ADB2C刷新令牌挑战在Chrome Android上不起作用 [英] ADB2C refresh token challenge not working on Chrome Android
问题描述
我正在使用标准的OIDC .NET库向ADB2C发出质询请求.据我了解,这会自动尝试使用缓存中的刷新令牌登录并获得授权,而无需重新索取凭据.
这似乎绝对可以正常工作,但只能在1个浏览器上使用-Android上的Chrome.无论我如何尝试,该浏览器似乎都丢失了刷新令牌,因此大约1小时后,它开始再次要求提供凭据.我已经在Chrome web/mac,edge,IE,safari,FF上进行了交叉检查,它们的行为均符合预期,可保持恒定的登录状态.
有什么想法吗?这应该与我所了解的浏览器无关,但是也许我错过了一个窍门?
更新
即使访问受AD保护的Web应用程序,这似乎也是类似的行为.同样,Chrome无法刷新,但其他浏览器也可以.
更新
在令牌过期后尝试访问网站时,我在Fiddler中看到了这一点
Chrome
Set-Cookie:x-ms-cpim-csrf = XXX;domain = auth.mywebsite.com;路径=/;SameSite = None;安全的;HttpOnly
Edge
Set-Cookie:x-ms-cpim-sso:mytenant.onmicrosoft.com_0 = XXX;domain = auth.mywebsite.com;路径=/;SameSite = None;安全的;HttpOnly
是的,有区别,但是为什么以及如何解决?
Chrome中的SameSite cookie可能会导致该cookie无法按预期发送.以下是一些可以帮助您的提示:
-
I am using the standard OIDC .NET library to make a challenge request to ADB2C. From my understanding, this automagically attempts the sign in with the refresh token in cache and gains an authorization without re-asking for credentials.
This seems to work absolutely fine, except on 1 browser - Chrome on Android. No matter what I try, this browser seems to to lose the refresh token, so after around 1 hr, it starts asking for credentials again. I have cross checked this on Chrome web/mac, edge, IE, safari, FF and they all behave as expected to maintain a constant logged in state.
Any ideas? This should be browser independent from what I understand, but maybe I'm missing a trick?
Update
This seems to be similar behaviour even when accessing a web app protected by AD. Again, Chrome loses the refresh, but other browsers are fine.
Update
I see this in Fiddler when trying to access the site after the expired token
Chrome
Set-Cookie: x-ms-cpim-csrf=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly
Edge
Set-Cookie: x-ms-cpim-sso:mytenant.onmicrosoft.com_0=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly
So yes there is a difference, but why and how to fix?
解决方案It could be the issue with SameSite cookies in Chrome that causes he cookies to not be sent as you expect. Here's a few pointers to help you out:
- How To Prepare Your IdentityServer For Chrome's SameSite Cookie Changes - And How To Deal With Safari, Nevertheless
- Upcoming Browser Behavior Changes: What Developers Need to Know
But I think first of all you should verify if this is a SameSite issue, by using a tool like Fiddler to capture the traffic and verify that the cookies are indeed lost. Do compare in Fiddler your different browsers and see if there's some differences.
Do try to login using a incognito mode, so that you start with no cookies in the browser. Then you should see the cookies being set both by your identity provider and your application.
In Fiddler you can under the Filter tab enable the first item in the picture to flag responses that set cookies, to make it even easier to detect when cookies are set.
这篇关于ADB2C刷新令牌挑战在Chrome Android上不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
