Microsoft.Owin.Security.OpenIdConnect with Azure Active Directory authentication ticket lifetime


Question

I am building a multi-tenant web app that connects to Office 365 services using Microsoft.Owin.Security.OpenIdConnect, Version=3.0.0.0 and Azure Active Directory with Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.19.0.0, following this sample.

Our web app client (user agent) is authenticated to our server using an ASP.NET cookie, while the authentication between our server and the authority server (Azure AD here) is done with the OpenID Connect Authorization Code Flow.

We set a 30-day sliding expiration for the ASP.NET cookie's lifetime. However, we still get a short-lived AuthenticationTicket from the authority server, even when setting UseTokenLifetime = true, which is supposed to match the lifetimes of the two authentication mechanisms.

The problem we have is that our end users must re-log in frequently (less than an hour). The question is then: how do we increase/change the lifetime of the authentication ticket in this OWIN OpenIdConnect middleware?

REMARK: I also posted a question on the usage of refresh tokens with ADAL. From what we have understood, this problem is only related to authentication. The lifetimes of the access_token and refresh_token, which are an authorization concern managed by the ActiveDirectory client, are independent of this problem. Correct me if I am wrong.

Startup.Auth.cs

using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public const string CookieName = ".AspNet.MyName";
    public const int DayExpireCookie = 30;

    public void ConfigureAuth(IAppBuilder app)
    {
        // Successful OpenID Connect sign-ins are persisted as the cookie identity.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // Session between the browser and this server: 30-day sliding cookie.
        var cookieAuthenticationOptions = new CookieAuthenticationOptions()
        {
            CookieName = CookieName,
            ExpireTimeSpan = TimeSpan.FromDays(DayExpireCookie),
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            SlidingExpiration = true,
        };

        app.UseCookieAuthentication(cookieAuthenticationOptions);

        // Authentication between this server and Azure AD: OpenID Connect authorization code flow.
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = SettingsHelper.ClientId,
                Authority = SettingsHelper.Authority,
                ClientSecret = SettingsHelper.AppKey,
                // Copies the id_token's expiry onto the cookie ticket (see the accepted answer).
                UseTokenLifetime = true,
                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                {
                    // Multi-tenant app: tokens from any Azure AD tenant are accepted.
                    ValidateIssuer = false
                },

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                    AuthorizationCodeReceived = (context) =>
                    {
                        var code = context.Code;
                        string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
                        string signInUserId = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                        AuthenticationContext authContext = new AuthenticationContext(string.Format("{0}/{1}", SettingsHelper.AuthorizationUri, tenantID), new ADALTokenCache(signInUserId));
                        ClientCredential credential = new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey);
                        // Get the access token for AAD Graph. Doing this will also initialize the token cache associated with the authentication context.
                        // In theory, you could acquire a token for any service your application has access to here so that you can initialize the token cache.
                        Uri redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
                        AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(code, redirectUri, credential, SettingsHelper.AADGraphResourceId);
                        return Task.FromResult(0);
                    },

                    // Build absolute redirect URIs from the incoming request so they match the registered ones.
                    RedirectToIdentityProvider = (RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context) =>
                    {
                        string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
                        context.ProtocolMessage.RedirectUri = appBaseUrl + SettingsHelper.LoginRedirectRelativeUri;
                        context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl + SettingsHelper.LogoutRedirectRelativeUri;
                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = (context) =>
                    {
                        // Suppress the default error page; the request ends here.
                        context.HandleResponse();
                        return Task.FromResult(0);
                    }
                }
            });
    }
}

AccountController

using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

public class AccountController : Controller
{
    public void SignIn()
    {
        var dateTimeOffset = DateTimeOffset.UtcNow;
        // Requested ticket lifetime: just under the cookie's 30-day expiry, persistent across browser restarts.
        var authenticationProperties = new AuthenticationProperties
        {
            AllowRefresh = true,
            IssuedUtc = dateTimeOffset,
            ExpiresUtc = dateTimeOffset.AddDays(Startup.DayExpireCookie - 1),
            RedirectUri = SettingsHelper.LoginRedirectRelativeUri,
            IsPersistent = true
        };
        // Challenge the OpenID Connect middleware; the result is signed in as the cookie identity.
        HttpContext.GetOwinContext()
            .Authentication.Challenge(authenticationProperties, OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
    }

    public void SignOut()
    {
        // Sign out of both the local cookie session and Azure AD (end-session redirect).
        HttpContext.GetOwinContext().Authentication.SignOut(
            new AuthenticationProperties { RedirectUri = SettingsHelper.LogoutRedirectRelativeUri },
            OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
    }
}

Accepted answer

Actually, I needed to set UseTokenLifetime = false. Indeed, UseTokenLifetime = true changes the internal ticket in the ASP.NET cookie to the default lifetime of the access_token, which is one hour. The comments from @Tratcher were true but misled me... Yes, the access_token lifetime is controlled by Azure AD and there is nothing that I can do about it. But we implemented the refresh_token management with ADAL.NET, so there is a possibility to keep authentication/authorization with Microsoft Identity server for more than one hour. Setting UseTokenLifetime = false and using cookie authentication with a 15-day sliding expiry time between my client app and my server works like a charm now.
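To make the accepted answer concrete, here is an added example (not code from the original post, the asker, or the Microsoft sample) of what that advice looks like in an OWIN Startup class, together with the check a practitioner would want next to it. Once UseTokenLifetime = false decouples the cookie ticket from the one-hour id_token, the app session can outlive the Azure AD session: a user who is disabled in the tenant, or whose password was reset, stays signed in to the app until the sliding cookie finally expires. The cookie middleware's OnValidateIdentity hook is used below to periodically prove the user is still valid at Azure AD by silently acquiring a token through ADAL's refresh-token path (the same refresh_token management the answer mentions), and to reject the cookie when that fails. SettingsHelper, ADALTokenCache and the AAD Graph resource id come from the page's own code; the RevalidateInterval constant, the RevalidateIdentityAgainstAzureAdAsync helper and the app-local "last validated" claim name are assumptions of this example.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public const string CookieName = ".AspNet.MyName";
    public const int DayExpireCookie = 30;

    // Assumed for this example: how often a live cookie session must re-prove itself to Azure AD.
    private static readonly TimeSpan RevalidateInterval = TimeSpan.FromMinutes(30);
    // Assumed app-local claim recording the last successful re-validation (not an Azure AD claim).
    private const string LastValidatedClaim = "urn:example:last-validated-utc";
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieName = CookieName,
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            ExpireTimeSpan = TimeSpan.FromDays(DayExpireCookie),
            SlidingExpiration = true,
            CookieHttpOnly = true,                        // no script access to the session cookie
            CookieSecure = CookieSecureOption.Always,      // never sent over plain HTTP
            Provider = new CookieAuthenticationProvider { OnValidateIdentity = RevalidateIdentityAgainstAzureAdAsync }
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = SettingsHelper.ClientId,
            Authority = SettingsHelper.Authority,
            ClientSecret = SettingsHelper.AppKey,
            // The fix from the accepted answer: do not copy the id_token's one-hour expiry onto the
            // cookie ticket; the cookie options above govern the browser session instead.
            UseTokenLifetime = false,
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = false },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async context =>
                {
                    // As on the page: redeem the code so ADAL's cache holds a refresh token for this user.
                    ClaimsIdentity identity = context.AuthenticationTicket.Identity;
                    string tenantId = identity.FindFirst(TenantIdClaim).Value;
                    string signInUserId = identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                    var authContext = new AuthenticationContext(
                        string.Format("{0}/{1}", SettingsHelper.AuthorizationUri, tenantId), new ADALTokenCache(signInUserId));
                    var credential = new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey);
                    var redirectUri = new Uri(context.Request.Uri.GetLeftPart(UriPartial.Path));
                    await authContext.AcquireTokenByAuthorizationCodeAsync(
                        context.Code, redirectUri, credential, SettingsHelper.AADGraphResourceId);
                    // Stamp the ticket so OnValidateIdentity knows when Azure AD last vouched for it.
                    identity.AddClaim(new Claim(LastValidatedClaim, DateTime.UtcNow.ToString("o", CultureInfo.InvariantCulture)));
                }
            }
        });
    }

    // Runs on every authenticated request. At most once per RevalidateInterval it asks ADAL for a
    // token silently (refresh-token grant, no user interaction). A revoked refresh token or a
    // disabled account surfaces as AdalException, and the long-lived cookie is rejected.
    private static async Task RevalidateIdentityAgainstAzureAdAsync(CookieValidateIdentityContext context)
    {
        ClaimsIdentity identity = context.Identity;
        Claim stamp = identity.FindFirst(LastValidatedClaim);
        DateTime lastValidated;
        if (stamp != null
            && DateTime.TryParse(stamp.Value, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out lastValidated)
            && DateTime.UtcNow - lastValidated < RevalidateInterval)
        {
            return; // validated recently: no round trip to Azure AD on this request
        }

        try
        {
            string tenantId = identity.FindFirst(TenantIdClaim).Value;
            string objectId = identity.FindFirst(ObjectIdClaim).Value;
            string signInUserId = identity.FindFirst(ClaimTypes.NameIdentifier).Value;
            var authContext = new AuthenticationContext(
                string.Format("{0}/{1}", SettingsHelper.AuthorizationUri, tenantId), new ADALTokenCache(signInUserId));
            var credential = new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey);
            await authContext.AcquireTokenSilentAsync(SettingsHelper.AADGraphResourceId, credential,
                new UserIdentifier(objectId, UserIdentifierType.UniqueId));

            // Azure AD still honours the user: refresh the stamp and reissue the cookie so it persists.
            if (stamp != null) identity.RemoveClaim(stamp);
            identity.AddClaim(new Claim(LastValidatedClaim, DateTime.UtcNow.ToString("o", CultureInfo.InvariantCulture)));
            context.OwinContext.Authentication.SignIn(context.Properties, identity);
        }
        catch (AdalException)
        {
            // Refresh token rejected (user disabled, password reset, consent revoked): end the app session too.
            context.RejectIdentity();
            context.OwinContext.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
        }
    }
}
```

The revalidation interval is the trade-off knob: a long cookie lifetime is acceptable only if the app re-checks with the identity provider often enough that an account disabled in Azure AD is locked out of the app within that interval rather than after 30 days. Rejecting the identity alone is not enough to remove the browser's cookie, which is why the failure path also signs out of the cookie authentication type.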
