Testing refresh tokens in IdentityServer4

Problem description   Votes: 0   Answers: 1

We use IdentityServer4 to protect our APIs, with EntityFrameworkCore storing the configuration and operational data. This is our client data:

public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "client",

            // no interactive user, use the clientid/secret for authentication
            AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

            // secret for authentication
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },

            // scopes that client has access to
            AllowedScopes = { "api1" },

            AllowOfflineAccess = true
        },
        new Client
        {
            ClientId = "client2",

            // no interactive user, use the clientid/secret for authentication
            AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

            // secret for authentication
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },

            // scopes that client has access to
            AllowedScopes = { "sup_api" },

            AllowOfflineAccess = true
        }
    };
}

We POSTed a request to the connect/token endpoint with the following data in "x-www-form-urlencoded" format:

client_id:client2
client_secret:secret
grant_type:client_credentials
scope:sup_api

We got the following response:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM2ZWE2MGZlNGY2NDZkYjIxZjI0Y2ExNjEzZTBmMTgyIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MTk4OTM1MTYsImV4cCI6MTUxOTg5MzU2NiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJzdXBfYXBpIl0sImNsaWVudF9pZCI6ImNsaWVudDIiLCJzY29wZSI6WyJzdXBfYXBpIl19.cOznF6F6AL8onLZvvJaSX137P19k6doNa2BoJJTs6WY1LL47UOWoPhR7xIffQVSKyxGp4r-Z02kZrABjjyXzcdTaCR4538Pexep2sjlPobmKI0rfjR2apBSaMBVFXqDW-3VLTnMPyqicIBYjll5iS8YFGpUh0jZwq4rzNvYR4OooHssijQtkhpWxGzuokjKj8ZK1conySqEqorlaFJevY2x4jNlP3v0wpJ_6p77H4Lh12XENw4laGlrejtOkilnRaT7V8CclRGNsgPc81NLJhQZEp89cl37iQ1vLH74hCSs4MllO_eAZ_3Rmdan6QWUM1_zbcCEjGbXJM0QQ2qCpHw",
    "expires_in": 3600,
    "token_type": "Bearer"
}

But now, how do we test the refresh token?

identityserver4

1 answer

0 votes

One way is to check whether the user still has access after the access token's expiry time.

E.g.

At a high level, this is what it looks like:

  • Set the access token lifetime to 1 minute
  • Run an access test against the API at the 6-minute mark (there is a built-in delay before the token actually expires)
  • You should assert that a 401 is returned; if it is, pass
  • Activate the offline token
  • Run the access test again after 6 minutes
  • Assert that you get a non-401 response; if so, pass

It's more of a test.
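The steps above written out as an xUnit integration test with the IdentityModel client library; this is an added example, not code from the question or the answer. It assumes IdentityServer at http://localhost:5000 and a protected API at http://localhost:5001/identity, a client "refresh_test_client"/"secret" that is allowed the resource owner password grant with AllowedScopes = { "sup_api" }, AllowOfflineAccess = true and AccessTokenLifetime = 60, and a test user alice/password. The password grant stands in for the client_credentials call in the question because IdentityServer4 only issues refresh tokens for the authorization code, hybrid and resource owner password grants, never for client_credentials, so the request shown in the question can never return one to test.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using Xunit;

public class RefreshTokenTests
{
    // Assumed test environment; none of these values come from the original question.
    private const string TokenEndpoint = "http://localhost:5000/connect/token";
    private const string ApiUrl = "http://localhost:5001/identity";
    private const string ClientId = "refresh_test_client", ClientSecret = "secret"; // password grant, AllowOfflineAccess = true
    private static readonly TimeSpan AccessTokenLifetime = TimeSpan.FromMinutes(1); // client AccessTokenLifetime = 60
    [Fact]
    public async Task ExpiredTokenIsRejected_RefreshTokenRestoresAccess()
    {
        var http = new HttpClient();
        // offline_access must be requested explicitly, otherwise no refresh_token is returned.
        var tokens = await http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = TokenEndpoint, ClientId = ClientId, ClientSecret = ClientSecret,
            UserName = "alice", Password = "password", // assumed test user
            Scope = "sup_api offline_access"
        });
        Assert.False(tokens.IsError, tokens.Error);
        Assert.False(string.IsNullOrEmpty(tokens.RefreshToken));
        // A fresh token is accepted; after lifetime + clock skew the same token must get a 401.
        Assert.Equal(HttpStatusCode.OK, await CallApiAsync(http, tokens.AccessToken));
        await Task.Delay(AccessTokenLifetime + TimeSpan.FromMinutes(5)); // 5 min = JWT bearer default clock skew, the "built-in delay"
        Assert.Equal(HttpStatusCode.Unauthorized, await CallApiAsync(http, tokens.AccessToken));
        // Exchange the refresh token for a new access token and regain access.
        var refreshed = await RefreshAsync(http, tokens.RefreshToken);
        Assert.False(refreshed.IsError, refreshed.Error);
        Assert.Equal(HttpStatusCode.OK, await CallApiAsync(http, refreshed.AccessToken));
        // Refresh tokens are one-time-use by default (TokenUsage.OneTimeOnly): a replay must be refused.
        Assert.True((await RefreshAsync(http, tokens.RefreshToken)).IsError);
    }
    private static Task<TokenResponse> RefreshAsync(HttpClient http, string refreshToken) =>
        http.RequestRefreshTokenAsync(new RefreshTokenRequest
            { Address = TokenEndpoint, ClientId = ClientId, ClientSecret = ClientSecret, RefreshToken = refreshToken });
    private static async Task<HttpStatusCode> CallApiAsync(HttpClient http, string accessToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, ApiUrl);
        request.SetBearerToken(accessToken);
        using var response = await http.SendAsync(request);
        return response.StatusCode;
    }
}
```

The six-minute wait is deliberate: with the default five-minute clock skew of the JWT bearer middleware, a one-minute token is still accepted until roughly minute six, which is the "built-in delay" the answer refers to.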

© www.soinside.com 2019 - 2024. All rights reserved.