Azure AD Easy Auth expires even when users are actively using application


Problem description


We have a Single Page App (SPA) that uses Azure Active Directory "Easy Auth", e.g., the code-less solution. This seems to work ok when users first open the application. They are redirected to the Microsoft login page and they can authenticate and then access the application.


Then, because it's an SPA, users will navigate around and only fire Ajax requests. The problems come approximately 24 hours later when the session cookie expires. Users likely still have the same browser tab open and do not perform a full page refresh. Then they may be working on a record and at some point their next Ajax PUT request fails with a Redirect HTTP status and they lose their work.


So the key question is:


How can we make SPA Ajax requests extend a current user's session so that their session will not expire when they are actively using the application?


It seems like the Azure AD Easy Auth service does not "honor" activity on the part of the user, which leads us to believe that the session cookie never gets updated.


Note: We've recently done some testing with the /.auth/refresh endpoint and this does not solve the problem either.

Recommended answer


There are several ways you can possibly solve this. Here are a few that I can think of:

  1. Use local storage: The problem you mentioned is that users lose their work due to the redirects. The problem of losing work can be solved if you persist the in-progress state in local storage so that it's available when they are redirected back to the page.
  2. Switch to using tokens: The /.auth/refresh endpoint doesn't refresh the AppServiceAuthSession when using AAD because AAD doesn't support refreshing the user information. What you can do instead is authenticate with your backend using the x-zumo-auth tokens. The /.auth/refresh endpoint will correctly refresh these tokens. If you're explicitly logging in users using /.auth/login/aad, then you can add the session_mode=token as a query string parameter. This is done for you if you use the Mobile Apps JavaScript SDK. If login is automatic, then you'll need to add session_mode=token in the additionalLoginParams setting of your auth config. You can then parse the authentication token from the #token fragment which is added to the URL after the login completes.
  3. Use hidden iframes: I haven't tried this myself, but if you can get it working it might require the least amount of code change. The idea is that you use a hidden iframe to re-login the user periodically when you detect they are active. The iframe would need to point to something like /.auth/login/aad?prompt=none&domain_hint={userdomain.com} where {userdomain.com} is the last part of the user's email address - e.g. contoso.com. These parameters get passed to the AAD login page, and the login should complete automatically without any user interaction. Test it manually a few times in a browser window to make sure it works correctly. The result should be an updated auth cookie with a fresh expiration.


Let me know in the comments if you have any questions or issues with any of these options.
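The three options above, sketched as client-side helpers. This is an added example and not code from the answer, the question, or Microsoft; it assumes the Easy Auth login fragment has the Mobile Apps shape (`#token=` followed by URL-encoded JSON containing `authenticationToken` and `user.userId`), that `/.auth/refresh` answers with a JSON body carrying a new `authenticationToken` when called with the `X-ZUMO-AUTH` header, and that the `post_login_redirect_url` parameter is accepted by `/.auth/login/aad`. `fetch` and storage are injected so the helpers also run outside a browser; `makeFakeJwt` only builds a constructed sample token for offline demonstration. The `exp` claim is read without signature verification on purpose: the client uses it only to schedule a refresh before expiry, and the backend still validates every token it receives.

```javascript
// Added example: Easy Auth token-mode helpers for an SPA (assumptions marked).
const ZUMO_HEADER = 'X-ZUMO-AUTH';

// JWT segments are base64url without padding; Buffer handles the decode in Node.
function b64urlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}
function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Option 2: explicit login URL with session_mode=token.
// Assumption: post_login_redirect_url is honoured by the login endpoint.
function buildTokenLoginUrl(origin, postLoginRedirect) {
  const u = new URL('/.auth/login/aad', origin);
  u.searchParams.set('session_mode', 'token');
  u.searchParams.set('post_login_redirect_url', postLoginRedirect);
  return u.toString();
}

// Option 2: parse the "#token=<url-encoded JSON>" fragment added after login.
// Assumption: the JSON carries authenticationToken and user.userId.
function parseTokenFragment(hash) {
  const m = /(?:^#?|&)token=([^&]*)/.exec(hash || '');
  if (!m) return null;
  const parsed = JSON.parse(decodeURIComponent(m[1]));
  if (typeof parsed.authenticationToken !== 'string') return null;
  return { token: parsed.authenticationToken, userId: parsed.user && parsed.user.userId };
}

// Read exp (seconds) from a JWT payload; null when absent. No signature check here.
function jwtExpiryMs(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return null;
  const payload = JSON.parse(b64urlDecode(parts[1]));
  return typeof payload.exp === 'number' ? payload.exp * 1000 : null;
}

// Refresh when within skewMs of expiry (or when expiry is unknown).
function needsRefresh(jwt, nowMs, skewMs = 5 * 60 * 1000) {
  const exp = jwtExpiryMs(jwt);
  return exp === null ? true : exp - nowMs <= skewMs;
}

// Call /.auth/refresh with the current token and return the new one.
// Assumption: response JSON contains authenticationToken.
async function refreshToken(fetchImpl, origin, jwt) {
  const res = await fetchImpl(new URL('/.auth/refresh', origin).toString(), {
    headers: { [ZUMO_HEADER]: jwt },
  });
  if (!res.ok) throw new Error('refresh failed: ' + res.status);
  const body = await res.json();
  return body.authenticationToken;
}

// Option 1: persist in-progress edits so a redirect-driven reload can restore them.
// `storage` is any object with getItem/setItem/removeItem (window.localStorage in a browser).
const DRAFT_PREFIX = 'draft:';
function saveDraft(storage, recordId, state) {
  storage.setItem(DRAFT_PREFIX + recordId, JSON.stringify({ savedAt: Date.now(), state }));
}
function loadDraft(storage, recordId) {
  const raw = storage.getItem(DRAFT_PREFIX + recordId);
  return raw ? JSON.parse(raw).state : null;
}
function clearDraft(storage, recordId) {
  storage.removeItem(DRAFT_PREFIX + recordId);
}

// Option 3: silent re-login URL for a hidden iframe; domain_hint is the email's domain.
function buildSilentLoginUrl(origin, userEmail) {
  const domain = userEmail.slice(userEmail.lastIndexOf('@') + 1);
  const u = new URL('/.auth/login/aad', origin);
  u.searchParams.set('prompt', 'none');
  u.searchParams.set('domain_hint', domain);
  return u.toString();
}

// Constructed sample token for offline demonstration only (unsigned, not a real Easy Auth token).
function makeFakeJwt(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.sig`;
}
```

In a browser the SPA would call `parseTokenFragment(window.location.hash)` once after the redirect, keep the token in memory, send it on every Ajax call in the `X-ZUMO-AUTH` header, and run `needsRefresh` on a timer (or before each PUT) so that `refreshToken` is called while the token is still valid; `saveDraft` runs on every edit so a forced redirect costs nothing.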

