Can Azure AD ADAL (ios) refresh token be revoked from the client?


Question

I am trying to use ADALiOS in an iOS app. I also want to have a logout button so that, if needed, the user can elect to logout from the app. The best way, I think, would be to revoke the refresh token (the access token is short-lived and can't be revoked), which ideally should also revoke the token and do clean up on the server-side.

I tried Azure AD docs, searched in the source code (and in general searched elsewhere), but couldn't find any mention of refresh token revocation in ADAL.

Can a refresh token be revoked in ADAL? What is the best way to log a user out?

Answer

Yes. From Best practices for OAuth 2.0 in Azure AD:

Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. The client application needs to expect and handle errors returned by the token issuance endpoint correctly. When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code.

Also I remember Vittorio mentioning in his blog post (ADAL 3 didn’t return refresh tokens for ~5 months… and nobody noticed) that ADAL 3 doesn't even return refresh tokens. I guess the general recommendation is not to take any dependency on refresh tokens in your application.

Regarding logging out the user, please see this thread: ADAL: W8.1 app trying to log user out, though this thread is for a Windows Phone app.
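The quoted guidance boils down to a small client-side state machine: the client cannot revoke a refresh token itself, so it must treat an interaction_required or invalid_grant reply from the token endpoint as the signal to discard the token and go interactive again, and a local "logout" is just clearing the cache. The following is an added example, not code from the question or from ADALiOS; the TokenCache class and the response payloads are constructed stand-ins in the OAuth 2.0 token/error response shape, not captured Azure AD traffic.

```python
"""Client-side handling of refresh-token errors from an OAuth 2.0 token endpoint.

Added example (not ADALiOS code). Models the quoted Azure AD guidance: on
interaction_required or invalid_grant, discard the refresh token and request a
new authorization code; on a transient failure, keep it and retry later.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Error codes named in the quoted guidance for an expired, revoked or
# under-privileged refresh token.
REAUTHORIZE_ERRORS = {"interaction_required", "invalid_grant"}


@dataclass
class TokenCache:
    """Minimal stand-in for a client token cache (hypothetical, not ADAL's)."""
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None

    def clear(self) -> None:
        # Local logout: forget both tokens so the next acquisition must be
        # interactive. Nothing is revoked on the server side by doing this.
        self.access_token = None
        self.refresh_token = None


def handle_refresh_response(cache: TokenCache, status: int, body: str) -> str:
    """Apply a token-endpoint response (HTTP status + JSON body) to the cache.

    Returns "refreshed" (new tokens stored), "reauthorize" (refresh token
    discarded, start a new auth-code flow) or "retry" (transient, keep token).
    """
    payload = json.loads(body)
    if status == 200 and "access_token" in payload:
        cache.access_token = payload["access_token"]
        # A rotated refresh token replaces the old one; otherwise keep ours.
        cache.refresh_token = payload.get("refresh_token", cache.refresh_token)
        return "refreshed"
    if payload.get("error") in REAUTHORIZE_ERRORS:
        cache.clear()
        return "reauthorize"
    # Anything else (5xx, temporarily_unavailable, ...) says nothing about the
    # refresh token's validity, so do not throw it away.
    return "retry"
```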
