IdentityServer4中ResourceOwnerPassword模式获取accecc_token，并使用refresh_token刷新accecc_token

一、IS4服务端配置

1、配置Client

new Client
{
    ClientId = "xamarin",
    ClientSecrets = { new Secret("secret".Sha256()) },
    AccessTokenLifetime = 1800,//设置AccessToken过期时间
    AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
    RefreshTokenExpiration = TokenExpiration.Absolute,
    AbsoluteRefreshTokenLifetime = 3600,
    AllowOfflineAccess = true,//如果要获取refresh_tokens ,必须把AllowOfflineAccess设置为true
    AllowedScopes = new List<string>
    {
        "api",
        StandardScopes.OfflineAccess, //如果要获取refresh_tokens ,必须在scopes中加上OfflineAccess
        StandardScopes.OpenId,//如果要获取id_token,必须在scopes中加上OpenId和Profile，id_token需要通过refresh_tokens获取AccessToken的时候才能拿到（还未找到原因）
        StandardScopes.Profile//如果要获取id_token,必须在scopes中加上OpenId和Profile
    }
}

 2、实现IResourceOwnerPasswordValidator接口，自定义用户登录

public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        //根据context.UserName和context.Password与数据库的数据做校验，判断是否合法
        if (context.UserName == "test" && context.Password == "test")
        {
            context.Result = new GrantValidationResult(
                subject: context.UserName,
                authenticationMethod: OidcConstants.AuthenticationMethods.Password);
        }
        else
        {
            //验证失败
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant,
                "invalid custom credential"
                );
        }
        return Task.FromResult(0);
    }
}

3、在Startup中加入如下配置

services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryApiResources(Config.GetApis())
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryClients(Config.GetClients())
    .AddProfileService<ProfileService>()
    .AddResourceOwnerValidator<ResourceOwnerPasswordValidatorService>();//注入自定义用户登录验证

二、客户端获取access_token+refresh_token

如果是后台代码需要获取access_token+refresh_token，则可以参考官方Samples，https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Clients/src/ConsoleResourceOwnerFlowRefreshToken

如果是前端需要获取access_token+refresh_token，则可以通过 http://localhost:5000/connect/token 接口获取

1、获取access_token+refresh_token

获取access_token+refresh_token的参数配置如下，Content-Type的值是 application/x-www-form-urlencoded

 

 

 2、通过第一步获取到的refresh_token去刷新access_token

注意：

• grant_type改为refresh_token，表明刷新token
• username与password不需要带了
• 添加参数refresh_token，值为获取accecc_token时的refresh_token值

 

 

原文地址：https://www.wandouip.com/t5i43236/