Problem description
I am using Thinktecture AuthorizationServer (AS) and it is working great.
I would like to write a native JavaScript single page app which can call a WebAPI directly; however, the implicit flow does not provide a refresh token.
If an AJAX call is made and the token has expired, the API will send a redirect to the login page; since the data is loaded using dynamic popups, this will interrupt the user.
How does Facebook or Stackoverflow do this and still allow the javascript running on the page to call the APIs?
Proposed solution
Does the below scenario sound sensible (assuming this can be done with iframes):
My SPA directs me to the AS and I obtain a token by Implicit Flow. Within AS I click to allow the Read data scope, click Remember decision, then the Allow button.
Since I have clicked the Remember decision button, whenever I hit AS for a token, a new token is passed back automatically without me needing to sign in (I can see a FedAuth cookie which is remembering my decision and believe this is enabling this to just work).
With my SPA (untrusted app), I don't have a refresh token, only an access token. So instead I:
- Ensure the user is logged in and has clicked Remember decision (otherwise the iframe will not work)
- Call the WebAPI; if the response is a 401, try to obtain a new token via the following steps...
- Have a hidden iframe on the page whose URL I will set so that it obtains a new access token from the authorization server.
- Grab the new token from the iframe's hash fragment, then store it in the SPA and use it for all future WebAPI requests.
I guess I would still be in trouble if the FedAuth cookie is stolen.
Any standard or recommended way for the above scenario?
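The token handling behind the hidden-iframe scheme described in the question, as an added example that is not code from the original question, the answer, or Thinktecture AuthorizationServer. The browser-specific step (loading the AS authorize URL in a hidden iframe and reading the hash fragment off the redirect) is injected as `requestTokenViaIframe`, an assumed name, so the rest of the logic also runs under Node; the `state` check, the expiry skew and the single retry on 401 are design choices of this example, not something the question states.

```javascript
// Added example (not from the original question or answer): token handling for an
// implicit-flow SPA that silently re-requests an access token through a hidden iframe.
// `requestTokenViaIframe(state)` is an assumed, injected function that resolves with the
// hash fragment the authorization server appended to the redirect URI.

// Parse the implicit-flow response the AS puts in the hash fragment, e.g.
// "#access_token=...&token_type=Bearer&expires_in=3600&state=...".
function parseFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const out = {};
  for (const [key, value] of params) out[key] = value;
  return out;
}

// Accept a fragment only if it carries the state we sent (so a response that did not
// originate from our own request cannot be mistaken for ours), reject error responses
// such as the one an AS sends when the remembered session cookie is missing, and turn
// expires_in into an absolute timestamp.
function acceptTokenResponse(fragment, expectedState, now = Date.now()) {
  const p = parseFragment(fragment);
  if (p.error) throw new Error('authorization server returned error: ' + p.error);
  if (!p.state || p.state !== expectedState) throw new Error('state mismatch in token response');
  if (!p.access_token) throw new Error('no access_token in fragment');
  const ttlSeconds = Number(p.expires_in);
  if (!Number.isFinite(ttlSeconds) || ttlSeconds <= 0) throw new Error('missing or invalid expires_in');
  return {
    accessToken: p.access_token,
    tokenType: p.token_type || 'Bearer',
    expiresAt: now + ttlSeconds * 1000,
  };
}

// A token counts as fresh only if it outlives the skew window, so the SPA refreshes
// shortly before expiry instead of waiting for the API to reject it.
function isFresh(token, now = Date.now(), skewMs = 60 * 1000) {
  return Boolean(token) && token.expiresAt - skewMs > now;
}

// Unguessable per-request state; WebCrypto is global in browsers and Node 19+.
function defaultMakeState() {
  const bytes = new Uint8Array(16);
  (globalThis.crypto || require('crypto').webcrypto).getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

function createTokenManager(requestTokenViaIframe, { skewMs = 60 * 1000, makeState = defaultMakeState } = {}) {
  let current = null;  // held in memory only; never written to localStorage
  let inflight = null; // de-duplicates refreshes triggered by parallel API calls

  function refresh() {
    if (inflight) return inflight;
    const state = makeState();
    inflight = Promise.resolve()
      .then(() => requestTokenViaIframe(state))
      .then((fragment) => {
        current = acceptTokenResponse(fragment, state);
        return current;
      })
      .finally(() => { inflight = null; });
    return inflight;
  }

  async function getToken() {
    return isFresh(current, Date.now(), skewMs) ? current : refresh();
  }

  // Attach the bearer token; on a 401 refresh once and retry, then return whatever the
  // API said so a revoked AS session cannot put the page into a refresh loop.
  async function apiFetch(doFetch, url, init = {}) {
    const send = (tok) => doFetch(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `${tok.tokenType} ${tok.accessToken}` },
    });
    let response = await send(await getToken());
    if (response.status === 401) response = await send(await refresh());
    return response;
  }

  return { getToken, refresh, apiFetch };
}
```

In the browser, `requestTokenViaIframe` would create a hidden iframe pointing at the AS authorize endpoint with `response_type=token`, the SPA's client_id and redirect_uri, and the generated state, and resolve with the iframe's hash once the (same-origin) redirect URI has loaded. Keeping the token in memory and checking `state` do not remove the risk the question already names: whoever holds the FedAuth cookie can obtain tokens the same way, so the AS session lifetime and cookie protections still bound the exposure. OpenID Connect later standardised this idea as an authorize request with `prompt=none`, which returns `error=login_required` instead of a login page when no session exists.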
Recommended answer
In Google OAuth, the access token will only be valid for 1 hour, so you need to programmatically update your access token every hour. Simply, you can create a web API to do so; you need to have a refresh token, and that refresh token will not expire. Using C# code, I have done this.
// Refresh the Google access token when the last refresh was more than 55 minutes ago.
// Needs: using System; using System.IO; using System.Net; using System.Text;
if (dateTimeDiff > 55)
{
    var request = (HttpWebRequest)WebRequest.Create("https://www.googleapis.com/oauth2/v3/token");
    // refresh_token grant, form-encoded; fill in your own values. The client secret
    // stays on the server, so this call belongs in the Web API, not in browser code.
    var postData = "refresh_token=your refresh token";
    postData += "&client_id=your client id";
    postData += "&client_secret=your client secret";
    postData += "&grant_type=refresh_token";
    var data = Encoding.ASCII.GetBytes(postData);
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = data.Length;
    request.UseDefaultCredentials = true;
    using (var stream = request.GetRequestStream())
    {
        stream.Write(data, 0, data.Length);
    }
    // The JSON response carries the new access_token and its expires_in (seconds).
    string responseString;
    using (var response = (HttpWebResponse)request.GetResponse())
    using (var reader = new StreamReader(response.GetResponseStream()))
    {
        responseString = reader.ReadToEnd();
    }
}
You need to save the last updated date time of the access token somewhere (say in a database), so that whenever you have to make a request you can subtract it from the current date time; if it is more than 60 minutes, you need to call the web API to get a new token.