azure mobile service active directory authentication X-ZUMO-AUTH token valid in postman after logout


Question

I have Azure Mobile Service and AD set up for authentication.

Log out and login work perfectly through the mobile app.

AD application reply URL is https://test.azure-mobile.net/signin-aad

client = new MobileServiceClient(applicationURL, applicationKey);
var authResult = await client.LoginAsync(this, MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory);
var data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); // Works
client.Logout(); // LOGOUT
data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); // Unauthorized error at mobile side; request not going to API (reuses the 'data' variable: redeclaring it with 'var' does not compile)

This works perfectly.

But if I copy the token from authResult after LOGOUT, I can use the same token to call the API from Postman.

Header: X-ZUMO-AUTH → token

How can I validate the token? Is any setting needed on the Azure Mobile Service side to validate and prevent this?

Answer

When you log out on the client, the auth token is removed from the client but nothing is communicated to the server to indicate that this token is now invalid. So if the token is stored off somewhere else and re-used, it will still be valid until it expires.

I'm not sure there's a good way to do this. You could reset the site's master key, but that invalidates all other tokens, so that's not really a viable option. You could store a list of invalid tokens on the server and check them with each request, but that adds a lookup with each request.

Here's another question with a similar answer and a couple of other links: Logout/invalidate a JWT
