Costs of B2C and Refresh tokens


Problem description

I'm not sure I'm understanding this properly, but here goes:

Since MSA and Google tokens expire every hour, the only way for my app to reflect changes in the user's permissions on the MSA and Google site would be to refresh the EasyAuth B2C token on roughly the same interval, right? If they revoke access to my app, then they probably don't want unexpired tokens rolling around for days.

And each time I need to refresh that token, another refresh call is made to B2C and then on to the identity provider, right?

And each time that happens I'll be charged (based on the info on the Azure pricing page). So if my app (it's a financial app with the ability to charge credit cards) gets popular and scales, the fees will be actually quite large, as there will be tons of logging in/out and refreshing if everyone is responsible.

Do I have this right? Any suggestions for mitigating the fees responsibly?

Does the refresh token store get purged when someone logs out? If so, then I could just assume (I know - bad word) that if they want to disable access to the app, they just logout. Any subsequent login or use of a refresh token would then be blocked.

Recommended answer

Since MSA and Google tokens expire every hour, the only way for my app to reflect changes in the user's permissions on the MSA and Google site would be to refresh the EasyAuth B2C token on roughly the same interval, right?

Based on my understanding, the web application uses the id_token to authenticate the user. After the web application has authenticated the user, it maintains its own session, and the default web application session time is 1440 minutes, which we can configure. You can refer here for the details.

And if you were using the OAuth 2.0 flow to authorize the application to access a resource protected by Azure AD, since the lifetime of the token is one hour, we need to renew the token once it has expired, as you mentioned.

And each time I need to refresh that token, another refresh call is made to B2C and then on to the identity provider, right? And each time that happens I'll be charged (based on the info on the Azure pricing page). So if my app (it's a financial app with the ability to charge credit cards) gets popular and scales, the fees will be actually quite large, as there will be tons of logging in/out and refreshing if everyone is responsible. Do I have this right? Any suggestions for mitigating the fees responsibly?

You are right. Azure Active Directory (Azure AD) B2C usage will be billed monthly based on the total number of both: Stored Users, and Authentications: tokens issued either in response to a sign-in request initiated by a user, or initiated by an application on behalf of a user (e.g. token refresh, where the refresh interval is configurable).

Does the refresh token store get purged when someone logs out? If so, then I could just assume (I know - bad word) that if they want to disable access to the app, they just logout. Any subsequent login or use of a refresh token would then be blocked.

Did you mean revoking the token? Logging out of the web application won't revoke the token. Azure AD doesn't support revoking tokens at present. However, we can clear the token cache if you don't want users to use the token.
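To make the billing model from the answer concrete, here is an added example (not code from the question, the answer or Azure AD B2C) that models a per-user token cache: every token issuance, whether a sign-in or a refresh, counts as one billable authentication, so caching ties the bill to the token lifetime rather than to request volume, and clearing the cache on logout forces a fresh sign-in. The one-hour lifetime, the user names and the in-memory cache are constructed assumptions; no real B2C calls are made.

```python
from dataclasses import dataclass, field

TOKEN_LIFETIME_S = 3600  # assumed one-hour token lifetime, as discussed in the answer


@dataclass
class CachedToken:
    value: str
    expires_at: float  # epoch seconds


@dataclass
class TokenCache:
    """Hypothetical per-user cache that only goes back to B2C when a token has expired."""
    billed_authentications: int = 0
    _tokens: dict = field(default_factory=dict)

    def _issue(self, user: str, now: float, kind: str) -> CachedToken:
        # Each issuance (sign-in or refresh) is one billable authentication.
        self.billed_authentications += 1
        tok = CachedToken(f"{kind}-token-{user}-{int(now)}", now + TOKEN_LIFETIME_S)
        self._tokens[user] = tok
        return tok

    def sign_in(self, user: str, now: float) -> CachedToken:
        return self._issue(user, now, "signin")

    def get_token(self, user: str, now: float) -> CachedToken:
        """Return the cached token; refresh (and pay) only once it has expired."""
        tok = self._tokens.get(user)
        if tok is None:
            # Cache cleared or never signed in: the user must sign in again.
            raise PermissionError(f"{user} must sign in again")
        if now >= tok.expires_at:
            return self._issue(user, now, "refresh")
        return tok

    def logout(self, user: str) -> None:
        # Logout revokes nothing at B2C; dropping the cached token is the
        # app-side way to stop using it, as the answer suggests.
        self._tokens.pop(user, None)


def simulate_day(requests_per_hour: int, hours: int = 24) -> int:
    """Billed authentications for one constructed user hitting the app steadily."""
    cache = TokenCache()
    cache.sign_in("alice", 0.0)
    step = 3600 / requests_per_hour
    for i in range(1, requests_per_hour * hours):
        cache.get_token("alice", i * step)
    return cache.billed_authentications
```

With the cache, a user making one request per hour and one making sixty per hour both cost 24 authentications a day (one sign-in plus 23 hourly refreshes); without it every request would be a billable issuance.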
