如何在aspnet core中撤销存储在Identity Server数据库中的刷新令牌?


通过在Aspnet核心(API层)调用Identity server 4的RevokeAccessTokenAsync(param: accesstoken)方法,我可以很容易地撤销登录用户的访问令牌,因为我可以从HttpContext.GetTokenAsync("accesstoken")中获得它。然而,这个方法对刷新令牌不起作用,因此我没有办法阻止用户再次获得访问令牌。刷新令牌存储在Identity服务器数据库中,我不想直接访问该数据库,因为我想从API层发起撤销。

这让我得到访问令牌: access token = await HttpContext.GetTokenAsync("access_token")。

这个返回一个空字符串:refreshtoken = await HttpContext.GetTokenAsync("refresh_token")。

asp.net-core identityserver4 refresh-token
1个回答

我尝试了几种做法,最终解决了问题:重写(override)RevokeRefreshTokenAsync,并假设传入的令牌是访问令牌,然后用这个访问令牌撤销该用户在该客户端下的所有刷新令牌。

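         public class CustomTokenRevocationResponseGenerator : TokenRevocationResponseGenerator, ITokenRevocationResponseGenerator
{
    /// <summary>
    /// Creates the generator and passes the token stores and the logger on to the base class.
    /// </summary>
    /// <param name="referenceTokenStore">Store that holds reference (access) tokens.</param>
    /// <param name="refreshTokenStore">Store that holds refresh tokens.</param>
    /// <param name="logger">Logger used by the base class and by this override.</param>
    public CustomTokenRevocationResponseGenerator(IReferenceTokenStore referenceTokenStore, IRefreshTokenStore refreshTokenStore, ILogger<TokenRevocationResponseGenerator> logger) : base(referenceTokenStore, refreshTokenStore, logger)
    {
    }

    /// <summary>
    /// Revokes refresh tokens when the caller presents either a refresh token or a
    /// reference access token, and only if the token belongs to the client making
    /// the request.
    /// </summary>
    /// <param name="validationResult">Validated revocation request carrying the token and the calling client.</param>
    /// <returns>
    /// <c>true</c> when the token was recognised (also when it belongs to another client and
    /// nothing was removed); <c>false</c> when the token was not found.
    /// </returns>
    protected override async Task<bool> RevokeRefreshTokenAsync(TokenRevocationRequestValidationResult validationResult)
    {
        // Try the stock behaviour first so that a genuine refresh token stays revocable.
        // Without this call the override replaces refresh-token revocation entirely and a
        // real refresh token sent to the endpoint is silently left valid.
        // NOTE(review): assumes the base method looks the value up as a refresh-token
        // handle - confirm against the IdentityServer4 version in use.
        if (await base.RevokeRefreshTokenAsync(validationResult))
        {
            return true;
        }

        Logger.LogInformation("Revoking refresh token");

        // Fallback: treat the presented value as an access token. The lookup goes through
        // the reference token store, so presumably only reference access tokens resolve
        // here; a self-contained JWT is not expected to be found - verify for your setup.
        var token = await ReferenceTokenStore.GetReferenceTokenAsync(validationResult.Token);
        if (token == null)
        {
            return false;
        }

        // Structured template instead of string interpolation, so the client id is
        // recorded as a log property rather than baked into the message text.
        Logger.LogInformation("Revoking refresh token for clientId {clientId} ", token.ClientId);

        if (token.ClientId == validationResult.Client.ClientId)
        {
            // Removes every refresh token and every reference token issued to this
            // subject for this client, not just the one that was presented.
            // NOTE(review): token.SubjectId may be empty for tokens issued without a
            // user - confirm how the configured stores treat that case.
            await RefreshTokenStore.RemoveRefreshTokensAsync(token.SubjectId, token.ClientId);
            await ReferenceTokenStore.RemoveReferenceTokensAsync(token.SubjectId, token.ClientId);

            // Logged after the removals so the entry is not written when a store call throws.
            Logger.LogDebug("Refresh token revoked");
        }
        else
        {
            // Distinct placeholder names: with a repeated name, structured logging sinks
            // keep only one of the two client ids.
            Logger.LogWarning("Client {requestingClientId} tried to revoke a refresh token belonging to a different client: {tokenClientId}", validationResult.Client.ClientId, token.ClientId);
        }

        // The token was recognised; the caller learns nothing about whether the
        // ownership check passed.
        return true;
    }
}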