Azure Active Directory token + refresh token
Problem description:
I am letting Active Directory users access our application (I created an application and registered it in AD), but I cannot get a refresh token from the token response.
In Startup.cs I define the OpenID Connect options:
    using System.Threading.Tasks;
    using System.IdentityModel.Tokens;          // TokenValidationParameters (System.IdentityModel.Tokens.Jwt 4.x)
    using Microsoft.IdentityModel.Protocols;    // OpenIdConnectRequestType; 3.x OWIN stack, where the member is .AuthenticationRequest
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        // Authority (the tenant's v1 endpoint, e.g. "https://login.microsoftonline.com/<tenant>")
        // is defined elsewhere in this class.
        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                SlidingExpiration = true
            });
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = ApiConstants.AAD_WebClientId,
                    Authority = Authority,
                    // Keep the validated id_token on the identity (BootstrapContext).
                    TokenValidationParameters = new TokenValidationParameters { SaveSigninToken = true },
                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        RedirectToIdentityProvider = context =>
                        {
                            if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                            {
                                // ensure https before redirecting to Azure
                                if (!context.Request.IsSecure)
                                {
                                    context.Response.Redirect(
                                        $"https://{context.Request.Uri.Authority}{context.Request.Uri.AbsolutePath}");
                                    context.HandleResponse();
                                    return Task.FromResult(0);
                                }
                            }
                            return Task.FromResult(0);
                        },
                        // If there is a code in the OpenID Connect response,
                        // redeem it for an access token and refresh token, and store those away.
                        // The middleware itself only validates the id_token; the code is redeemed in this handler.
                        AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                        AuthenticationFailed = OnAuthenticationFailed
                    }
                });
        }
    }
My OnAuthorizationCodeReceived method is:
    using System;
    using System.Threading.Tasks;
    using System.Web;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL: AuthenticationContext, ClientCredential, AuthenticationResult
    using Microsoft.Owin.Security.Notifications;             // AuthorizationCodeReceivedNotification

    public partial class Startup
    {
        private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
        {
            var code = context.Code;
            // ClientCredential takes the client id and the client secret string registered for the app.
            ClientCredential credential = new ClientCredential(ApiConstants.AAD_WebClientId, ApiConstants.AAD_CertWeb);
            // No TokenCache is passed here, so this AuthenticationContext uses ADAL's default cache.
            AuthenticationContext authContext = new AuthenticationContext(Authority);
            // If you create the redirectUri this way, it will contain a trailing slash.
            // Make sure you've registered the same exact Uri in the Azure Portal (including the slash).
            var builder = new UriBuilder(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
            builder.Scheme = "https";
            if (builder.Uri.IsDefaultPort)
            {
                builder.Port = -1;   // drop the explicit :443 so redirect_uri matches the registered value
            }
            //context.AuthenticationTicket.Properties.RedirectUri = builder.ToString();
            // this doesn't return a refresh token???
            AuthenticationResult result =
                await
                authContext.AcquireTokenByAuthorizationCodeAsync(code, builder.Uri, credential,
                    ApiConstants.AAD_Audience);
            // result.AccessToken and result.ExpiresOn are populated here; nothing is persisted yet.
        }
    }
The problem is that the returned token does not have a refresh token, and it does not slide either, so we get signed out every hour. Is there anything I can turn on in Active Directory or in my application to receive a refresh token?
Or am I receiving a refresh token, but the AuthenticationResult
class does not expose that property to me?
Answer
Just stumbled across this while investigating the same issue.
If you use a tool like Fiddler to monitor the network traffic, you will see that the refresh_token is indeed returned; it is simply not exposed.
The following link provides more information.
There is a good explanation here too: https://dzimchuk.net/adal-distributed-token-cache-in-asp-net-core/ – DavidReid
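What the answer observes on the wire is how ADAL .NET 3.x works by design: the refresh token is stored inside the library's TokenCache rather than surfaced on AuthenticationResult, and ADAL redeems it itself when AcquireTokenSilentAsync finds the cached access token expired. The pattern the linked article describes is therefore to persist that cache per user on the server side. The code below is an added example written for this page; it is not from the question, the answer or the linked article. PerUserTokenCache, TokenBroker, the in-memory Store (a stand-in for a shared store such as SQL or Redis), the MachineKey purpose string and the objectidentifier claim lookup are assumptions for illustration; ApiConstants and the authority string are the question's own names.

```csharp
// Added example, not code from the original page: a per-user ADAL 3.x token
// cache persisted server-side, plus a broker that redeems the auth code into
// it and later gets fresh access tokens silently. PerUserTokenCache,
// TokenBroker and Store are illustrative names; ApiConstants is the question's.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Security;                              // MachineKey.Protect/Unprotect
using Microsoft.IdentityModel.Clients.ActiveDirectory;  // ADAL 3.x

// One ADAL cache per signed-in user. The serialized blob contains the refresh
// token, i.e. a long-lived bearer credential for that user, so it is protected
// at rest and keyed by the user's object id, never by anything client-chosen.
public class PerUserTokenCache : TokenCache
{
    private const string Purpose = "AdalTokenCache";
    // Stand-in for a store reachable from every web node (SQL, Redis, ...).
    private static readonly ConcurrentDictionary<string, byte[]> Store =
        new ConcurrentDictionary<string, byte[]>();
    private readonly string _userObjectId;

    public PerUserTokenCache(string userObjectId)
    {
        _userObjectId = userObjectId;
        BeforeAccess = OnBeforeAccess;
        AfterAccess = OnAfterAccess;
    }

    // ADAL is about to read the cache: load this user's blob, if any.
    private void OnBeforeAccess(TokenCacheNotificationArgs args)
    {
        byte[] blob;
        if (Store.TryGetValue(_userObjectId, out blob))
        {
            Deserialize(MachineKey.Unprotect(blob, Purpose));
        }
    }

    // ADAL is done: write back only if it added or rotated a token.
    private void OnAfterAccess(TokenCacheNotificationArgs args)
    {
        if (HasStateChanged)
        {
            Store[_userObjectId] = MachineKey.Protect(Serialize(), Purpose);
            HasStateChanged = false;
        }
    }

    public override void Clear()
    {
        base.Clear();
        byte[] removed;
        Store.TryRemove(_userObjectId, out removed);
    }
}

public static class TokenBroker
{
    private const string ObjectIdClaim =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private static readonly ClientCredential Credential =
        new ClientCredential(ApiConstants.AAD_WebClientId, ApiConstants.AAD_CertWeb);

    // The id_token is already validated when AuthorizationCodeReceived fires,
    // so the user's object id can be read from context.AuthenticationTicket.Identity.
    public static string UserObjectId(ClaimsIdentity identity)
    {
        return identity.FindFirst(ObjectIdClaim).Value;
    }

    // Call from OnAuthorizationCodeReceived: the access/refresh token pair
    // returned for the code lands in this user's persisted cache.
    public static Task<AuthenticationResult> RedeemCodeAsync(
        string authority, string userObjectId, string code, Uri redirectUri)
    {
        var authContext = new AuthenticationContext(authority, new PerUserTokenCache(userObjectId));
        return authContext.AcquireTokenByAuthorizationCodeAsync(
            code, redirectUri, Credential, ApiConstants.AAD_Audience);
    }

    // Call whenever the app needs a token for AAD_Audience. ADAL returns the cached
    // access token while valid and redeems the cached refresh token when it is not;
    // neither path involves the user. Returns null when the refresh token itself is
    // gone (expired, revoked, password changed): the caller must re-run sign-in.
    public static async Task<string> GetAccessTokenAsync(string authority, string userObjectId)
    {
        var cache = new PerUserTokenCache(userObjectId);
        var authContext = new AuthenticationContext(authority, cache);
        try
        {
            AuthenticationResult result = await authContext.AcquireTokenSilentAsync(
                ApiConstants.AAD_Audience, Credential,
                new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
            return result.AccessToken;
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            cache.Clear();   // drop stale entries so the next sign-in starts clean
            return null;
        }
    }
}
```

Application code never needs the refresh token string itself; handing it out would only widen the blast radius of a leak, so the library keeping it private is the safer default. Two caveats for the question's setup: the cache blob must be keyed by the validated object id claim, never by a session value the browser controls, and a refresh token on its own does not keep the user signed in. In this version of the OWIN middleware `OpenIdConnectAuthenticationOptions.UseTokenLifetime` defaults to true, which makes the session cookie expire with the id_token (about an hour) regardless of `SlidingExpiration = true` on the cookie middleware; set `UseTokenLifetime = false` if the cookie's sliding expiry should govern the session.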