Azure AD Authentication Breaking HTTP Post Actions When Session Times Out


Problem description


I recently changed from windows authentication to Azure AD using roughly the "out of the box" code;

    using System;
    using System.Configuration;
    using System.Security.Claims;
    using System.Web;
    using Kentor.OwinCookieSaver;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        // Settings read from Web.config; the key names are assumed from the Azure AD sample template.
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
        private static string tenant = ConfigurationManager.AppSettings["ida:TenantId"];
        private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
        private static string graphResourceId = ConfigurationManager.AppSettings["ida:GraphResourceId"];
        private static string Authority = "https://login.microsoftonline.com/" + tenant;

        public void ConfigureAuth(IAppBuilder app)
        {
            // Sign the user in with the cookie middleware after OpenID Connect completes.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseKentorOwinCookieSaver();
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = Authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,

                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                        AuthorizationCodeReceived = (context) =>
                        {
                            var code = context.Code;
                            ClientCredential credential = new ClientCredential(clientId, appKey);
                            string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                            // The per-user cache from the sample is commented out, so tokens are only held in the default in-memory cache.
                            //AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
                            AuthenticationContext authContext = new AuthenticationContext(Authority);
                            return authContext.AcquireTokenByAuthorizationCodeAsync(
                               code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
                        }
                    }
                });
        }
    }


Our users have started to get intermittent 404 errors when trying to submit certain forms. I think I have managed to recreate the issue by deleting cookies, so I suspect it's tied to when the session naturally times out.


If I look at the flow with an HTTP GET request it looks like;

  • HTTP GET https://myappurl/page?param1=value&param2=value
  • HTTP 302 response with redirect to https://login.microsoftonline.com (including various params; state, client_id etc)
  • HTTP 200 response (not quite sure how/why it then knows to redirect)
  • HTTP GET https://myappurl/
  • HTTP 302 response with redirect to original URL https://myappurl/page?param1=value&param2=value
  • HTTP GET https://myappurl/page?param1=value&param2=value
  • HTTP 200 response

Everything works fine...


For an HTTP POST, however;

  • HTTP POST to https://myappurl/another_page
  • HTTP 302 response with redirect to https://login.microsoftonline.com (including various params; state, client_id etc)
  • HTTP 200 response (not quite sure how/why it then knows to redirect)
  • HTTP GET https://myappurl/
  • HTTP 302 response with redirect to original URL https://myappurl/another_page
  • HTTP GET https://myappurl/another_page
  • HTTP 404 response


Fails because the endpoint only accepts HTTP POST requests.


Any idea if/how I can fix this? I would have thought the built in state tracking or whatever it is doing would store the original request and continue where it left off regardless...

Answer


It looks like you are not using the token cache. What this means is that a user's session will expire after about an hour after they sign into the application.


To address this issue you should use AcquireTokenSilentAsync whenever the application needs an access token. This method will automatically refresh the token for you using its in-memory cache. For more details see https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/AcquireTokenSilentAsync-using-a-cached-token
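An added example of what the answer describes (not code from the question, the ADAL wiki, or the sample project): a per-user ADAL TokenCache that keeps the refresh token across requests, and a helper that calls AcquireTokenSilentAsync and returns null when silent refresh is no longer possible, so the caller can issue a fresh OpenID Connect challenge instead of hitting a 404. Authority, ClientId, AppKey and GraphResourceId are placeholders to be filled from configuration, and the process-local dictionary is an assumption that would be replaced by persistent storage in a multi-instance deployment.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Per-user token cache. Assumption: a process-local dictionary is enough for
// a single instance; a web farm would persist the serialized blob instead.
public class PerUserTokenCache : TokenCache
{
    private static readonly ConcurrentDictionary<string, byte[]> Store =
        new ConcurrentDictionary<string, byte[]>();
    private readonly string _userId;

    public PerUserTokenCache(string userId)
    {
        _userId = userId;
        // Load this user's entries before ADAL reads the cache.
        BeforeAccess = args => { byte[] blob; if (Store.TryGetValue(_userId, out blob)) Deserialize(blob); };
        // Persist only when ADAL actually changed something (e.g. a refreshed token).
        AfterAccess = args => { if (HasStateChanged) { Store[_userId] = Serialize(); HasStateChanged = false; } };
    }

    public static void Clear(string userId) { byte[] removed; Store.TryRemove(userId, out removed); }
}

public static class TokenProvider
{
    // Placeholders: fill these from configuration, as the question's Startup does.
    private const string Authority = "https://login.microsoftonline.com/<tenant-id-placeholder>";
    private const string ClientId = "<client-id-placeholder>";
    private const string AppKey = "<client-secret-placeholder>";
    private const string GraphResourceId = "<resource-id-placeholder>";

    // Returns a valid access token, refreshing silently from the cached refresh token
    // when the access token has expired; returns null when the user must sign in again.
    // signedInUserId must be the same identifier the cache was populated with in
    // AuthorizationCodeReceived (use new AuthenticationContext(Authority, new PerUserTokenCache(id)) there).
    public static async Task<string> GetAccessTokenAsync(string signedInUserId)
    {
        var authContext = new AuthenticationContext(Authority, new PerUserTokenCache(signedInUserId));
        try
        {
            AuthenticationResult result = await authContext.AcquireTokenSilentAsync(
                GraphResourceId, new ClientCredential(ClientId, AppKey),
                new UserIdentifier(signedInUserId, UserIdentifierType.UniqueId));
            return result.AccessToken;
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // No usable refresh token (expired, revoked, or never cached): drop stale state
            // and let the caller challenge; do not silently continue with a 404.
            PerUserTokenCache.Clear(signedInUserId);
            return null;
        }
    }
}
```

A null return is the signal to call HttpContext.GetOwinContext().Authentication.Challenge(...) with the OpenID Connect authentication type rather than continuing the request.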
