Azure AD Adal4j token JWT is not signed after using the refresh token

Time: 2017-09-29 06:44:16

Tags: azure oauth azure-active-directory adal4j

I am developing an authentication service for a web-based Java application using the Azure AD OpenID Connect framework. I am using adal4j-1.2.0.jar for the authentication behaviour. I receive the JWT claims and am able to validate them.

But when the 60-minute session timeout occurs and I try to obtain new token claims using the refresh token, the new tokens are not signed JWTs. They are plain JWTs.

I am using the following call to obtain a token with the initial refresh token, which I am caching:

acquireTokenByRefreshToken(refreshToken, credential, null, null);

For token validation I use the following code:

IDTokenValidator validator = new IDTokenValidator(issuer, clientID, JWSAlgo, URL);
validator.validate(idToken, expectedNonce); // this line throws BadJWTException: Signed ID token expected

Can anyone help me understand how to redeem the refresh token to get a new signed token? Or is the new token always a plain JWT after redeeming the refresh token?
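What the validator above rejects is an unsecured JWT: a JOSE header with alg "none" and an empty third (signature) segment, which is what a "plain JWT" is. The following added example (not from the question, the answers or adal4j) classifies a compact token before it reaches IDTokenValidator, so a service can refuse unsigned id_tokens explicitly and log that instead of catching BadJWTException; the sample tokens are constructed here, and the tenant, client, kid and signature values are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Classifies a compact JWT before it is handed to IDTokenValidator (added example, not adal4j code). */
public final class IdTokenPrecheck {

    public enum Kind { SIGNED_JWS, UNSECURED_PLAIN, MALFORMED }

    /** Pulls the "alg" value out of the base64url JOSE header; a real service would use a JSON parser. */
    static String headerAlg(String headerSegment) {
        String header = new String(Base64.getUrlDecoder().decode(headerSegment), StandardCharsets.UTF_8);
        int i = header.indexOf("\"alg\"");
        if (i < 0) return null;
        int q1 = header.indexOf('"', header.indexOf(':', i) + 1);
        int q2 = q1 < 0 ? -1 : header.indexOf('"', q1 + 1);
        return (q1 < 0 || q2 < 0) ? null : header.substring(q1 + 1, q2);
    }

    /** No signature is verified here: this only tells a JWS apart from an unsecured (alg=none) JWT. */
    public static Kind classify(String compactJwt) {
        String[] parts = compactJwt.split("\\.", -1);  // -1 keeps the empty third segment of "header.claims."
        if (parts.length != 3) return Kind.MALFORMED;  // a JWS in compact form always has exactly three segments
        String alg;
        try {
            alg = headerAlg(parts[0]);
        } catch (IllegalArgumentException e) {         // header segment is not valid base64url
            return Kind.MALFORMED;
        }
        if (alg == null) return Kind.MALFORMED;
        if (alg.equalsIgnoreCase("none") || parts[2].isEmpty()) return Kind.UNSECURED_PLAIN;
        return Kind.SIGNED_JWS;
    }

    static String b64url(String s) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample tokens; issuer, audience, kid and signature bytes are placeholders, not real values
        String claims = b64url("{\"iss\":\"https://sts.windows.net/<tenant-id>/\",\"aud\":\"<client-id>\",\"nonce\":\"n1\"}");
        String plain  = b64url("{\"typ\":\"JWT\",\"alg\":\"none\"}") + "." + claims + ".";
        String signed = b64url("{\"typ\":\"JWT\",\"alg\":\"RS256\",\"kid\":\"<kid>\"}") + "." + claims + "."
                + b64url("<signature-bytes>");
        System.out.println("plain  -> " + classify(plain));   // UNSECURED_PLAIN: do not trust these claims
        System.out.println("signed -> " + classify(signed));  // SIGNED_JWS: still must pass IDTokenValidator.validate
    }
}
```

A SIGNED_JWS result is only a precondition: the signature, issuer, audience, expiry and nonce are still checked by IDTokenValidator.validate, never by this pre-check.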

2 answers:

Answer 0 (score: 1)

I believe you are using the implicit grant flow to obtain the token. You are getting the token from the authorization endpoint. In this flow you will not be able to get a refresh token. You need to obtain a new token after the session expires, or create a hidden iframe that can obtain a token before the session expires.

Answer 1 (score: 0)

You can refer to the official doc on obtaining an access token and refresh token with the code grant flow.

Actually, the methods in adal4j are implemented via the HTTP REST API, so you can refer to the code below to request the AuthorizationCode:

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

public class AuthorizeRequest {

    // Placeholders for the tenant and app registration (not real values)
    static String tenantId = "<tenant-id>";
    static String clientId = "<client-id>";
    static String responseType = "code"; // authorization code flow

    public static void getAuthorizationCode() throws IOException {

        String encoding = "UTF-8";
        String params = "client_id=" + clientId
                + "&response_type=" + responseType
                + "&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F"
                + "&response_mode=query"
                + "&resource=https%3A%2F%2Fgraph.windows.net"
                + "&state=12345";
        String path = "https://login.microsoftonline.com/" + tenantId + "/oauth2/authorize";
        byte[] data = params.getBytes(encoding);
        URL url = new URL(path);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Content-Length", String.valueOf(data.length));
        conn.setConnectTimeout(5 * 1000);
        OutputStream outStream = conn.getOutputStream();
        outStream.write(data);
        outStream.flush();
        outStream.close();
        System.out.println(conn.getResponseCode());
        System.out.println(conn.getResponseMessage());

        // Read the error stream on a non-200 status, otherwise the normal response body
        BufferedReader br = null;
        if (conn.getResponseCode() != 200) {
            br = new BufferedReader(new InputStreamReader(conn.getErrorStream()));
        } else {
            br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        }
        System.out.println("Response body : " + br.readLine());
        br.close();
    }
}

Then you can use the AuthorizationCode you obtained to get the access token and refresh token, and use the following code to refresh the token:

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

public class TokenRequest {

    // Placeholders for the tenant and app registration (not real values)
    static String tenantId = "<tenant-id>";
    static String clientId = "<client-id>";

    public static void getToken(String refreshToken) throws IOException {

        String encoding = "UTF-8";
        // refresh_token grant against the v1 token endpoint
        String params = "client_id=" + clientId + "&refresh_token=" + refreshToken
                + "&grant_type=refresh_token&resource=https%3A%2F%2Fgraph.windows.net";
        String path = "https://login.microsoftonline.com/" + tenantId + "/oauth2/token";
        byte[] data = params.getBytes(encoding);
        URL url = new URL(path);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Content-Length", String.valueOf(data.length));
        conn.setConnectTimeout(5 * 1000);
        OutputStream outStream = conn.getOutputStream();
        outStream.write(data);
        outStream.flush();
        outStream.close();
        System.out.println(conn.getResponseCode());
        System.out.println(conn.getResponseMessage());

        // Read the error stream on a non-200 status, otherwise the normal response body
        BufferedReader br = null;
        if (conn.getResponseCode() != 200) {
            br = new BufferedReader(new InputStreamReader(conn.getErrorStream()));
        } else {
            br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        }
        System.out.println("Response body : " + br.readLine());
        br.close();
    }
}

Hope it helps.