Revoking the sign-in session for Azure AD B2C users is not working for native applications


Problem description

I have a solution which has mobile (Android & iOS) and web UIs (SPA); both talk to common APIs. We are using AD B2C for authenticating the users. We have a business need where system administrators delete users. We are using the Graph API to delete the users in the backend services. This is being done in two steps.

    1) Revoke the sign-in session to kill the active sessions. Document: https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http

    2) Delete the user account from B2C using the Graph API.

Once the lifetime of the access token has expired, the deleted user gets signed out from the web UI (SPA), but not from the mobile application.

For the mobile application we are using MSAL Android 0.2.2 and for the SPA we are using MSAL Angular 0.1.4. We also tried configuring a single application and two different applications in AD B2C for the mobile and web application.

Am I missing anything for the mobile application? How can the session be revoked from the mobile apps as well?

Recommended answer

In order to invalidate a user token you need to do these things:

  1. Call the 'invalidate refresh token' custom action on the user. The call to this endpoint updates the "refreshTokensValidFromDateTime" property to dateTimeNow (UTC).

  2. Update your custom policies to look at this field when the refresh token is used to get a new access/ID token.

These changes check whether "refreshTokensValidFromDateTime" is newer than the refresh token's issued time. If it is, it means that the old refresh token has been invalidated.

To invalidate the refresh tokens for a user you need to call this endpoint in Graph: https://graph.windows.net/contoso.onmicrosoft.com/users/3ff8bee2-d1dc-445a-bca1-64101d478f43/invalidateAllRefreshTokens?api-version=1.6

Clock Skew
There is a clock skew to account for the potential difference in observed time between the server that created the refresh token (the Azure AD B2C service) and the server that stamps the refreshTokenValidFromDateTime value on the user object (the Graph service). It is currently set to 300000 milliseconds (or 5 minutes).

To account for clock skew you can update the ClaimsTransformation AssertRefreshTokenIssuedLaterThanValidFromDate with this value:

<InputParameter Id="TreatAsEqualIfWithinMillseconds" DataType="int" Value="10000" />

Refresh token invalidation can be called ad hoc by the app, or you can write an API in your password reset journey that calls Graph, or call it on demand when required. A user that goes through the password reset journey in that case will see their session being ended, and the user will be prompted on all other devices.

Changes needed

For custom policies the following Technical Profile (TP), Claims Transformation (CT), and Claims Provider (CP) need to be added in order for the policy to check whether the refresh token was invalidated.

      <ClaimsTransformation Id="AssertRefreshTokenIssuedLaterThanValidFromDate" TransformationMethod="AssertDateTimeIsGreaterThan">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" TransformationClaimType="leftOperand" />
          <InputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" TransformationClaimType="rightOperand" />
        </InputClaims>
        <InputParameters>
          <InputParameter Id="AssertIfEqualTo" DataType="boolean" Value="false" />
          <InputParameter Id="AssertIfRightOperandIsNotPresent" DataType="boolean" Value="true" />
          <InputParameter Id="TreatAsEqualIfWithinMillseconds" DataType="int" Value="10000" />
        </InputParameters>
      </ClaimsTransformation>

...

    <ClaimsProvider>
      <DisplayName>Token Issuer</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="JwtIssuer">
          <DisplayName>JWT Issuer</DisplayName>
          <Protocol Name="None" />
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <Metadata>
            <Item Key="client_id">{service:te}</Item>
            <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
            <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
            <Item Key="RefreshTokenUserJourneyId">RedeemRefreshTokenV1</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
            <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
          </CryptographicKeys>
          <InputClaims />
          <OutputClaims />
        </TechnicalProfile>

...

        <TechnicalProfile Id="TpEngine_RefreshTokenReadAndSetup">
          <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>
          <Protocol Name="None" />
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>

...

        <TechnicalProfile Id="AAD-UserReadUsingObjectId-CheckRefreshTokenDate">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="AssertRefreshTokenIssuedLaterThanValidFromDate" />
          </OutputClaimsTransformations>
          <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
        </TechnicalProfile>

...

    <UserJourney Id="RedeemRefreshTokenV1">
      <AssuranceLevel>LOA1</AssuranceLevel>
      <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="RefreshTokenSetupExchange" TechnicalProfileReferenceId="TpEngine_RefreshTokenReadAndSetup" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="CheckRefreshTokenDateFromAadExchange" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId-CheckRefreshTokenDate" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
    </UserJourney>

This journey will get called when using the refresh token, and actually checks for the refreshTokenLastValidFrom timestamp that was updated in the Graph API call.
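The following is an added example, not part of the answer above and not Microsoft's engine code: a small Python model of what step 2 of the RedeemRefreshTokenV1 journey decides, using the three parameters of AssertRefreshTokenIssuedLaterThanValidFromDate, plus a helper that builds the legacy Graph invalidation URL quoted in the answer. It assumes that two timestamps within TreatAsEqualIfWithinMillseconds of each other count as "equal" (so a 5-minute window also rejects tokens minted shortly after the invalidation, which is why the answer lowers it to 10000 ms); the tenant and object id are caller-supplied placeholders.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model (not the B2C policy engine) of the answer's
# AssertRefreshTokenIssuedLaterThanValidFromDate claims transformation:
#   leftOperand  = refreshTokenIssuedOnDateTime   (carried by the refresh token)
#   rightOperand = refreshTokensValidFromDateTime (stamped on the user by Graph)
# Assumption: a difference within TreatAsEqualIfWithinMillseconds is "equal",
# and equal only passes when AssertIfEqualTo is true.


def parse_graph_datetime(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as Graph's '2019-06-01T12:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def refresh_token_accepted(
    issued_on: str,
    valid_from: Optional[str],
    *,
    assert_if_equal_to: bool = False,
    assert_if_right_operand_missing: bool = True,
    treat_as_equal_within_ms: int = 10000,
) -> bool:
    """True when the refresh journey may mint new tokens; False when the
    assertion fails and the (invalidated) refresh token is rejected."""
    if valid_from is None:
        # invalidateAllRefreshTokens was never called: no right operand on the user
        return assert_if_right_operand_missing
    delta_ms = (parse_graph_datetime(issued_on)
                - parse_graph_datetime(valid_from)) / timedelta(milliseconds=1)
    if abs(delta_ms) <= treat_as_equal_within_ms:
        return assert_if_equal_to  # treated as equal: clock-skew window
    return delta_ms > 0  # token must have been issued after the valid-from stamp


def invalidate_url(tenant: str, object_id: str) -> str:
    """Legacy Graph endpoint from the answer; tenant and object id are placeholders."""
    return (f"https://graph.windows.net/{tenant}/users/{object_id}"
            "/invalidateAllRefreshTokens?api-version=1.6")


if __name__ == "__main__":
    # Constructed timeline: an admin invalidates the user's refresh tokens at 12:00:00Z.
    valid_from = "2019-06-01T12:00:00Z"
    for issued, skew in [("2019-06-01T11:30:00Z", 300000),   # old token: rejected
                         ("2019-06-01T12:03:00Z", 300000),   # fresh token inside 5 min window: rejected
                         ("2019-06-01T12:03:00Z", 10000),    # same token with 10 s window: accepted
                         ("2019-06-01T12:06:00Z", 300000)]:  # fresh token past the window: accepted
        print(issued, skew, refresh_token_accepted(issued, valid_from, treat_as_equal_within_ms=skew))
```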
