Merge pull request #16504 from abpframework/CheckTokenExpiration

Check token expiration.
3 years ago · 73ed5e63b3
5 changed files with 157 additions and 30 deletions
--- a/framework/src/Volo.Abp.AspNetCore.Authentication.OpenIdConnect/Volo.Abp.AspNetCore.Authentication.OpenIdConnect.csproj
+++ b/framework/src/Volo.Abp.AspNetCore.Authentication.OpenIdConnect/Volo.Abp.AspNetCore.Authentication.OpenIdConnect.csproj
@ -8,10 +8,6 @@
        <RootNamespace />
    </PropertyGroup>

-    <ItemGroup>
-      <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="$(MicrosoftAspNetCorePackageVersion)" />
-    </ItemGroup>
-
    <ItemGroup>
      <ProjectReference Include="..\Volo.Abp.AspNetCore.MultiTenancy\Volo.Abp.AspNetCore.MultiTenancy.csproj" />
      <ProjectReference Include="..\Volo.Abp.AspNetCore.Authentication.OAuth\Volo.Abp.AspNetCore.Authentication.OAuth.csproj" />
--- a/framework/src/Volo.Abp.AspNetCore.Components.Server/Microsoft/AspNetCore/Authentication/Cookies/CookieAuthenticationOptionsExtensions.cs
+++ b/framework/src/Volo.Abp.AspNetCore.Components.Server/Microsoft/AspNetCore/Authentication/Cookies/CookieAuthenticationOptionsExtensions.cs
@ -1,7 +1,9 @@
 using System;
+using System.Threading.Tasks;
 using IdentityModel.Client;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;

 namespace Microsoft.AspNetCore.Authentication.Cookies;
@ -16,41 +18,67 @@ public static class CookieAuthenticationOptionsExtensions
    /// <returns></returns>
    public static CookieAuthenticationOptions IntrospectAccessToken(this CookieAuthenticationOptions options, string oidcAuthenticationScheme = "oidc")
    {
-        var originalHandler = options.Events.OnValidatePrincipal;
        options.Events.OnValidatePrincipal = async principalContext =>
        {
-            originalHandler?.Invoke(principalContext);
+            if (principalContext.Principal == null || principalContext.Principal.Identity == null || !principalContext.Principal.Identity.IsAuthenticated)
+            {
+                return;
+            }
+
+            var logger = principalContext.HttpContext.RequestServices.GetRequiredService<ILogger<CookieAuthenticationOptions>>();

-            if (principalContext.Principal != null && principalContext.Principal.Identity != null && principalContext.Principal.Identity.IsAuthenticated)
+            var accessToken = principalContext.Properties.GetTokenValue("access_token");
+            if (!accessToken.IsNullOrWhiteSpace())
            {
-                var accessToken = principalContext.Properties.GetTokenValue("access_token");
-                if (!accessToken.IsNullOrWhiteSpace())
+                var openIdConnectOptions = await GetOpenIdConnectOptions(principalContext, oidcAuthenticationScheme);
+                var response = await openIdConnectOptions.Backchannel.IntrospectTokenAsync(new TokenIntrospectionRequest
+                {
+                    Address = openIdConnectOptions.Configuration?.IntrospectionEndpoint ?? openIdConnectOptions.Authority.EnsureEndsWith('/') + "connect/introspect",
+                    ClientId = openIdConnectOptions.ClientId,
+                    ClientSecret = openIdConnectOptions.ClientSecret,
+                    Token = accessToken
+                });
+
+                if (response.IsError)
                {
-                    var openIdConnectOptions = principalContext.HttpContext.RequestServices.GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>().Get(oidcAuthenticationScheme);
-                    if (openIdConnectOptions.Configuration == null && openIdConnectOptions.ConfigurationManager != null)
-                    {
-                        openIdConnectOptions.Configuration = await openIdConnectOptions.ConfigurationManager.GetConfigurationAsync(principalContext.HttpContext.RequestAborted);
-                    }
-
-                    var response = await openIdConnectOptions.Backchannel.IntrospectTokenAsync(new TokenIntrospectionRequest
-                    {
-                        Address = openIdConnectOptions.Configuration?.IntrospectionEndpoint ?? openIdConnectOptions.Authority.EnsureEndsWith('/') + "connect/introspect",
-                        ClientId = openIdConnectOptions.ClientId,
-                        ClientSecret = openIdConnectOptions.ClientSecret,
-                        Token = accessToken
-                    });
-
-                    if (response.IsActive)
-                    {
-                        return;
-                    }
+                    logger.LogError(response.Error);
+                    await SignOutAsync(principalContext);
+                    return;
                }

-                principalContext.RejectPrincipal();
-                await principalContext.HttpContext.SignOutAsync(principalContext.Scheme.Name);
+                if (!response.IsActive)
+                {
+                    logger.LogError("The access_token is not active.");
+                    await SignOutAsync(principalContext);
+                    return;
+                }
+
+                logger.LogInformation("The access_token is active.");
+            }
+            else
+            {
+                logger.LogError("The access_token is not found in the cookie properties, Please make sure SaveTokens of OpenIdConnectOptions is set as true.");
+                await SignOutAsync(principalContext);
            }
        };

        return options;
    }
+
+    private async static Task<OpenIdConnectOptions> GetOpenIdConnectOptions(CookieValidatePrincipalContext principalContext, string oidcAuthenticationScheme)
+    {
+        var openIdConnectOptions = principalContext.HttpContext.RequestServices.GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>().Get(oidcAuthenticationScheme);
+        if (openIdConnectOptions.Configuration == null && openIdConnectOptions.ConfigurationManager != null)
+        {
+            openIdConnectOptions.Configuration = await openIdConnectOptions.ConfigurationManager.GetConfigurationAsync(principalContext.HttpContext.RequestAborted);
+        }
+
+        return openIdConnectOptions;
+    }
+
+    private async static Task SignOutAsync(CookieValidatePrincipalContext principalContext)
+    {
+        principalContext.RejectPrincipal();
+        await principalContext.HttpContext.SignOutAsync(principalContext.Scheme.Name);
+    }
 }
--- a/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs
@ -0,0 +1,100 @@
+using System;
+using System.Globalization;
+using System.Threading.Tasks;
+using IdentityModel.Client;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace Microsoft.Extensions.DependencyInjection;
+
+public static class CookieAuthenticationOptionsExtensions
+{
+    /// <summary>
+    /// Check the access_token is expired or inactive.
+    /// </summary>
+    public static CookieAuthenticationOptions CheckTokenExpiration(this CookieAuthenticationOptions options, string oidcAuthenticationScheme = "oidc", TimeSpan? advance = null, TimeSpan? validationInterval = null)
+    {
+        advance ??= TimeSpan.FromMinutes(3);
+        validationInterval ??= TimeSpan.FromMinutes(1);
+        options.Events.OnValidatePrincipal = async principalContext =>
+        {
+            if (principalContext.Principal == null || principalContext.Principal.Identity == null || !principalContext.Principal.Identity.IsAuthenticated)
+            {
+                return;
+            }
+
+            var logger = principalContext.HttpContext.RequestServices.GetRequiredService<ILogger<CookieAuthenticationOptions>>();
+
+            var tokenExpiresAt = principalContext.Properties.Items[".Token.expires_at"];
+            if (DateTimeOffset.TryParseExact(tokenExpiresAt, "o", null, DateTimeStyles.RoundtripKind, out var expiresAt) &&
+                expiresAt < DateTimeOffset.UtcNow.Subtract(advance.Value))
+            {
+                logger.LogInformation("The access_token is expired.");
+                await SignOutAsync(principalContext);
+                return;
+            }
+
+            if (principalContext.Properties.IssuedUtc != null && DateTimeOffset.UtcNow.Subtract(principalContext.Properties.IssuedUtc.Value) > validationInterval)
+            {
+                logger.LogInformation($"Check the access_token is active every {validationInterval.Value.TotalSeconds} seconds.");
+                var accessToken = principalContext.Properties.GetTokenValue("access_token");
+                if (!accessToken.IsNullOrWhiteSpace())
+                {
+                    var openIdConnectOptions = await GetOpenIdConnectOptions(principalContext, oidcAuthenticationScheme);
+
+                    var response = await openIdConnectOptions.Backchannel.IntrospectTokenAsync(new TokenIntrospectionRequest
+                    {
+                        Address = openIdConnectOptions.Configuration?.IntrospectionEndpoint ?? openIdConnectOptions.Authority.EnsureEndsWith('/') + "connect/introspect",
+                        ClientId = openIdConnectOptions.ClientId,
+                        ClientSecret = openIdConnectOptions.ClientSecret,
+                        Token = accessToken
+                    });
+
+                    if (response.IsError)
+                    {
+                        logger.LogError(response.Error);
+                        await SignOutAsync(principalContext);
+                        return;
+                    }
+
+                    if (!response.IsActive)
+                    {
+                        logger.LogError("The access_token is not active.");
+                        await SignOutAsync(principalContext);
+                        return;
+                    }
+
+                    logger.LogInformation("The access_token is active.");
+                    principalContext.ShouldRenew = true;
+                }
+                else
+                {
+                    logger.LogError("The access_token is not found in the cookie properties, Please make sure SaveTokens of OpenIdConnectOptions is set as true.");
+                    await SignOutAsync(principalContext);
+                }
+            }
+        };
+
+        return options;
+    }
+
+    private async static Task<OpenIdConnectOptions> GetOpenIdConnectOptions(CookieValidatePrincipalContext principalContext, string oidcAuthenticationScheme)
+    {
+        var openIdConnectOptions = principalContext.HttpContext.RequestServices.GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>().Get(oidcAuthenticationScheme);
+        if (openIdConnectOptions.Configuration == null && openIdConnectOptions.ConfigurationManager != null)
+        {
+            openIdConnectOptions.Configuration = await openIdConnectOptions.ConfigurationManager.GetConfigurationAsync(principalContext.HttpContext.RequestAborted);
+        }
+
+        return openIdConnectOptions;
+    }
+
+    private async static Task SignOutAsync(CookieValidatePrincipalContext principalContext)
+    {
+        principalContext.RejectPrincipal();
+        await principalContext.HttpContext.SignOutAsync(principalContext.Scheme.Name);
+    }
+}
--- a/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj
+++ b/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj
@ -26,6 +26,8 @@
    <ProjectReference Include="..\Volo.Abp.Uow\Volo.Abp.Uow.csproj" />
    <ProjectReference Include="..\Volo.Abp.Validation\Volo.Abp.Validation.csproj" />
    <ProjectReference Include="..\Volo.Abp.VirtualFileSystem\Volo.Abp.VirtualFileSystem.csproj" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="$(MicrosoftAspNetCorePackageVersion)" />
+    <PackageReference Include="IdentityModel" Version="6.0.0" />
  </ItemGroup>

 </Project>
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web.Host/MyProjectNameWebModule.cs
+++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web.Host/MyProjectNameWebModule.cs
@ -145,6 +145,7 @@ public class MyProjectNameWebModule : AbpModule
            .AddCookie("Cookies", options =>
            {
                options.ExpireTimeSpan = TimeSpan.FromDays(365);
+                options.CheckTokenExpiration();
            })
            .AddAbpOpenIdConnect("oidc", options =>
            {
@ -232,7 +233,7 @@ public class MyProjectNameWebModule : AbpModule
            dataProtectionBuilder.PersistKeysToStackExchangeRedis(redis, "MyProjectName-Protection-Keys");
        }
    }
-    
+
    private void ConfigureDistributedLocking(
        ServiceConfigurationContext context,
        IConfiguration configuration)