Azure AD Easy Auth expires even when users are actively using the application


Problem description


We have a Single Page App (SPA) that uses Azure Active Directory "Easy Auth", e.g., the code-less solution. This seems to work ok when users first open the application. They are redirected to the Microsoft login page and they can authenticate and then access the application.


Then, because it's an SPA, users will navigate around and only fire Ajax requests. The problems come approximately 24 hours later when the session cookie expires. Users likely still have the same browser tab open and do not perform a full page refresh. Then they may be working on a record and at some point their next Ajax PUT request fails with a Redirect HTTP status and they lose their work.


So the key question is:


How can we make SPA Ajax requests extend a current user's session so that their session will not expire when they are actively using the application?


It seems like the Azure AD Easy Auth service does not "honor" activity on the part of the user, which leads us to believe that the session cookie never gets updated.


Note: We've recently done some testing with the /.auth/refresh endpoint and this does not solve the problem either.

Recommended answer


There are several ways you can possibly solve this. Here are a few that I can think of:

  1. Use local storage: The problem you mentioned is that users lose their work due to the redirects. The problem of losing work can be solved if you persist the in-progress state in local storage so that it's available when they are redirected back to the page.
  2. Switch to using tokens: The /.auth/refresh endpoint doesn't refresh the AppServiceAuthSession when using AAD because AAD doesn't support refreshing the user information. What you can do instead is authenticate with your backend using the x-zumo-auth tokens. The /.auth/refresh endpoint will correctly refresh these tokens. If you're explicitly logging in users using /.auth/login/aad, then you can add the session_mode=token as a query string parameter. This is done for you if you use the Mobile Apps JavaScript SDK. If login is automatic, then you'll need to add session_mode=token in the additionalLoginParams setting of your auth config. You can then parse the authentication token from the #token fragment which is added to the URL after the login completes.
  3. Use hidden iframes: I haven't tried this myself, but if you can get it working it might require the least amount of code change. The idea is that you use a hidden iframe to re-login the user periodically when you detect they are active. The iframe would need to point to something like ./auth/login/aad?prompt=none&domain_hint={userdomain.com} where {userdomain.com} is the last part of the user's email address - e.g. contoso.com. These parameters get passed to the AAD login page, and the login should complete automatically without any user interaction. Test it manually a few times in a browser window to make sure it works correctly. The result should be an updated auth cookie with a fresh expiration.


Let me know in the comments if you have any questions or issues with any of these options.
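An added example (not code from the answer above or from Microsoft) of option 3: a small session keeper that builds the silent login URL from the user's email and reloads a hidden iframe with it only while the user is active. It assumes the /.auth/login/aad path named in option 2, a `window.currentUserEmail` value set by the app after login, and the 30-minute renewal and 5-minute idle thresholds; the browser wiring is separated from the decision logic so the latter can be exercised without a DOM.

```javascript
// Thresholds are assumptions for this example, not values from the page.
const RENEW_INTERVAL_MS = 30 * 60 * 1000; // renew at most every 30 minutes
const IDLE_LIMIT_MS = 5 * 60 * 1000;      // only renew if active in the last 5 minutes

// Build the silent login URL: domain_hint is the part of the email after '@',
// prompt=none asks AAD to complete the login without user interaction.
function buildSilentLoginUrl(email, basePath = '/.auth/login/aad') {
  const at = email.lastIndexOf('@');
  if (at < 0 || at === email.length - 1) throw new Error('email has no domain part');
  const domain = email.slice(at + 1).toLowerCase();
  const params = new URLSearchParams({ prompt: 'none', domain_hint: domain });
  return `${basePath}?${params.toString()}`;
}

// A renewal is due only when the user was recently active (so an idle tab
// does not keep a session alive forever) and the last renewal is old enough.
function shouldRenew({ now, lastActivity, lastRenewal }) {
  return now - lastActivity <= IDLE_LIMIT_MS && now - lastRenewal >= RENEW_INTERVAL_MS;
}

// `env` abstracts the browser (clock and hidden frame) so the logic is testable.
function createSessionKeeper(email, env) {
  let lastActivity = env.now();
  let lastRenewal = env.now();
  const touch = () => { lastActivity = env.now(); };
  // Returns true when a silent re-login was triggered on this tick.
  const tick = () => {
    if (!shouldRenew({ now: env.now(), lastActivity, lastRenewal })) return false;
    env.loadHiddenFrame(buildSilentLoginUrl(email));
    lastRenewal = env.now();
    return true;
  };
  return { touch, tick };
}

// Browser wiring; skipped when there is no DOM (for example under a test runner).
if (typeof document !== 'undefined') {
  const frame = document.createElement('iframe');
  frame.style.display = 'none';
  document.body.appendChild(frame);
  const keeper = createSessionKeeper(window.currentUserEmail, {
    now: () => Date.now(),
    loadHiddenFrame: (url) => { frame.src = url; }, // re-login sets a fresh auth cookie
  });
  ['click', 'keydown', 'mousemove'].forEach((ev) =>
    document.addEventListener(ev, keeper.touch, { passive: true }));
  setInterval(keeper.tick, 60 * 1000); // check once a minute
}
```

Verify in a browser, as the answer suggests, that the iframe load actually produces an updated AppServiceAuthSession cookie before relying on it.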
