各个模式的accesstoken续期详解

Posted 2020-12-05 jianjialin

一些预备知识

jwt的时间格式

转换为时间可以用js, 

new Date(1531841745*1000)
==>Tue Jul 17 2018 23:35:45 GMT+0800 (中国标准时间)

 

关于Refresh token

refreshtoken仅仅在hybrid, authorization和ResourceOwnPassword三种模式中支持

通常在IdentityServer中,

如果客户端是.net程序, 我们使用hybrid和ResourceOwnPassword授权

如果客户端是纯js程序, 那么使用implicit授权.

需要加上offline_access的scope权限

如何理解offline_access

 

参考https://stackoverflow.com/questions/42162769/identity-server-4-angular-2-token-expiration

5down voteaccepted

I can recommend the library for managing token for the javascript application:https://github.com/IdentityModel/oidc-client-js

You‘ve correctly used the implicit flow for SPA - here is the description about which flow is right one - https://leastprivilege.com/2016/01/17/which-openid-connectoauth-2-o-flow-is-the-right-one/

Oidc-client provides great feature called automaticSilentRenew - check the docs. There is the timer on the background and handle an event before token expiration and using hidden iframe for getting new access token.(看起来好像是这个js框架会自动使用iframe在授权到期的时候自己去idsv刷新token)

Example for Angular2 and oidc-client: https://github.com/jmurphzyo/Angular2OidcClient

Video with overview for authentication and authorization in JavaScript web applications using IdentityServer - https://vimeo.com/131636653

 

实战一, mvc客户端使用ResourceOwnPassword, 如何管理accesstoken续期

 

 

实战二, js客户端的续期

 

 

实战三, mvc客户端使用hybrid, 如何管理续期