問題描述

我正在使用 Thinktecture AuthorizationServer (AS)，它運行良好.

I am using Thinktecture AuthorizationServer (AS) and it is working great.

我想寫一個可以直接調用 WebAPI 的原生 javascript 單頁應用，但是隱式流不提供刷新令牌.

I would like to write a native javascript single page app which can call a WebAPI directly, however implicit flow does not provide a refresh token.

如果進行 AJAX 調用，如果令牌已過期，API 將發送重定向到登錄頁面，因為數據使用動態彈出窗口，這將中斷用戶.

If an AJAX call is made, if the token has expired the API will send a redirect to the login page, since the data is using dynamic popups it will this will interrupt the user.

Facebook 或 Stackoverflow 如何做到這一點，并且仍然允許頁面上運行的 javascript 調用 API?

How does Facebook or Stackoverflow do this and still allow the javascript running on the page to call the APIs?

建議的解決方案

下面的場景聽起來合理嗎(假設這可以通過 iframe 完成):

Does the below scenario sound sensible (assuming this can be done with iframes):

我的 SPA 將我定向到 AS，我通過隱式流獲得了一個令牌.在 AS 我點擊允許 Read data 范圍，然后點擊 Remember decision，然后點擊 Allow 按鈕.

My SPA directs me to the AS and I obtain a token by Implicit Flow. Within AS I click allow Read data scope, and click Remember decision, then Allow button.

由于我點擊了 Remember decision 按鈕，每當我點擊 AS 獲取令牌時，都會自動傳回一個新令牌，而無需我登錄(我可以看到 FedAuth cookie 正在記住我的決定并相信這使它能夠正常工作).

Since I have clicked Remember decision button, whenever I hit AS for a token, a new token is passed back automatically without me needing to sign in ( I can see FedAuth cookie which is remembering my decision and believe this is enabling this to just work).

使用我的 SPA(不受信任的應用程序)，我沒有刷新令牌，只有訪問令牌.所以我改為:

With my SPA (untrusted app), I don't have a refresh-token only an access token. So instead I:

1. 確保用戶已登錄并點擊記住決定(否則 iframe 將無法工作)
2. 調用 WebAPI，如果 401 響應嘗試通過以下步驟獲取新令牌...
3. 在頁面上有一個隱藏的 iframe，我將設置 URL 以從授權服務器獲取新的訪問令牌.
4. 從 iframe 的哈希片段中獲取新令牌，然后將其存儲在 SPA 中并用于所有未來的 WebAPI 請求.

如果 FedAuth cookie 被盜，我想我仍然會遇到麻煩.

I guess I would still be in trouble if the FedAuth cookie is stolen.

上述場景有什么標準或推薦的方法嗎?

Any standard or recommended way for the above scenario?

推薦答案

在 Google o-Auth 中，訪問令牌的有效期只有 1 小時，因此您需要每隔一小時以編程方式更新您的訪問令牌，簡單您可以創建web api來做到這一點，你需要一個刷新令牌，并且刷新令牌不會過期，使用c#代碼，我已經做到了.

In Google o-Auth , the access token will only be valid for 1 hour, so you need to programmatically update your access token in each one hour, simple you can create web api to do so,you need to have a refresh token, and also that refresh token will not be expired , using c# code, I have done this.

 if (dateTimeDiff > 55)
            {
                var request = (HttpWebRequest)WebRequest.Create("https://www.googleapis.com/oauth2/v3/token");
                var postData = "refresh_token=your refresh token";
                postData += "&client_id=your client id";
                postData += "&client_secret=your client secrent";
                postData += "&grant_type=refresh_token";

                var data = Encoding.ASCII.GetBytes(postData);            
                request.Method = "POST";
                request.ContentType = "application/x-www-form-urlencoded";
                request.ContentLength = data.Length;
                request.UseDefaultCredentials = true;

                using (var stream = request.GetRequestStream())
                {
                    stream.Write(data, 0, data.Length);
                }
                var response = (HttpWebResponse)request.GetResponse();
                string responseString = new StreamReader(response.GetResponseStream()).ReadToEnd();

            }

您需要將訪問令牌的最后更新日期時間保存在某處(例如在數據庫中)，這樣，每當您必須發出請求時，您可以用當前日期時間減去它，如果它超過 60分鐘，你需要調用webapi來獲取新的token.

you need to save the last updated date time of the access token somewhere(say in database), so that , whenever you have to make a request , so you can subtract that with current date time , if it is more than 60 minutes , you need to call the webapi to get new token .

這篇關于具有單頁應用刷新訪問令牌的 Oauth2 隱式流的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！