I am trying to implement sign-in in my UWP app using Azure Active Directory. That part works, but I cannot refresh the token once it expires: I always get the error "Refresh failed with a 403 Forbidden error. The refresh token was revoked or expired." and have to open the login window again. I am using version 2.1.0 and the following code to authenticate:
```csharp
private async Task<bool> AuthenticateAsync(bool forceRelogon = false)
{
    //string message;
    bool success = false;
    // Use the PasswordVault to securely store and access credentials.
    PasswordVault vault = new PasswordVault();
    PasswordCredential credential = null;
    //Set the Auth provider
    MobileServiceAuthenticationProvider provider = MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory;
    MobileServiceUser user = null;
    try
    {
        // Try to get an existing credential from the vault.
        var credentials = vault.FindAllByResource(provider.ToString());
        credential = credentials.FirstOrDefault();
    }
    catch (Exception ex)
    {
        // When there is no matching resource an error occurs, which we ignore.
        Debug.WriteLine(ex);
    }
    if (credential != null && !forceRelogon)
    {
        // Create a user from the stored credentials.
        user = new MobileServiceUser(credential.UserName);
        credential.RetrievePassword();
        user.MobileServiceAuthenticationToken = credential.Password;
        // Set the user from the stored credentials.
        App.MobileService.CurrentUser = user;
        //message = string.Format($"Cached credentials for user - {user.UserId}");
        // Consider adding a check to determine if the token is
        // expired, as shown in this post: http://aka.ms/jww5vp.
        if (RedemptionApp.ExtensionMethods.TokenExtension.IsTokenExpired(App.MobileService))
        {
            try
            {
                await App.MobileService.RefreshUserAsync();
            }
            catch (Exception ex)
            {
                Debug.WriteLine(ex);
            }
        }
        success = true;
    }
    else
    {
        try
        {
            // Login with the identity provider.
            user = await App.MobileService
                .LoginAsync(provider);
            // Create and store the user credentials.
            if (credential != null)
                vault.Remove(credential);
            credential = new PasswordCredential(provider.ToString(),
                user.UserId, user.MobileServiceAuthenticationToken);
            vault.Add(credential);
            success = true;
            //message = string.Format($"You are now logged in - {user.UserId}");
        }
        catch (MobileServiceInvalidOperationException)
        {
            //message = "You must log in. Login Required";
        }
    }
    //var dialog = new MessageDialog(message);
    //dialog.Commands.Add(new UICommand("OK"));
    //await dialog.ShowAsync();
    return success;
}
```
Can anyone see what I am doing wrong, or is there anything that needs to be done on the AAD service provider side?

Answer 0 (score: 1)
You can get more precise information by looking at the server-side application logs. Token refresh failure details are logged there automatically. More on application logs here: https://azure.microsoft.com/en-us/documentation/articles/web-sites-enable-diagnostic-log/. I recommend setting the trace level to Informational or Verbose.

Also, if you have not done so already, Azure AD requires some extra configuration to enable refresh tokens. Specifically, you need to configure a "client secret" and enable the OpenID Connect hybrid flow. See this blog post for details: https://cgillum.tech/2016/03/07/app-service-token-store/ (scroll down to the Refresh Tokens section and look at where it describes the AAD flow).

Answer 1 (score: 0)
Apart from what has been said about the mobile app configuration, here is what I can spot.

You have:

```csharp
// Login with the identity provider.
user = await App.MobileService.LoginAsync(provider);
```

It should be:

```csharp
user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
    new Dictionary<string, string>() {{ "response_type", "code id_token" }});
```

Maybe this will help: https://azure.microsoft.com/en-us/blog/mobile-apps-easy-authentication-refresh-token-support/
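An added example (not code from the question or either answer) that combines both answers with the expiry check the question's comment points to: it decodes the `exp` claim of the cached App Service session token locally, refreshes only when the token is about to expire, and on the 403 described in the question discards the stale session and falls back to an interactive login with the `response_type=code id_token` hybrid-flow parameters. It assumes the Azure Mobile Client SDK 2.1.0+ API used on this page (`MobileServiceClient`, `RefreshUserAsync`, the `LoginAsync(provider, parameters)` overload) plus Newtonsoft.Json, which that SDK already depends on; `AadSessionHelper`, `IsExpiringSoon` and `EnsureSessionAsync` are names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.MobileServices;
using Newtonsoft.Json.Linq;

public static class AadSessionHelper   // hypothetical helper, not part of the SDK
{
    // Hybrid-flow parameters from Answer 1; without them App Service never receives an
    // authorization code from AAD and therefore has no refresh token to use later.
    private static readonly Dictionary<string, string> HybridFlow =
        new Dictionary<string, string> { { "response_type", "code id_token" } };

    // Local, unverified decode of the "exp" claim, used only to decide when to refresh;
    // the backend still validates the token on every request.
    public static bool IsExpiringSoon(string jwt, TimeSpan skew)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return true;             // not a JWT: treat as expired
        string p = parts[1].Replace('-', '+').Replace('_', '/');
        p = p.PadRight(p.Length + (4 - p.Length % 4) % 4, '=');   // base64url -> base64
        long exp = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(p)))
                          .Value<long>("exp");
        return DateTimeOffset.FromUnixTimeSeconds(exp) - DateTimeOffset.UtcNow < skew;
    }

    // Reuses the cached session while valid, refreshes it when it is about to expire, and
    // on 403 (refresh token revoked or expired) drops it and logs in interactively.
    // The caller writes the returned user's token back to the PasswordVault.
    public static async Task<MobileServiceUser> EnsureSessionAsync(
        MobileServiceClient client, MobileServiceUser cached)
    {
        if (cached != null)
        {
            client.CurrentUser = cached;
            if (!IsExpiringSoon(cached.MobileServiceAuthenticationToken, TimeSpan.FromMinutes(5)))
                return cached;
            try
            {
                return await client.RefreshUserAsync();
            }
            catch (MobileServiceInvalidOperationException ex)
                when (ex.Response?.StatusCode == HttpStatusCode.Forbidden)
            {
                client.CurrentUser = null;              // never keep using a revoked session
            }
        }
        return await client.LoginAsync(
            MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory, HybridFlow);
    }
}
```

The 403 branch only triggers a new interactive login; whether a refresh token exists at all still depends on the client secret and hybrid-flow configuration described in Answer 0.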