Azure ADAL Refresh id_token


Question

We are developing a multi-tenant web application. Our tenants will be using Windows Azure Active Directory for authentication. We are using OWIN OpenIdConnect middleware to authenticate users. The response we receive after the authentication process has an id_token and an authorization code.

We also want to get the refresh token so that we can acquire new tokens once the id_token expires. Therefore, in the AuthorizationCodeReceived handler we use the AcquireTokenByAuthorizationCode method in the ADAL library to acquire the refresh token. The response contains id_token, access_token and refresh_token.

We then subsequently use the refresh_token to get a new id_token; however, the response contains only a renewed access_token but not a renewed id_token. Is it possible to refresh the id_token, or can we only refresh the access_token? The code snippet for the AuthorizationCodeReceived handler is shown below.

// OWIN OpenIdConnect notification: fires after the middleware has validated the id_token
// and received the authorization code from the sign-in response.
AuthorizationCodeReceived = (context) =>
{
    string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + "/";
    var code = context.Code;
    string clientSecret = ConfigurationManager.AppSettings["ida:Password"];
    ClientCredential credential = new ClientCredential(clientId, clientSecret);
    // Tenant and user identifiers come from the already-validated id_token claims.
    string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
    string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
    // ADAL AuthenticationContext for the signed-in tenant; the second argument is the TokenCache (null = no caching).
    AuthenticationContext authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantID), null);
    // Redeem the authorization code (ADAL 2.x synchronous API); the result carries AccessToken, RefreshToken and IdToken.
    AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                code, new Uri(appBaseUrl), credential, "https://graph.windows.net");

    // Redeeming the refresh token yields a renewed access_token; as observed in the question, the id_token is not renewed here.
    AuthenticationResult refreshTokenResult = authContext.AcquireTokenByRefreshToken(result.RefreshToken, credential);

    return Task.FromResult(0);
},

Answer

In general you cannot use a refresh_token to renew an id_token, because an id_token represents user authentication, information that cannot be refreshed without the user present. The way to refresh an id_token is described in the Session Management draft of OpenID Connect (http://openid.net/specs/openid-connect-session-1_0.html), i.e. by sending the user (agent) off to the authorization endpoint again with an authentication request that may include "prompt=none" if you want no user interaction but just a check with the OP for an existing SSO session.

The Session Management capability as described in the draft spec is supported by Azure AD. If you want to synchronize the OP session with your application session, that is the way to go. OTOH, you may choose to have an application session that is independent of the OP session, using its own session timeout and duration, in which case there's no reason to refresh the id_token. The id_token is then only used to bootstrap the application session, which then lives on its own.
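The silent re-authentication the answer describes, as an added example that is not part of the original question or answer: the relying party sends the browser back to the authorization endpoint with prompt=none and a fresh state/nonce, then either validates the returned id_token or falls back to an interactive sign-in when the OP answers with an error such as login_required. The endpoint layout (login.windows.net/{tenant}/oauth2/authorize, matching the authority in the question), response_mode=form_post, and the HS256-signed sample token are assumptions made so the demo runs offline; real Azure AD id_tokens are RS256-signed and must be verified against the tenant's published signing keys, which the OWIN OpenIdConnect middleware does for you.

```python
"""Silent id_token renewal via an OpenID Connect prompt=none request.

Constructed example, not code from the original question or answer. It models
the protocol the answer describes: send the browser back to the authorization
endpoint with prompt=none, then accept either a fresh id_token (the OP still
has an SSO session) or an error such as login_required (interactive sign-in
needed). Assumed: the v1 endpoint layout from the question, response_mode=
form_post, and an HS256-signed sample token so the demo verifies offline.
Real Azure AD id_tokens are RS256-signed and must be verified against the
tenant's published signing keys (the OWIN OpenIdConnect middleware does that).
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.windows.net/{tenant}/oauth2/authorize"
CLOCK_SKEW_SECONDS = 300
# Errors an OP returns to a prompt=none request it cannot satisfy without UI.
INTERACTION_ERRORS = {"login_required", "interaction_required", "consent_required"}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_silent_auth_request(tenant, client_id, redirect_uri):
    """Return the prompt=none authorization URL and the state/nonce to keep server-side."""
    pending = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": pending["state"],
        "nonce": pending["nonce"],
        "prompt": "none",  # no UI allowed: the OP answers with a token or an error
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params), pending


def make_sample_id_token(claims, key):
    """Constructed fixture: an HS256 JWT standing in for the OP's RS256 id_token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token, key, issuer, client_id, nonce, now):
    """Check signature, issuer, audience, nonce and lifetime; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept alg=none
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if claims.get("nonce") != nonce:  # binds the token to the request this app sent
        raise ValueError("nonce mismatch (replayed or foreign token)")
    if claims.get("exp", 0) <= now - CLOCK_SKEW_SECONDS:
        raise ValueError("id_token expired")
    return claims


def handle_silent_response(form, pending, key, issuer, client_id, now):
    """Process the form_post body the browser delivers back to redirect_uri."""
    if form.get("state") != pending["state"]:
        raise ValueError("state mismatch (possible CSRF)")
    if "error" in form:
        # The OP has no usable SSO session: the app must fall back to an interactive sign-in.
        return {"renewed": False, "error": form["error"],
                "needs_interaction": form["error"] in INTERACTION_ERRORS}
    claims = verify_id_token(form["id_token"], key, issuer, client_id, pending["nonce"], now)
    return {"renewed": True, "sub": claims["sub"], "expires_at": claims["exp"]}
```

The state and nonce are generated per request and stored server-side; state is checked before anything else so a forged or replayed callback is rejected without even parsing the token, and the nonce check ties the returned id_token to this app's own request rather than to a token captured elsewhere. When the result is `needs_interaction`, the application should start a normal (non-silent) sign-in instead of retrying prompt=none.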
