Azure Active Directory令牌+刷新令牌

时间:2017-06-01 21:44:20

标签: c# authentication active-directory refresh-token

我使用Active Directory访问我们的应用程序(我已经创建了一个应用并在AD中注册了它),但是无法从令牌响应中获取刷新令牌。

在Startup.cs中我定义了Open Id Connect选项:

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            SlidingExpiration = true
        });

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = ApiConstants.AAD_WebClientId,
                Authority = Authority,
                TokenValidationParameters = new TokenValidationParameters { SaveSigninToken = true,  },
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    RedirectToIdentityProvider = context =>
                    {
                        if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                        {
                            // ensure https before redirecting to Azure
                            if (!context.Request.IsSecure)
                            {
                                context.Response.Redirect(
                                    $"https://{context.Request.Uri.Authority}{context.Request.Uri.AbsolutePath}");
                                context.HandleResponse();
                                return Task.FromResult(0);
                            }
                        }

                        return Task.FromResult(0);
                    },

                    // If there is a code in the OpenID Connect response, 
                    // redeem it for an access token and refresh token, and store those away.
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                    AuthenticationFailed = OnAuthenticationFailed
                }
            });

我的OnAuthorizationCodeReceived方法是:

private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
    {
        var code = context.Code;

        ClientCredential credential = new ClientCredential(ApiConstants.AAD_WebClientId, ApiConstants.AAD_CertWeb);
        AuthenticationContext authContext = new AuthenticationContext(Authority);

        // If you create the redirectUri this way, it will contain a trailing slash.  
        // Make sure you've registered the same exact Uri in the Azure Portal (including the slash).
        var builder = new UriBuilder(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
        builder.Scheme = "https";
        if (builder.Uri.IsDefaultPort)
        {
            builder.Port = -1;
        }
        //n.AuthenticationTicket.Properties.RedirectUri = builder.ToString();

        // this doesn't return a refresh token???
        AuthenticationResult result =
            await
                authContext.AcquireTokenByAuthorizationCodeAsync(code, builder.Uri, credential,
                    ApiConstants.AAD_Audience);
    }

问题是,返回的令牌没有刷新令牌,也没有滑动所以我们每小时都会被注销。我可以在Active Directory或我的应用程序中执行任何操作来打开/接收刷新令牌吗?

或者我是否收到刷新令牌,但AuthenticationResult班并未将此属性公开给我?

1 个答案:

答案 0 :(得分:0)

在调查同一问题时偶然发现了这一点。

如果您使用像Fiddler这样的工具监控网络流量,您会看到确实返回了refresh_token,它只是没有公开。

以下链接提供了更多信息。

http://www.cloudidentity.com/blog/2015/08/13/adal-3-didnt-return-refresh-tokens-for-5-months-and-nobody-noticed/