Azure AD B2C Access token claims do not update after refreshing token

Views: 87

Question

We are using Azure AD B2C with our application. We authorize the user using the API

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?client_id=<client-id-uuid>
&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Findex.html
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2F<client-id-uuid>%2FUser.all
&response_type=code&prompt=login

Using the above we fetch the authorization_code.

This auth code is being used to authenticate the user with the application and fetch the access_token, refresh_token and id_token using

POST /{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Host: {tenant}.b2clogin.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=authorization_code&code={auth code received in previous step}
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2F<client-id-uuid>%2FUser.all
&client_id={client id}&redirect_uri=localhost%253A4200%252Flogin.html%3A

After authentication the code is used for accessing various endpoints and Azure functions. In the process we need user attributes like email, display_name, country, etc., information that the user had input while signing up. Along with default attributes we have some custom attributes like team_name which are specific to our web application use case. These attributes change over time.

For example: a person may switch team. Thus we modify that in the user attribute using Graph APIs. So in that case the attribute team_name = 'Team ABC' now changes to team_name = 'Team XYZ'.

But after the attributes are changed, the attributes do not reflect the new values in the access_token / refresh_token or id_token. Is there a way we can get the refreshed values in the tokens without re-authorizing the user?

Currently we fetch the user attributes from the Graph APIs, but it is faster and more convenient if we get refreshed values in the token.

Answer

Custom policy doesn't have a mechanism publicly documented to get new access token claims in the refresh token flow. So what you have observed is expected.
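The following is an added example, not code from the question or the answer above. It shows the practical consequence of the behaviour described: a refreshed B2C token still carries the claim values captured at sign-in, so an application that needs a current attribute must compare the token against the directory (Graph) rather than trust the token. The helper decodes JWT payloads without verifying the signature, which is fine for diffing claims but not for trusting them; it also builds the documented refresh_token grant against the same token endpoint the question uses. The claim name extension_team_name, the tenant, policy and client id values, and the two tokens are all constructed placeholders, not values from the page.

```python
"""Added example: compare B2C token claims after a refresh with the directory.

Assumptions (not from the original page): the custom attribute is emitted as
the claim ``extension_team_name``; tenant, policy, client id, refresh token and
the two sample tokens below are constructed placeholders.
"""
import base64
import json
from urllib.parse import urlencode


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying its signature.

    Good enough for inspecting or diffing claims. An application must still
    validate the signature against the policy's JWKS (and iss/aud/exp) before
    it trusts any of these values.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def build_refresh_request(tenant: str, policy: str, client_id: str,
                          refresh_token: str, scope: str):
    """URL, headers and form body for the B2C refresh_token grant.

    Same token endpoint as the authorization_code exchange in the question,
    only grant_type and the refresh_token parameter differ.
    """
    url = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
           f"{policy}/oauth2/v2.0/token")
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "scope": scope,
        "refresh_token": refresh_token,
    })
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def stale_claims(token_claims: dict, directory_values: dict) -> dict:
    """Claims whose token value disagrees with the current directory value.

    Returns {claim: (value_in_token, value_in_directory)}. A non-empty result
    means the token cannot serve as the source of truth for those attributes.
    """
    return {k: (token_claims.get(k), v)
            for k, v in directory_values.items()
            if token_claims.get(k) != v}


def _fake_token(payload: dict) -> str:
    # Constructed fixture: RS256-style header with a dummy signature so the
    # example runs offline. Never accept such a token in a real application.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.dummysig"


# Constructed stand-ins for the id_token issued at login and the id_token
# returned by the refresh grant after team_name was changed through Graph.
ID_TOKEN_AT_LOGIN = _fake_token({
    "sub": "user-placeholder", "name": "Example User",
    "country": "IN", "extension_team_name": "Team ABC",
})
ID_TOKEN_AFTER_REFRESH = _fake_token({
    "sub": "user-placeholder", "name": "Example User",
    "country": "IN", "extension_team_name": "Team ABC",  # unchanged, as observed
})
# What the directory (Graph) reports for the same user right now.
DIRECTORY_NOW = {"extension_team_name": "Team XYZ", "country": "IN"}


def refresh_keeps_claims_current() -> bool:
    """True only if the refreshed token already reflects the directory."""
    return not stale_claims(decode_jwt_claims(ID_TOKEN_AFTER_REFRESH), DIRECTORY_NOW)


if __name__ == "__main__":
    url, _, body = build_refresh_request("contoso", "B2C_1_signupsignin",
                                         "client-id-placeholder", "rt-placeholder",
                                         "openid offline_access")
    print("POST", url, "\n", body)
    print("stale:", stale_claims(decode_jwt_claims(ID_TOKEN_AFTER_REFRESH), DIRECTORY_NOW))
```

In practice the stale_claims check is what drives the decision in the question: because the refreshed token still says Team ABC while the directory says Team XYZ, the application keeps reading that attribute from Graph (or forces a fresh sign-in) instead of from the token.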
