AD B2C Mobile Client - Login only once


Question

We have requirements for a Mobile Application AD B2C client that the user should only need to log in once and the login session should never expire.

Is this possible with AD B2C? Is it desired from a security perspective?

My findings so far:

I checked the configs and the maximum refresh token lifetime is 90 days. Which means if the App is not used for 90 days, the session ends. So my understanding is, it is not secure to keep a refresh token without expiry date. Otherwise the "Keep Me Signed In" functionality could help, but that has probably also a maximum session length.

Answer

It is not possible today to achieve this due to the refresh token having at most a rolling 90 day expiration. Which means that the user needs to consume the application at least once every 90 days.

Keep Me Signed In has a maximum length of 68 years, but you would need to be using web based redirects rather than the resource owner password credential flow to take advantage of that. In such a case where the refresh token has expired, the app would redirect the user to log in again, where the cookies would give the user SSO, and not prompt for any credentials.

If you are using an embedded webview style login, then KMSI will help. If you are using API based logins (ROPC), then KMSI will not help, and you are reliant on the user using the app at least once per 90 days.
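The answer above turns on two points that are easy to misread: the 90-day refresh token lifetime is *rolling* (every successful silent refresh restarts the window, so only a 90-day gap in use ends the session), and when it does expire the client should fall back to a redirect/webview login rather than replaying stored credentials over ROPC. The following is an added example, not code from the question, the answer, or Microsoft; it models that behaviour with a simulated token endpoint so the two cases can be run side by side. The class and function names, the `rt-`/`at-` token values and the usage timestamps are all constructed for illustration.

```javascript
// Added example: models a rolling refresh-token lifetime and the client's
// silent-then-interactive fallback. The "token endpoint" here is simulated;
// this is not Azure AD B2C's or MSAL's code.

const DAY_MS = 24 * 60 * 60 * 1000;
const ROLLING_LIFETIME_DAYS = 90; // maximum refresh-token lifetime stated on the page

class InteractionRequiredError extends Error {}

class TokenCache {
  constructor({ refreshToken, issuedAt, lifetimeDays = ROLLING_LIFETIME_DAYS }) {
    this.refreshToken = refreshToken;          // constructed placeholder value
    this.lifetimeDays = lifetimeDays;
    this.expiresAt = issuedAt + lifetimeDays * DAY_MS; // absolute expiry of *this* token
  }

  // Simulated token endpoint with a rolling window: a refresh inside the window
  // succeeds and the replacement token's window starts again at `now`.
  acquireTokenSilent(now) {
    if (now >= this.expiresAt) {
      throw new InteractionRequiredError('refresh token expired; interactive login required');
    }
    this.refreshToken = `rt-${now}`;           // constructed placeholder value
    this.expiresAt = now + this.lifetimeDays * DAY_MS;
    return { accessToken: `at-${now}`, expiresAt: this.expiresAt };
  }
}

// Client policy: try silent acquisition first; only on expiry fall back to the
// redirect/webview login, where a KMSI cookie can complete SSO without a prompt.
// The client never stores the user's password to "re-login" via ROPC.
function acquireToken(cache, now, interactiveLogin) {
  try {
    return { token: cache.acquireTokenSilent(now), path: 'silent' };
  } catch (err) {
    if (!(err instanceof InteractionRequiredError)) throw err;
    const fresh = interactiveLogin(now);       // redirect-based login (hypothetical callback)
    cache.refreshToken = fresh.refreshToken;
    cache.expiresAt = now + cache.lifetimeDays * DAY_MS;
    return {
      token: { accessToken: fresh.accessToken, expiresAt: cache.expiresAt },
      path: 'interactive',
    };
  }
}

// Scenario driver: `useDays` lists the days (after the first login) on which the
// app is opened; returns which path each use took. Constructed input, not real data.
function simulateUsage(useDays, lifetimeDays = ROLLING_LIFETIME_DAYS) {
  const t0 = Date.UTC(2024, 0, 1);
  const cache = new TokenCache({ refreshToken: 'rt-initial', issuedAt: t0, lifetimeDays });
  const interactiveLogin = (now) => ({ accessToken: `at-${now}`, refreshToken: `rt-${now}` });
  return useDays.map((d) => acquireToken(cache, t0 + d * DAY_MS, interactiveLogin).path);
}

// Example run: regular use keeps the session alive past day 90 without any prompt;
// a gap longer than 90 days forces the interactive path.
console.log(simulateUsage([30, 60, 120, 300]));
```

Running it shows `['silent', 'silent', 'silent', 'interactive']`: the use on day 120 still succeeds silently because the refresh on day 60 moved the expiry to day 150, while the use on day 300 comes after a gap of 180 days and needs the redirect login. In a real app the `interactiveLogin` callback would be the library's redirect or webview flow; the decision logic, not the simulated endpoint, is the part worth copying.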
