我有一个 MVC 应用程序,其授权由身份服务器管理。当我第一次访问我的网站时,它被重定向到身份服务器登录页面,然后我再次被重定向到我的网站。
我的问题是,如果我注销身份服务器,当我再次访问我的网站(使用身份服务器授权)时,我被重定向到身份服务器,但登录是自动完成的,允许我访问我的网站而无需将用户/密码放入身份服务器。
我想这是因为 cookie 在客户端中仍然存在(如果我在浏览器中手动删除所有 cookie,则需要用户/密码)。
如何禁用自动登录(强制始终需要用户名/密码)?
我的启动客户端配置是这样的:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
LoginPath = new PathString("/Home/Logged/"),
AuthenticationType = "Cookies",
ExpireTimeSpan = TimeSpan.FromDays(2),
SlidingExpiration = true,
CookieName = ".AspNet.MyApp"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = "MyApp",
Authority = IS_URL,
RedirectUri = localHostURL + "/Home/Logged/",
PostLogoutRedirectUri = localHostURL + "/Account/Login/",
ResponseType = "code id_token token",
Scope = "openid profile read write sampleApi",
SignInAsAuthenticationType = "Cookies",
UseTokenLifetime = true,
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async n =>
{
var nid = new ClaimsIdentity(
n.AuthenticationTicket.Identity.AuthenticationType,
"given_name",
"role");
// get userinfo data
var userInfoClient = new UserInfoClient(
new System.Uri(n.Options.Authority + "/connect/userinfo"),
n.ProtocolMessage.AccessToken);
var userInfo = await userInfoClient.GetAsync();
userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2)));
//keep the id_token for logout
nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
// add access token for sample API
nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));
// keep track of access token expiration
nid.AddClaim(new Claim("expires_at", TimeSpan.FromDays(2).ToString()));
// add some other app specific claim
nid.AddClaim(new Claim("app_specific", "some data"));
n.AuthenticationTicket = new AuthenticationTicket(
nid,
n.AuthenticationTicket.Properties);
},
RedirectToIdentityProvider = n =>
{
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
}
});
提前致谢!
最佳答案
要从身份服务器注销,您需要重定向到结束 session 端点。
通常是 /connect/endsession
。只有这样才能清除身份验证 session cookie。
查看规范: https://openid.net/specs/openid-connect-session-1_0.html#RPLogout
关于c# - 如何在thinktecture IdentityServer中禁用自动登录,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40490992/