在LogOut上使Azure AD承载令牌无效 [英] Invalidating Azure AD Bearer Token on LogOut
问题描述
应用程序实现细节 - 我的应用程序结构如下:
Application Implementation Details - My application is structured as follows:
-
在Azure Web App上托管的MVC Web应用程序。 -
Angular JS用于与Web应用程序集成的客户端。 -
服务托管在Azure Service Fabric Cluster上。 -
使用Azure AD进行身份验证。
服务Fabric API从角度js文件中命中如下 -
Service Fabric APIs are hit from angular js files as follows -
-
从Azure AD进行身份验证后,将收到承载访问令牌。 -
此标记作为AJES请求中的授权标头从js添加。 -
从API中的标头中检索令牌并进行验证。
由于上述实现,可以从浏览器中的开发人员工具中检索承载访问令牌。使用此令牌,可以从Postman等工具对API进行未经授权的请求。此令牌的有效期为60分钟。
Due to the above implementation, the bearer access token is retrievable from the developer tool in browsers. And using this token, unauthorized requests can be made to the APIs from tools like Postman etc. The default expiry of this token is 60 mins.
问题陈述 - 我需要在用户退出应用程序后使令牌无效。
这是为了防止未经授权访问API。
Problem Statement - I need to invalidate the token once the user logs out of the application. This is to prevent unauthorized access to the APIs.
问题 - 需要输入如何使此令牌无效或过期?还是有其他
方法可用于解决此问题?
Question - Need input on how to invalidate or expire this token? Or is there any other approach which can be used to solve this problem?
推荐答案
遗憾的是我们目前没有可用的特定撤销API。但是,您可以根据您的要求设置访问令牌生存期。请参阅此文档 -
Azure Active Directory v2.0令牌引用。
您还可以向上投票
Azure反馈 关于使JWT令牌失效。这将允许产品团队进一步优先考虑并纳入他们的计划。
Unfortunately we don't have a specific revocation API available currently. However, you can set access token lifetime based on your requirement. Please refer to this document for the same - Azure Active Directory v2.0 tokens reference.
You can also up-vote Azure Feedback regarding Invalidate JWT Token. This will allow the product team to further prioritize it and include into their plans.
这篇关于在LogOut上使Azure AD承载令牌无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
