問題描述

我正在使用 Visual Studio 2015 Enterprise 和 ASP.NET vNext Beta8 來發布和使用 JWT 令牌，如 這里.

I am using Visual Studio 2015 Enterprise and ASP.NET vNext Beta8 to issue and consume JWT tokens as described here.

在我們的實現中，我們在發行令牌時將一些客戶端詳細信息存儲在 Redis 中，并且我們希望在用戶注銷時刷新此信息.

In our implementation we're storing some client details in Redis at token issuing time and we would like the flush this information when the user logs out.

我的問題是使用 OIDC 注銷的最佳做法是什么?

My question is what is the best practices for logging out with OIDC?

雖然我可以為此使用自己的控制器，但我不禁注意到 Open ID Connect (OIDC) 似乎已經準備好處理這種情況.例如，OIDC 有一個 OnLogoutEndpoint 處理程序和 LogoutEndpointPath 設置.但是，當我調用 OIDC 注銷 URI 時，該處理程序似乎接受我拋出的任何隨機 x-www-form-urlencoded 表單，并且似乎并沒有以任何特定方式要求存在令牌.

While I could roll my own contoller for this purpose I couldn't help but notice Open ID Connect (OIDC) seems somewhat primed to handle this case. For example OIDC has an OnLogoutEndpoint handler and LogoutEndpointPath settings. But when I call the OIDC logout URI that handler appears to accept any random x-www-form-urlencoded form I throw at it and doesn't in any particular way seem to be demanding the presence of a token.

非常感謝任何有關正確 OIDC 注銷做法的建議.

Any advice on proper OIDC logout practices would be very much appreciated.

推薦答案

在 AspNet.Security.OpenIdConnect.Server 中，用于注銷端點的邏輯留作練習.

In AspNet.Security.OpenIdConnect.Server, the logic used for the logout endpoint is left as an exercise.

在這個 示例，它是使用 MVC 6 控制器實現的，您當然可以在其中自由添加自定義邏輯以從 Redis 服務器中刪除緩存的詳細信息.

In this sample, it is implemented using an MVC 6 controller, where you're - of course - free to add custom logic to remove cached details from your Redis server.

[HttpPost("~/connect/logout")]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout() {
    // When invoked, the logout endpoint might receive an unauthenticated request if the server cookie has expired.
    // When the client application sends an id_token_hint parameter, the corresponding identity can be retrieved using AuthenticateAsync.
    var identity = await HttpContext.Authentication.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);

    // Remove the cached details here. If you need to determine
    // who's the authenticated user, you can use the identity variable.

    // Remove the authentication cookie and return the user to the client application.
    return SignOut("ServerCookie", OpenIdConnectServerDefaults.AuthenticationScheme);
}

您也可以直接從 LogoutEndpoint 事件執行類似操作.不要忘記調用 context.HandleResponse() 以確保請求不會被其他中間件攔截.

You can also do something similar directly from the LogoutEndpoint event. Don't forget to call context.HandleResponse() to make sure the request is not intercepted by another middleware.

這篇關于使用 AspNet.Security.OpenIdConnect.Server (ASP.NET vNext) 注銷的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！