我有一个MVC应用程序,由identityserver管理授权.当我第一次访问我的网站时,它会重定向到身份服务器登录页面,然后我再次被重定向到我的网站.
我的问题是,如果我注销身份服务器,当我再次访问我的网站(使用身份服务器授权)时,我被重定向到身份服务器,但登录自动完成,让我访问我的网站,而无需将用户/密码放入身份服务器.
我认为这是因为cookie在客户端仍然存在(如果我在浏览器中手动删除所有cookie,则需要用户/传递).
如何禁用自动登录(强制始终需要用户/通行证)?
我的启动客户端配置如下:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
LoginPath = new PathString("/Home/Logged/"),
AuthenticationType = "Cookies",
ExpireTimeSpan = TimeSpan.FromDays(2),
SlidingExpiration = true,
CookieName = ".AspNet.MyApp"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = "MyApp",
Authority = IS_URL,
RedirectUri = localHostURL + "/Home/Logged/",
PostLogoutRedirectUri = localHostURL + "/Account/Login/",
ResponseType = "code id_token token",
Scope = "openid profile read write sampleApi",
SignInAsAuthenticationType = "Cookies",
UseTokenLifetime = true,
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async n =>
{
var nid = new ClaimsIdentity(
n.AuthenticationTicket.Identity.AuthenticationType,
"given_name",
"role");
// get userinfo data
var userInfoClient = new UserInfoClient(
new System.Uri(n.Options.Authority + "/connect/userinfo"),
n.ProtocolMessage.AccessToken);
var userInfo = await userInfoClient.GetAsync();
userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2)));
//keep the id_token for logout
nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
// add access token for sample API
nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));
// keep track of access token expiration
nid.AddClaim(new Claim("expires_at", TimeSpan.FromDays(2).ToString()));
// add some other app specific claim
nid.AddClaim(new Claim("app_specific", "some data"));
n.AuthenticationTicket = new AuthenticationTicket(
nid,
n.AuthenticationTicket.Properties);
},
RedirectToIdentityProvider = n =>
{
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
}
});
提前致谢!
最佳答案 要从identityserver注销,您需要重定向到结束会话端点.
通常/连接/结束.只有这样才能清除认证会话cookie.
看规范:
https://openid.net/specs/openid-connect-session-1_0.html#RPLogout