access token / refresh token with MSAL

Question

I'm moderately familiar with OAuth2 and the concepts of the AccessToken and RefreshToken.

It looks like MSAL is doing some work for us when using ClientApplicationBase.AcquireTokenSilentAsync().

I'm not clear as to whether it will always check the expiration of the current AccessToken and automatically refresh it (using the RefreshToken) on method call.

Regardless, is there a "best practice" for how often we should call AcquireTokenSilentAsync()? Should we keep track of the expiration ourselves and call this method to update our bearer authentication header? Should we be calling AcquireTokenSilentAsync() on every request? (doubtful)

I can't see how the GraphServiceClient (tangent topic, I know) using the DelegateAuthenticationProvider will do anything helpful WRT refreshing. Do we need to extend that class and perform our own refresh when the token is nearing expiration? I feel like this would/should be already in the SDK.

Thanks for any tips. -AJ

Recommended answer

I'm not clear as to whether it will always check the expiration of the current AccessToken and automatically refresh it (using the RefreshToken) on method call.

A refresh token is automatically supplied when the offline_access scope is provided, if I understand this answer correctly

...you've requested the offline_access scope so your app receives a Refresh Token.

The description of AcquireTokenSilentAsync implies that when a refresh token is provided, it will check the expiration date on the token, and get a new one if it's expired or close to expiring.

If access token is expired or close to expiration (within 5 minute window), then refresh token (if available) is used to acquire a new access token by making a network call.

It will repeat this behavior until the refresh token is expired. Optionally you can force a refresh of the access token via the refresh token by utilizing the forceRefresh parameter on AcquireTokenSilentAsync.

Lastly, I am going to quote this answer on SO since it gives a nice insight about MSAL and tokens

Just to make a small clarification, MSAL doesn't actually issue tokens or decide a token expiration, but rather ingests an acquired token from the Azure AD STS.

MSAL will automatically refresh your access token after expiration when calling AcquireTokenSilentAsync. .... The default token expirations right now are:

Access Tokens: 1 hour

Refresh Tokens: 90 days, 14 day inactive sliding window

(Jun 13 '17)

Regardless, is there a "best practice" for how often we should call AcquireTokenSilentAsync()? Should we keep track of the expiration ourselves and call this method to update our bearer authentication header? Should we be calling AcquireTokenSilentAsync() on every request?

The documentation also lists a 'Recommended call pattern' for calling AcquireTokenSilentAsync. The documentation also mentions that

For both Public client and confidential client applications, MSAL.NET maintains a token cache (or two caches in the case of confidential client applications), and applications should try to get a token from the cache first before any other means.

Based on examples I've seen, including the recommended call pattern from the documentation, I would argue you could simply call AcquireTokenSilentAsync and catch the MsalUiRequiredException as an indication that the token has expired and the user has to log in again.

I can't see how the GraphServiceClient (tangent topic, I know) using the DelegateAuthenticationProvider will do anything helpful WRT refreshing. Do we need to extend that class and perform our own refresh when the token is nearing expiration? I feel like this would/should be already in the SDK.

If I understand the DelegateAuthenticationProvider correctly, what it does is modify the requestMessage before we pass it to Graph. All we got to do is provide our access token with an authorization header for the request. We already know that when we fetch our access token, it is valid, so we can just add it.

        new DelegateAuthenticationProvider(async (requestMessage) =>
        {
            ConfidentialClientApplication cca = new ConfidentialClientApplication(_ClientId, _Authority, _RedirectUri, new ClientCredential(_ClientSecret), _UserTokenSessionCache.GetTokenCache(identifier, httpContext), _ApplicationTokenCache.GetTokenCache());
            // AcquireTokenSilentAsync takes the requested scopes and the cached account (MSAL.NET 2.x signature).
            // _Scopes is assumed to hold the Graph scopes (e.g. "User.Read"); the account comes from the per-user
            // token cache keyed by `identifier`, so FirstOrDefault (System.Linq) picks that user's entry.
            IAccount account = (await cca.GetAccountsAsync()).FirstOrDefault();
            AuthenticationResult result = await cca.AcquireTokenSilentAsync(_Scopes, account);
            // Either form sets the same bearer header; use one of them, not both.
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
            // OR: requestMessage.Headers.Add("Authorization", result.CreateAuthorizationHeader());
        });

I've been down this path and this does the trick for me. I highly advise reading their documentation, because it does give a good insight in how to implement MSAL.Net.

I haven't had time yet to play around with the token durations yet. Nor the behavior if no refresh token is provided (if that's even possible)

I hope this helps!
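The answer above describes the recommended call pattern (cache first via AcquireTokenSilentAsync, MsalUiRequiredException as the only "sign in again" signal, forceRefresh when you need to bypass the cached access token) and the DelegateAuthenticationProvider wiring for GraphServiceClient. The following is an added example that puts both pieces together; it is not code from the answer or from MSAL/Graph, and it is written against the MSAL.NET 2.x API (ConfidentialClientApplication, IAccount, GetAccountsAsync, the AcquireTokenSilentAsync overloads) plus the Microsoft.Graph SDK. The class name CachedGraphClientFactory, the homeAccountId parameter and the caller-supplied scopes are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

// Hypothetical helper (not part of MSAL or the Graph SDK) that wires the recommended
// call pattern into a GraphServiceClient: every Graph request asks MSAL for a token,
// MSAL serves it from its cache (or uses the refresh token inside the 5-minute expiry
// window), and MsalUiRequiredException is the only signal that the user must sign in again.
public class CachedGraphClientFactory
{
    private readonly ConfidentialClientApplication _cca;
    private readonly IEnumerable<string> _scopes;   // e.g. new[] { "User.Read" }, supplied by the caller

    public CachedGraphClientFactory(ConfidentialClientApplication cca, IEnumerable<string> scopes)
    {
        _cca = cca;
        _scopes = scopes;
    }

    // Cache/refresh-token path first; interactive sign-in only when MSAL says so.
    // forceRefresh uses the MSAL.NET 2.x overload that bypasses the cached access token
    // and goes straight to the refresh token (useful after Graph rejects a token early).
    public async Task<AuthenticationResult> GetTokenAsync(string homeAccountId, bool forceRefresh = false)
    {
        IEnumerable<IAccount> accounts = await _cca.GetAccountsAsync();
        IAccount account = accounts.FirstOrDefault(a => a.HomeAccountId.Identifier == homeAccountId);
        if (account == null)
        {
            // Nothing cached for this user: handle it exactly like an expired refresh token.
            throw new MsalUiRequiredException("no_cached_account", "User must sign in again.");
        }

        try
        {
            return forceRefresh
                ? await _cca.AcquireTokenSilentAsync(_scopes, account, _cca.Authority, true)
                : await _cca.AcquireTokenSilentAsync(_scopes, account);
        }
        catch (MsalUiRequiredException ex)
        {
            // Refresh token expired (90 days, or the 14-day inactivity window), revoked,
            // or consent/conditional-access requirements changed. Record the error code so
            // unexpected spikes are visible in monitoring, then let the web layer start a new sign-in.
            Console.Error.WriteLine($"Silent token acquisition failed for account {homeAccountId}: {ex.ErrorCode}");
            throw;
        }
    }

    public GraphServiceClient CreateClient(string homeAccountId)
    {
        return new GraphServiceClient(new DelegateAuthenticationProvider(async requestMessage =>
        {
            // Runs once per outgoing Graph request. That is cheap: MSAL returns the cached
            // access token unless it is within 5 minutes of expiry, so the application never
            // has to track expiration itself or copy the token into its own session state.
            AuthenticationResult result = await GetTokenAsync(homeAccountId);
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        }));
    }
}
```

Usage: construct the ConfidentialClientApplication with the user and app token caches as in the answer's snippet, then call `CreateClient(homeAccountId)` once per signed-in user and reuse the resulting GraphServiceClient; catch MsalUiRequiredException at the controller level and redirect to the sign-in flow. In MSAL.NET 4.x the same calls become `AcquireTokenSilent(scopes, account).ExecuteAsync()` and `.WithForceRefresh(true)`, but the pattern is unchanged.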
