Revoking the signin session for Azure AD B2c users is not working for Native applications


Problem description


I have a solution which has mobile (Android & iOS) and web UIs (SPA); both talk to common APIs. We are using AD B2C for authenticating the users. We have a business need where system administrators delete the users. We are using the Graph API to delete the users in the backend services. This is being done in two steps.

    1) Revoke the sign-in session to kill the active sessions. Document: https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http

    2) Delete the user account from B2C using the Graph API.


Once the lifetime of the access token has expired, the deleted user is getting signed out from the web UI (SPA), but not from the mobile application.


For the mobile application we are using MSAL Android 0.2.2 and for the SPA we are using MSAL Angular 0.1.4. I also tried configuring a single application and two different applications in AD B2C for the mobile and web application.


Am I missing anything for the mobile application? How can I revoke the session from the mobile apps as well?

Recommended answer


In order to invalidate a user token you need to do the following:


  1. Call the 'invalidate refresh token' custom action on the user. The call to this endpoint updates the "refreshTokensValidFromDateTime" property to dateTimeNow (UTC).


  2. Update your custom policies to look at this field when the refresh token is used to get a new access/id token.


These changes check whether the "refreshTokensValidFromDateTime" is newer than the refresh token's issued time. If it is, then it means that the old refresh token has been invalidated.


To invalidate a refresh token for a user you need to call this endpoint in Graph: https://graph.windows.net/contoso.onmicrosoft.com/users/3ff8bee2-d1dc-445a-bca1-64101d478f43/invalidateAllRefreshTokens?api-version=1.6


Clock Skew
There is a clock skew to account for the potential difference in observed time between the server that created the refresh token (the Azure AD B2C service) and the server that stamps the refreshTokenValidFromDateTime value on the user object (the Graph service). It is currently set to 300000 milliseconds (or 5 minutes).


To account for clock skew you can update the ClaimsTransformation AssertRefreshTokenIssuedLaterThanValidFromDate with this value:

<InputParameter Id="TreatAsEqualIfWithinMillseconds" DataType="int" Value="10000" />


Refresh token invalidation can be called ad hoc by the app, or you can write an API in your password reset journey that calls Graph, or call it on demand when required. The user that goes through the password reset journey in that case will see their session being ended, and the user will be prompted on all other devices.

Changes required


For custom policies, the following Technical Profile (TP), Claims Transformation (CT), and Claims Provider (CP) need to be added in order for the policy to check whether the refresh token was invalidated.

      <ClaimsTransformation Id="AssertRefreshTokenIssuedLaterThanValidFromDate" TransformationMethod="AssertDateTimeIsGreaterThan">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" TransformationClaimType="leftOperand" />
          <InputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" TransformationClaimType="rightOperand" />
        </InputClaims>
        <InputParameters>
          <InputParameter Id="AssertIfEqualTo" DataType="boolean" Value="false" />
          <InputParameter Id="AssertIfRightOperandIsNotPresent" DataType="boolean" Value="true" />
          <InputParameter Id="TreatAsEqualIfWithinMillseconds" DataType="int" Value="10000" />
        </InputParameters>
      </ClaimsTransformation>

...

    <ClaimsProvider>
      <DisplayName>Token Issuer</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="JwtIssuer">
          <DisplayName>JWT Issuer</DisplayName>
          <Protocol Name="None" />
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <Metadata>
            <Item Key="client_id">{service:te}</Item>
            <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
            <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
            <Item Key="RefreshTokenUserJourneyId">RedeemRefreshTokenV1</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
            <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
          </CryptographicKeys>
          <InputClaims />
          <OutputClaims />
        </TechnicalProfile>

...

        <TechnicalProfile Id="TpEngine_RefreshTokenReadAndSetup">
          <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>
          <Protocol Name="None" />
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>

...

        <TechnicalProfile Id="AAD-UserReadUsingObjectId-CheckRefreshTokenDate">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="AssertRefreshTokenIssuedLaterThanValidFromDate" />
          </OutputClaimsTransformations>
          <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
        </TechnicalProfile>

...

    <UserJourney Id="RedeemRefreshTokenV1">
      <AssuranceLevel>LOA1</AssuranceLevel>
      <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="RefreshTokenSetupExchange" TechnicalProfileReferenceId="TpEngine_RefreshTokenReadAndSetup" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="CheckRefreshTokenDateFromAadExchange" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId-CheckRefreshTokenDate" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
    </UserJourney>


This journey will get called when using the refresh token, and actually checks for the refreshTokenLastValidFrom timestamp that was updated in the Graph API call.
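The decision the answer's policy makes in orchestration step 2 is easier to reason about as plain code. The block below is an added illustration, not code from the answer, from Azure AD B2C or from MSAL: it models the AssertDateTimeIsGreaterThan claims transformation with the three input parameters shown above (AssertIfEqualTo=false, AssertIfRightOperandIsNotPresent=true, TreatAsEqualIfWithinMillseconds=10000, keeping the product's own spelling), and runs a constructed scenario in which an administrator stamps refreshTokensValidFromDateTime at 12:00:00Z. All function names and timestamps are assumptions made for the example. It also shows the caveat a defender should note: a refresh token issued inside the skew window just before the stamp is treated as equal and still accepted, and nothing here touches an access token the mobile app already holds, which is why that token keeps working until it expires.

```python
"""Model of the AssertDateTimeIsGreaterThan check used by the answer's
AssertRefreshTokenIssuedLaterThanValidFromDate claims transformation.
Added example with constructed names and timestamps; not B2C's own code."""
from datetime import datetime, timezone
from typing import Dict, Optional


class RefreshTokenInvalidated(Exception):
    """Raised when the assertion fails; B2C would fail the refresh journey."""


def _parse(ts: str) -> datetime:
    # B2C dateTime claims are strings; accept the usual ISO-8601 'Z' suffix.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def assert_datetime_is_greater_than(
    left_operand: str,
    right_operand: Optional[str],
    assert_if_equal_to: bool = False,
    assert_if_right_operand_is_not_present: bool = True,
    treat_as_equal_if_within_ms: int = 10000,
) -> bool:
    """Return True when the assertion passes, raise RefreshTokenInvalidated otherwise.

    leftOperand  = refreshTokenIssuedOnDateTime (from the refresh token itself)
    rightOperand = refreshTokensValidFromDateTime (read from the user object)
    The keyword defaults mirror the InputParameters in the page's policy XML.
    """
    if right_operand is None:
        # The user was never revoked, so no value has been stamped yet.
        if assert_if_right_operand_is_not_present:
            return True
        raise RefreshTokenInvalidated("rightOperand missing")

    delta_ms = (_parse(left_operand) - _parse(right_operand)).total_seconds() * 1000.0
    if abs(delta_ms) <= treat_as_equal_if_within_ms:
        # Inside the clock-skew window the two times are treated as equal.
        if assert_if_equal_to:
            raise RefreshTokenInvalidated("operands equal within skew window")
        return True
    if delta_ms > 0:
        return True  # token issued after the revocation stamp: still valid
    raise RefreshTokenInvalidated("refresh token issued before refreshTokensValidFromDateTime")


def redeem_refresh_token(refresh_token_issued_on: str, refresh_tokens_valid_from: Optional[str]) -> str:
    """Simulate step 2 of RedeemRefreshTokenV1. Returns 'issued' when step 3
    (JwtIssuer) would mint new tokens and 'rejected' when the journey fails."""
    try:
        assert_datetime_is_greater_than(refresh_token_issued_on, refresh_tokens_valid_from)
    except RefreshTokenInvalidated:
        return "rejected"
    return "issued"


def simulate_revocation() -> Dict[str, str]:
    """Constructed scenario: the Graph call stamps refreshTokensValidFromDateTime
    at 12:00:00Z. Only the next refresh-token redemption is affected; an access
    token the app already holds is not inspected by this journey at all."""
    valid_from = "2020-01-01T12:00:00Z"  # constructed stamp from the Graph call
    return {
        "issued_before_revocation": redeem_refresh_token("2020-01-01T11:50:00Z", valid_from),
        "issued_within_skew_window": redeem_refresh_token("2020-01-01T11:59:55Z", valid_from),
        "issued_after_revocation": redeem_refresh_token("2020-01-01T12:01:00Z", valid_from),
        "user_never_revoked": redeem_refresh_token("2020-01-01T11:50:00Z", None),
    }


if __name__ == "__main__":
    for case, outcome in simulate_revocation().items():
        print(f"{case}: {outcome}")
```

The "issued_within_skew_window" case is the one to keep in mind when choosing the TreatAsEqualIfWithinMillseconds value: a smaller window tightens revocation but also increases the chance that a legitimately issued token is rejected when the B2C and Graph clocks disagree.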
