我正在使用Vue.js SPA。该网站在一台主机web.xxxx.com上运行,而api在另一台主机api.xxxx.com上运行。 API调用是安全的,我们使用ADAL登录,注销,并向API提供登录用户的令牌。在Vue中,我们按如下方式设置拦截器(getToken是acquireToken的包装器,它返回一个promise):
Vue.http.interceptors.push((request, next) => {
// if this is a call to API, then set up auth
Vue.http.options.xhr = {withCredentials: true};
getToken()
.then((token) => {
request.headers.set('Authorization', `Bearer ${token}`);
next();
})
.catch((err) => {
throw new Error(err);
});
});
这按预期工作;无论何时启动HTTP请求,拦截器都会设置其他标头并关闭它。
然而,adal.js并未更新令牌。一小时后,我的登录用户不再登录,尽管与API交互。我甚至尝试过这样做,以确保令牌不被刷新:
// ping every minute...
window.setInterval(() => {
getToken().then((token) => { window.Logging.log('GOT IT!!!', token); });
}, 60 * 1000);
55分钟后,这些条目将显示在客户端日志中。我编辑了任何可能敏感的内容,应该注意这需要很长时间,因为我手动单步执行调试器中的所有调用:
Fri, 21 Apr 2017 22:11:32 GMT:1.0.14-VERBOSE: renewing idtoken
Fri, 21 Apr 2017 22:11:45 GMT:1.0.14-INFO: renewIdToken is called
Fri, 21 Apr 2017 22:12:08 GMT:1.0.14-INFO: Add adal frame to document:adalIdTokenFrame
Fri, 21 Apr 2017 22:13:26 GMT:1.0.14-VERBOSE: Renew Idtoken Expected state: <REDACTED>
Fri, 21 Apr 2017 22:13:36 GMT:1.0.14-INFO: Navigate url:https://login.microsoftonline.com/<REDACTED>&x-client-SKU=Js&x-client-Ver=1.0.14
Fri, 21 Apr 2017 22:14:06 GMT:1.0.14-VERBOSE: Navigate to:https://login.microsoftonline.com/<REDACTED>
Fri, 21 Apr 2017 22:14:14 GMT:1.0.14-VERBOSE: Set loading state to pending for: <REDACTED>
Fri, 21 Apr 2017 22:14:14 GMT:1.0.14-INFO: LoadFrame: adalIdTokenFrame
Fri, 21 Apr 2017 22:14:53 GMT:1.0.14-INFO: Add adal frame to document:adalIdTokenFrame
Fri, 21 Apr 2017 22:15:01 GMT:1.0.14-INFO: LoadFrame: adalIdTokenFrame
Fri, 21 Apr 2017 22:15:06 GMT:1.0.14-INFO: Add adal frame to document:adalIdTokenFrame
2017-04-21 18:15:07.866 vue.common.js:6183 You are running Vue in development mode.
Make sure to turn on production mode when deploying for production.
See more tips at https://vuejs.org/guide/deployment.html
Fri, 21 Apr 2017 22:15:10 GMT:1.0.14-VERBOSE: State: <REDACTED>
Fri, 21 Apr 2017 22:15:10 GMT:1.0.14-INFO: Returned from redirect url
Fri, 21 Apr 2017 22:15:10 GMT:1.0.14-INFO: State status:false; Request type:UNKNOWN
Fri, 21 Apr 2017 22:15:10 GMT:1.0.14-INFO: Error :login_required; Error description:AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).
Trace ID: <REDACTED>
Correlation ID: <REDACTED>
Timestamp: 2017-04-21 22:15:01Z
非常感谢您对此的持续帮助,非常感谢。
EDITED ...添加了日志输出。