令牌注销只针对引用令牌(reference token),官方翻译叫令牌撤销端点。
和自检端点一样,下面列出关键点:
URL方法:
POST /connect/revocation HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic xxxyyy token=<token>& token_type_hint=refresh_token //可选,固定值:access_token或refresh_token
这里的关键点: Basic xxxyyy 是怎么来的
与自检端点有点小区别
Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", ClientId, ClientSecret)));
Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", "roclient.reference", "secret"))); 参考自检端点文章的设置
postman方式:
编程方式:
var disco = await _cache.GetAsync(); if (disco.IsError) throw new Exception(disco.Error); var client = new HttpClient(); var result = await client.RevokeTokenAsync(new TokenRevocationRequest { Address = disco.RevocationEndpoint, ClientId = "roclient.reference", ClientSecret = "secret", Token = accessToken }); if (result.IsError) { Console.WriteLine(result.Error); } else { Console.WriteLine(result.HttpErrorReason); }
注销端点可以重复发,都会返回200,实际上令牌已经注销,使用令牌自检端点可以查看到令牌已经注销了
参考地址:
https://identityserver4.readthedocs.io/en/latest/endpoints/revocation.html
https://identitymodel.readthedocs.io/en/latest/client/revocation.html