() 以确保请求不会被其他中间件拦截.
You can also do something similar directly from the LogoutEndpoint event. Don't forget to call context.HandleResponse() to make sure the request is not intercepted by another middleware.
这篇关于使用 AspNet.Security.OpenIdConnect.Server (ASP.NET vNext) 注销的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!