lsm/openiddict-documentation
1
0
Fork 0
mirror of https://gitee.com/dcren/openiddict-documentation.git synced 2025-07-15 23:13:34 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
0d4088aac0
openiddict-documentation/configuration/token-storage.html
OpenIddict Bot a9643a903c Update the documentation pages
2022-01-07 17:58:08 +00:00

165 lines
8.8 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<!--[if IE]><![endif]-->
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Token storage </title>
<meta name="viewport" content="width=device-width">
<meta name="title" content="Token storage ">
<meta name="generator" content="docfx 2.56.7.0">
<link rel="shortcut icon" href="../images/favicon.ico">
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500;700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/styles/night-owl.min.css">
<link rel="stylesheet" href="../styles/colors.css">
<link rel="stylesheet" href="../styles/discord.css">
<link rel="stylesheet" href="../styles/main.css">
<meta property="docfx:navrel" content="../toc.html">
<meta property="docfx:tocrel" content="toc.html">
</head>
<body>
<div class="top-navbar">
<a href="javascript:void(0);" class="burger-icon" onclick="toggleMenu()">
<svg name="Hamburger" style="vertical-align: middle;" width="24" height="24" viewbox="0 0 24 24"><path fill="currentColor" fill-rule="evenodd" clip-rule="evenodd" d="M20 6H4V9H20V6ZM4 10.999H20V13.999H4V10.999ZM4 15.999H20V18.999H4V15.999Z"></path></svg>
</a>
<a class="brand" href="../index.html">
<img src="../images/logo.png" alt="OpenIddict" class="logomark">
<span class="brand-title">OpenIddict</span>
</a>
</div>
<div class="body-content">
<div id="blackout" class="blackout" onclick="toggleMenu()"></div>
<nav id="sidebar" role="navigation">
<div class="sidebar">
<div>
<a class="brand" href="../index.html">
<img src="../images/logo.png" alt="OpenIddict" class="logomark">
<span class="brand-title">OpenIddict</span>
</a>
<div id="navbar">
</div>
</div>
<div class="sidebar-item-separator"></div>
<div id="sidetoggle">
<div id="sidetoc"></div>
</div>
</div>
<div class="footer">
<span>Generated by <strong>DocFX</strong></span>
</div>
</nav>
<main class="main-panel">
<div role="main" class="hide-when-search">
<div class="subnav navbar navbar-default">
<div class="container hide-when-search" id="breadcrumb">
<ul class="breadcrumb">
<li></li>
</ul>
</div>
</div>
<article class="content wrap" id="_content" data-uid="">
<h1 id="token-storage">Token storage</h1>
<p>To keep track of all the tokens produced by its server services, OpenIddict 3.0 creates a token entry in the database for each generated token.
A token entry contains metadata like the subject of the token, the client identifier of the application it was issued to or its creation and expiration dates.</p>
<p>By default, the token payload generated using either the
<a href="https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/">Azure Active Directory IdentityModel Extensions for .NET library</a> for JWT tokens or
<a href="https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/introduction">ASP.NET Core Data Protection</a> for Data Protection tokens is never stored in the database,
except for authorization codes (that are short-lived), device and user codes (exclusively used in the device code flow).</p>
<p>Such tokens called reference tokens are not returned as-is to the caller: instead, their payload is stored in the database entry and a crypto-secure random 256-bit identifier
called reference identifier is returned as a base64url-encoded string and serves as the &quot;final&quot; token used by the client application when communicating with OpenIddict&#39;s endpoints
or with resource servers (if reference access tokens are enabled in the server options).</p>
<div class="NOTE"><h5>Note</h5><p>In OpenIddict 3.0, the ability to revoke a token is not tied to the token format and doesn&#39;t require enabling reference tokens:
regular JWT or ASP.NET Core Data Protection tokens can be revoked as long as token storage is not explicitly disabled in the server options.</p>
</div>
<h2 id="enabling-reference-access-andor-refresh-tokens">Enabling reference access and/or refresh tokens</h2>
<p>Reference access and refresh tokens can be manually enabled in the server options for developers who prefer returning
shorter access and/or refresh tokens or need to deal with limits that would prevent sending large tokens over the wire.</p>
<div class="CAUTION"><h5>Caution</h5><p>When enabling reference access and/or refresh tokens support, it is STRONGLY recommended to either:</p>
<ul>
<li>Use the ASP.NET Core Data Protection format for access and refresh tokens, as they benefit from additional security measures that would prevent them from being sent as-is if
they were stolen from the database. For more information on how to enable ASP.NET Core Data Protection, read <a href="token-formats.html">Token formats</a>.</li>
<li>Enable column encryption/data at rest encryption to protect the <code>Payload</code> column of token entries.</li>
</ul>
</div>
<pre><code class="lang-csharp">services.AddOpenIddict()
.AddServer(options =&gt;
{
options.UseReferenceAccessTokens()
.UseReferenceRefreshTokens();
});
</code></pre><h2 id="enabling-token-entry-validation-at-the-api-level">Enabling token entry validation at the API level</h2>
<p><strong>For performance reasons, OpenIddict 3.0 doesn&#39;t check, by default, the status of a token entry when receiving an API request</strong>: access tokens are considered valid until they expire.
For scenarios that require immediate access token revocation, the OpenIddict validation handler can be configured to enforce token entry validation for each API request:</p>
<div class="NOTE"><h5>Note</h5><p>Enabling token entry validation requires that the OpenIddict validation handler have a direct access to the server database where tokens are stored, which makes it
better suited for APIs located in the same application as the authorization server. For external applications, consider using introspection instead of local validation.</p>
<p>In both cases, additional latency caused by the additional DB request and the HTTP call for introspection is expected.</p>
</div>
<pre><code class="lang-csharp">services.AddOpenIddict()
.AddValidation(options =&gt;
{
options.EnableTokenEntryValidation();
});
</code></pre><h2 id="disabling-token-storage">Disabling token storage</h2>
<p>While STRONGLY discouraged, token storage can be disabled in the server options:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
.AddServer(options =&gt;
{
options.DisableTokenStorage();
});
</code></pre><div class="WARNING"><h5>Warning</h5><p>Disabling token storage prevents reference access or refresh tokens support from being enabled, as this requires storing the tokens in the database.</p>
</div>
</article>
</div>
</main>
</div>
<script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js" integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/js/bootstrap.min.js" integrity="sha384-OgVRvuATP1z7JjHLkuOU7Xw704+h835Lr+6QL9UvYjZE3Ipu6Tp75j7Bh/kR0JKI" crossorigin="anonymous"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/highlight.min.js"></script>
<script type="text/javascript" src="../styles/jquery.twbsPagination.js"></script>
<script type="text/javascript" src="../styles/url.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/anchor-js/anchor.min.js"></script>
<script type="text/javascript" src="../styles/docfx.js"></script>
<script type="text/javascript" src="../styles/main.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink