Alexa Skill with Azure AD B2C Auth expires after an hour


Question


I am currently building an Alexa skill backed by Azure Functions (.NET Core/C#) and Azure AD B2C for authentication.


For the initial setup, I mostly used the instructions found in this article. Since the article was written a couple of years ago, I had to make a few changes. In the end, I landed on the following configuration:


As I mentioned, we are using AAD B2C for authentication. Users of a related application are able to sign-up and sign-in to a React application. The idea is to provide an alternative interface for said users through Alexa intents + utterances.


I created an application for Alexa in AAD B2C with the following settings:

  • Web App / Web API: Yes
  • Allow implicit flow: Yes
  • Reply URLs: I entered the values provided by the Alexa skill setup (e.g. https://pitangui.amazon.com/api/skil/link/...); there are three different ones. I also added one for my azure function app (this is something that could be incorrect. It was part of what I did while diagnosing other earlier problems); it's in the format: https://myfuncname.azurewebsites.net/.auth/login/aad/callback (Do I even need this???)
  • App ID URI: https://myorg.onmicrosoft.com/alexa
  • Include native client: No


I generated a single App Key, which I'm using as the Secret in the Account Linking section in the Alexa Developer Console.

Many of the examples online set an explicit expiration date of 1 or 2 years here; however, I don't see any such option at all (i.e. there is no expiration option), just the code.

  • In the Published scopes section, the Scope's name is user_impersonation. The description is "Access this app on behalf of the signed-in user". The full scope value is: https://myorgsname.onmicrosoft.com/alexa/user_impersonation.


For API Access, I have two API entries here:

  • One that uses the user_impersonation scope mentioned above.
  • The second, titled "Access the user's profile", uses:
    • Acquire an id_token for users (openid)
    • Acquire a refresh_token for users (offline_access)

The user flow that I'm using allows signing up and signing in, it utilizes the following configuration:

Properties

Other

  • Enable JavaScript enforcing page layout (preview): On

Token lifetime

  • Access & ID token lifetimes (minutes): 60
  • Refresh token lifetime (days): 14
  • Refresh token sliding window lifetime: "Bounded".
  • Lifetime length (days): 90

Token compatibility settings

  • Issuer (iss) claim: https://<domain>/<b2c-tenant-guid>
  • Subject (sub) claim: ObjectID
  • Claim representing user flow: tfp

Session behavior

  • Web app session lifetime (minutes): 1440
  • Web app session timeout: Rolling
  • Single sign-on configuration: Tenant
  • Require ID Token in logout requests: No

For the authentication layer within the Azure Function, I'm utilizing the method described in the article mentioned above.

On the Alexa side of things, I have a really simple skill setup with the following settings:

My endpoint uses the HTTPS option with the default region set to the fully-qualified HTTPS endpoint of my Azure Function App's handler function.

The certificate set to "My development endpoint is a sub-domain of a domain that has a wildcard ..."

The account linking settings are as outlined below:

  • Do you allow users to create an account or link to ...: Toggled On
  • Allow users to enable skill without account linking: Toggled On
  • Allow users to link their account to your skill from within your application or website: Toggled Off
  • Auth Code Grant: On
  • Authorization URI: https://myorg.b2clogin.com/myorg.onmicrosoft.com/oauth2/v2.0/authorize?p=<sign-in-user-flow-policy-name>
  • Access Token URI: https://myorg.b2clogin.com/myorg.onmicrosoft.com/oauth2/v2.0/token?p=<sign-in-user-flow-policy-name>
  • Your Client ID: AAD B2C App GUID
  • Your Secret: Key generated in App settings in AAD B2C for my Alexa Skill App (mentioned in the AAD B2C setup info above).
  • Your Authentication Scheme: HTTP Basic
  • Scope: openid and https://myorg.onmicrosoft.com/alexa/user_impersonation
  • Domain List: login.microsoftonline.com and myorg.b2clogin.com. Note: This is probably wrong as I didn't know what to put here. The article above doesn't mention this setting at all.
  • Default Access Token Expiration Time: 3600

Note: The Alexa Redirect URLs at the bottom are what I put in AAD B2C for the Reply URL section.

Now for the most important part, The Problem. Everything seems to work at first... I'm able to go to alexa.amazon.com and utilize Link Account (which redirects me to and from my AAD B2C-driven login screen). Once I link accounts, I'm able to successfully utilize an utterance and receive a reply.

The problems start when I wait an hour (I believe it's an hour). Attempting to initiate the Intent after an hour yields an error on the Azure Function app side of things when it tries to validate the Auth Token.

Can anyone provide me some guidance as to what I may have set up incorrectly or at least some things that I should look into? As I mentioned at the start of this question, many of the references that I'm finding online are out-of-date and do not cover all of the settings that I'm expected to utilize. Many of them are still using the microsoftonline.com authority vs. b2clogin.com.

At first glance, I believe the problem is that the token refresh fails after the Alexa skill's token expires after an hour. What can I do to make sure it refreshes correctly?

Answer

I think that I have enough information at this point to go ahead and answer my own question. What I found was that the offline_access scope is necessary for Token Refresh to be possible.

Per Microsoft, "The offline_access scope gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the 'Maintain access to data you have given it access to' permission. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire."

You can read more about it here.

To resolve the issue, I ensured that this scope was available in AAD B2C and added it as a referenced scope in the Alexa developer console.
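To make the behaviour behind this answer, and the one-hour failure described in the question, concrete, here is an added example that is not part of the original question or answer and not Microsoft's or Amazon's code. It simulates the account-linking exchange end to end: a local stand-in for the B2C token endpoint (authorization code grant with HTTP Basic client auth, then refresh), the expiry check the skill backend performs on each request's bearer token, and Alexa's refresh step. The client id, secret, user id, epoch times and the unsigned token format are constructed for the demonstration; the only values taken from the page are the scope names and the 60-minute / 14-day lifetimes. With `openid user_impersonation` alone, the endpoint issues no refresh token, so the first request after the hour fails exactly as the question describes; adding `offline_access` makes the refresh succeed.

```python
# Added example (not the poster's, Microsoft's or Amazon's code): simulated OAuth2
# auth-code + refresh exchange for Alexa account linking against Azure AD B2C.
import base64
import json
import secrets

CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # constructed B2C app id
CLIENT_SECRET = "constructed-app-key"               # constructed App Key
ACCESS_TOKEN_LIFETIME = 3600         # 60 minutes, as in the user flow above
REFRESH_TOKEN_LIFETIME = 14 * 86400  # 14 days, as in the user flow above
USER_SCOPE = "https://myorg.onmicrosoft.com/alexa/user_impersonation"

def _encode(claims):
    """Unsigned stand-in for a JWT payload; real B2C tokens are signed."""
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()

class FakeB2CTokenEndpoint:
    """Local stand-in for .../oauth2/v2.0/token?p=<policy>: like the real one,
    it returns a refresh_token only when offline_access was granted."""
    def __init__(self):
        self._codes = {}    # auth code -> (subject, scopes)
        self._refresh = {}  # refresh token -> (subject, scopes, expiry)

    def authorize(self, subject, scope):
        # Authorization endpoint stand-in: the user signs in, Alexa gets a code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (subject, frozenset(scope.split()))
        return code

    def token(self, form, basic_auth, now):
        """POST /token with HTTP Basic client auth (the scheme set in the console)."""
        if basic_auth != (CLIENT_ID, CLIENT_SECRET):
            return {"error": "invalid_client", "error_description": "bad credentials"}
        if form.get("grant_type") == "authorization_code":
            entry = self._codes.pop(form.get("code"), None)  # codes are single use
            if entry is None:
                return {"error": "invalid_grant", "error_description": "unknown code"}
            subject, scopes = entry
        elif form.get("grant_type") == "refresh_token":
            entry = self._refresh.pop(form.get("refresh_token"), None)  # rotate on use
            if entry is None or now >= entry[2]:
                return {"error": "invalid_grant", "error_description": "refresh token invalid or expired"}
            subject, scopes, _ = entry
        else:
            return {"error": "unsupported_grant_type", "error_description": "bad grant_type"}
        claims = {"sub": subject, "scp": " ".join(sorted(scopes)), "exp": now + ACCESS_TOKEN_LIFETIME}
        resp = {"token_type": "Bearer", "expires_in": ACCESS_TOKEN_LIFETIME,
                "access_token": _encode(claims)}
        if "offline_access" in scopes:  # the point of the accepted answer
            rt = secrets.token_urlsafe(24)
            self._refresh[rt] = (subject, scopes, now + REFRESH_TOKEN_LIFETIME)
            resp["refresh_token"] = rt
        return resp

def validate_access_token(token, now):
    """The skill backend's (Azure Function's) check on the bearer token; signature
    verification against the B2C signing keys is omitted in this stand-in."""
    claims = json.loads(base64.urlsafe_b64decode(token.encode()))
    if now >= claims["exp"]:
        raise PermissionError("access token expired")
    return claims

class AlexaLinkedAccount:
    """Alexa's side: keeps the tokens and refreshes the access token when expired."""
    def __init__(self, endpoint, token_response, now):
        self.endpoint = endpoint
        self._store(token_response, now)

    def _store(self, resp, now):
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token")  # None without offline_access
        self.expires_at = now + resp["expires_in"]

    def bearer_for_request(self, now):
        if now < self.expires_at:
            return self.access_token
        if self.refresh_token is None:
            raise RuntimeError("access token expired and no refresh token was issued (offline_access not in scope)")
        form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        resp = self.endpoint.token(form, (CLIENT_ID, CLIENT_SECRET), now)
        if "error" in resp:
            raise RuntimeError("refresh failed: " + resp["error_description"])
        self._store(resp, now)
        return self.access_token

def simulate(scope, elapsed_seconds):
    """Link an account with `scope`, wait, then fire an intent at the skill.
    Returns 'ok', 'refreshed', or the failure message."""
    t0 = 1_700_000_000  # arbitrary epoch seconds
    endpoint = FakeB2CTokenEndpoint()
    code = endpoint.authorize("user-object-id", scope)
    first = endpoint.token({"grant_type": "authorization_code", "code": code},
                           (CLIENT_ID, CLIENT_SECRET), t0)
    account = AlexaLinkedAccount(endpoint, first, t0)
    later = t0 + elapsed_seconds
    try:
        token = account.bearer_for_request(later)
        validate_access_token(token, later)
    except (RuntimeError, PermissionError) as exc:
        return str(exc)
    return "refreshed" if token != first["access_token"] else "ok"
```

Calling `simulate("openid " + USER_SCOPE, 3660)` reproduces the question's symptom (an expired token with nothing to refresh it), while `simulate("openid offline_access " + USER_SCOPE, 3660)` returns `"refreshed"`; pushing the elapsed time past the 14-day refresh lifetime shows the next failure mode, a refresh token that B2C will no longer accept, at which point the user has to re-link the account. The stand-in also rotates refresh tokens on use and treats authorization codes as single use, which is what a defender should expect from a production token endpoint.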

