ASP.NET-MVC – IdentityServer MVC token expire

I am new to Identity Server, and I am missing a key concept in my understanding.
I am using the code from the MVC tutorial.

If I use the attribute [Authorize] to decorate my Home controller and visit my website, I will be redirected to IdentityServer. Then I use my username and password to log in. Then I use some custom code and authenticate. I get an AccessToken, and then I can access the Home controller.

My client settings are as follows:

new Client {
    ClientId = "mvc",
    ClientName = "MVC Client",
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
    ClientSecrets = new List<Secret> { new Secret("secret".Sha256()) },
    RequireConsent = false,
    // access token lifetime in seconds (1 for testing only)
    AccessTokenLifetime = 1,

    // where to redirect to after login
    RedirectUris = new List<string> { "http://localhost:5002/signin-oidc" },

    // where to redirect to after logout
    PostLogoutRedirectUris = new List<string> { "http://localhost:5002" },

    AllowedScopes = new List<string>
    {
        StandardScopes.OpenId.Name,
        StandardScopes.Profile.Name,
        StandardScopes.OfflineAccess.Name,
    }
}

My access token is

{
    "nbf": 1474697839,
    "exp": 1474697840,
    "iss": "http://localhost:5000",
    "aud": "http://localhost:5000/resources",
    "client_id": "mvc",
    "scope": [
        "openid",
        "profile"
    ],
    "sub": "26296",
    "auth_time": 1474697838,
    "idp": "local",
    "amr": [
        "pwd"
    ]
}

When I set AccessTokenLifetime to 1, my token will be invalid when it is sent to call the API etc. But I can still access the website.

What is the best way to let the MVC website confirm that my token has not expired? This may be where the refresh token comes in.

Note that AccessTokenLifetime is set to 1 for testing only, so I can test quickly.

Maybe this is the case?

var user = HttpContext.Current.User.Identity;
if (!user.IsAuthenticated)
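
Added example, not part of the original post and not IdentityServer or tutorial code: one way for the MVC client to read the `exp` claim of its stored access token before calling an API and decide that a refresh is due, since `IsAuthenticated` reflects the site's own sign-in session rather than the access token. The class and method names and the refresh margin are assumptions; the sample token is constructed from the `exp` value shown above and is unsigned.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Hypothetical helper names; an illustration, not IdentityServer or tutorial code.
public static class AccessTokenExpiry
{
    // Reads "exp" from the JWT payload. The signature is NOT checked: this is only
    // a local hint for the client; the API still has to validate the token fully.
    public static DateTimeOffset? ReadExpiry(string jwt)
    {
        var parts = (jwt ?? "").Split('.');
        if (parts.Length != 3) return null;
        try
        {
            // base64url -> base64, restoring the padding that JWTs strip
            var b64 = parts[1].Replace('-', '+').Replace('_', '/');
            b64 += new string('=', (4 - b64.Length % 4) % 4);
            var json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
            using var doc = JsonDocument.Parse(json);
            var root = doc.RootElement;
            if (root.ValueKind == JsonValueKind.Object
                && root.TryGetProperty("exp", out var exp)
                && exp.ValueKind == JsonValueKind.Number
                && exp.TryGetInt64(out var seconds))
                return DateTimeOffset.FromUnixTimeSeconds(seconds);
            return null;
        }
        catch (Exception e) when (e is FormatException || e is JsonException
                                  || e is ArgumentOutOfRangeException) { return null; }
    }

    // A missing or unreadable expiry counts as "refresh needed" (fail closed).
    public static bool NeedsRefresh(string jwt, DateTimeOffset now, TimeSpan margin)
    {
        var expiry = ReadExpiry(jwt);
        return expiry == null || now >= expiry.Value - margin;
    }

    static string B64Url(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed, unsigned sample carrying the "exp" from the token above.
        var jwt = B64Url("{\"typ\":\"JWT\"}") + "." + B64Url("{\"exp\":1474697840}") + ".sig";
        var issued = DateTimeOffset.FromUnixTimeSeconds(1474697839);
        Console.WriteLine(NeedsRefresh(jwt, issued, TimeSpan.Zero));
        Console.WriteLine(NeedsRefresh(jwt, issued.AddSeconds(2), TimeSpan.Zero));
        Console.WriteLine(NeedsRefresh("garbage", issued, TimeSpan.Zero));
    }
}
```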
