Cookie not expiring for Azure AD auth

Views: 85

Problem description

I am adding Azure AD Authentication to an ASP.NET Core application. The Application is registered in Azure AD and has custom roles setup in the manifest. These roles are used for Authorization policies within the app. Everything is working when users log in, they get redirected to sign in to Azure and come back with a Cookie containing their Claims.

My issue is that unless the Cookie is deleted in the browser, these Claims persist and aren't refreshed when Roles in Azure change. For example if a User signs in, then I remove them from a Role, they will still be seen as in that Role by the application.

I tried setting a 1 minute expiration to the Cookie, but it doesn't have an impact and I still have the same issue. Here is how the auth is configured in Startup. (AddAzureAd() comes from this example: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/blob/master/Extensions/AzureAdAuthenticationBuilderExtensions.cs):

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddAzureAd(options =>
{
    options.ClientId = azureAdOptions.ClientId;
    options.ClientSecret = azureAdOptions.ClientSecret;
    options.Instance = azureAdOptions.Instance;
    options.Domain = azureAdOptions.Domain;
    options.TenantId = azureAdOptions.TenantId;
    options.CallbackPath = azureAdOptions.CallbackPath;
})
.AddCookie(options =>
{
    options.Cookie.Expiration = TimeSpan.FromMinutes(1);
    options.ExpireTimeSpan = TimeSpan.FromMinutes(1);
});

Update: Changing Expires to MaxAge in the Cookie configuration sets a Max Age for the Cookie in the browser that the browser respects, and works as it should. But why does ExpireTimeSpan not do anything and accept Cookies older than 1 minute?

Cookie options updated to this:

.AddCookie(options =>
{
    options.Events.OnSignedIn = async e =>
    {
        e.Properties.IsPersistent = true;
        e.Properties.ExpiresUtc = DateTime.UtcNow.AddMinutes(1);
    };
});

But it still is accepting Cookies much older. If I sign in, remain on a page for 5 minutes, then refresh it authenticates using the same cookie. Roles, etc. are not updated.

Recommended answer

If you want to control the authentication ticket lifetime, you can use:

services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.UseTokenLifetime = false;
    ...

});

services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(1);
    ...

});

So after 1 minute the ticket expires; when a page is requested, it will send an authorize request to AAD, and if the AAD user is active it will automatically sign in again to get new tokens and map them to user claims.
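The configuration below is an added example, not code from the question, the answer, or the Azure sample. It puts the answer's two settings into a complete Startup for the Microsoft.AspNetCore.Authentication.AzureAD.UI package and adds the checks a defender would want around them: UseTokenLifetime is switched off because, when it is on, the OpenID Connect handler copies the id_token's expiry into the ticket's ExpiresUtc and the cookie handler then never applies ExpireTimeSpan (which is why the question's 1-minute setting had no effect; setting ExpiresUtc in OnSignedIn does not help either, because that event fires after the cookie has already been written). Sliding expiration is disabled so an active user cannot keep stale role claims alive, and an OnValidatePrincipal handler rejects any ticket older than the budget as a second line of defence. The "AzureAd" configuration section name and the "Admin" role used in the policy are assumptions for the example.

```csharp
// Added example (not the question's or answer's own code). Assumes the
// Microsoft.AspNetCore.Authentication.AzureAD.UI package, an "AzureAd"
// configuration section, and app roles delivered as role claims in the cookie.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    // Longest time a sign-in cookie stays valid before the app forces a new
    // round-trip to AAD; this bounds how long a revoked role is still honoured.
    private static readonly TimeSpan TicketLifetime = TimeSpan.FromMinutes(1);

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            // With UseTokenLifetime = true the OIDC handler sets the ticket's
            // ExpiresUtc from the id_token (typically about an hour), and the
            // cookie handler only applies ExpireTimeSpan when ExpiresUtc is unset.
            options.UseTokenLifetime = false;
        });

        services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
        {
            options.ExpireTimeSpan = TicketLifetime;

            // Sliding expiration would re-issue the cookie on every active
            // request and keep stale claims alive for as long as the user is busy.
            options.SlidingExpiration = false;

            // Second line of defence: even if another component issues a longer
            // ticket, refuse any principal whose ticket is older than the budget.
            options.Events.OnValidatePrincipal = async context =>
            {
                DateTimeOffset? issued = context.Properties.IssuedUtc;
                if (issued == null || DateTimeOffset.UtcNow - issued.Value > TicketLifetime)
                {
                    context.RejectPrincipal();
                    await context.HttpContext.SignOutAsync(AzureADDefaults.CookieScheme);
                    // The next [Authorize] request now challenges the OIDC scheme,
                    // which sends the user to AAD and rebuilds the claims from a
                    // fresh token, so role removals take effect within TicketLifetime.
                }
            };
        });

        services.AddAuthorization(options =>
        {
            // Policy driven by the app-role claims carried in the cookie
            // ("Admin" is an assumed role name for this example).
            options.AddPolicy("Admins", policy => policy.RequireRole("Admin"));
        });
    }
}
```

A one-minute ticket means a redirect to AAD roughly every minute; for a real deployment pick the longest lifetime your revocation requirements tolerate, since the trade-off is the same either way: role changes in Azure AD are only seen when the app rebuilds the principal from a fresh token.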
