Multiple access tokens with Azure AD B2C


Question

We have a web application which needs authenticated access to several Web APIs. We are using Azure AD B2C for authentication, which we have working okay except for one very frustrating and very limiting issue: we can only ever get back one valid access token at a time, yet we need several.

The snippet below shows the area of concern.

using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Identity.Client;
using Microsoft.Owin.Security.Notifications;

// Invoked by the OpenID Connect middleware once B2C redirects back with an authorization code.
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
    // Both calls redeem the same notification.Code, once per scope set.
    await GetAccessToken(notification, TaskScopes);
    await GetAccessToken(notification, UserScopes);
}

private async Task<AuthenticationResult> GetAccessToken(AuthorizationCodeReceivedNotification notification, string[] scopes)
{
    // Key the MSAL token cache to the signed-in user (object id claim).
    string signedInUserID = notification.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
    TokenCache userTokenCache = new MSALSessionCache(signedInUserID, notification.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
    ConfidentialClientApplication cca = new ConfidentialClientApplication(ClientId, Authority, RedirectUri, new ClientCredential(ClientSecret), userTokenCache, null);
    try
    {
        // Exchange the authorization code for an access token covering the requested scopes.
        return await cca.AcquireTokenByAuthorizationCodeAsync(notification.Code, scopes);
    }
    catch (Exception ex)
    {
        //TODO: Handle
        throw;
    }
}

The code snippets shown are called after the authentication token is received from Azure AD B2C. When this code is executed as shown, the first of the two access tokens is returned and is fully valid. However, the second one has access_token: null and the scopes from the first token.

Further, if we simply comment out either of the two calls to GetAccessToken, the remaining call works as expected, no matter which of the two it is. That would seem to indicate that all of our configurations are correct, so I won't post those here for review.

All of the sample code I've seen only ever shows one access token being acquired. And again, when we isolate either of the two calls, it works flawlessly. It only fails if we try to acquire both tokens, and always on the second of the two, no matter the order. Also, we are not encountering any exceptions when this happens.

Can anyone provide any clues as to what may be going on here? Thanks for your help.

Recommended answer

The fundamental problem is that by the OAuth standard, you shouldn't attempt to use the same authorization code more than once.

From https://tools.ietf.org/html/rfc6749#section-10.5

Authorization codes MUST be short lived and single-use. If the authorization server observes multiple attempts to exchange an authorization code for an access token, the authorization server SHOULD attempt to revoke all access tokens already granted based on the compromised authorization code.

So, Azure AD B2C just can't support your use-case at this time since you can't request multiple audiences and scopes in a single access token.

If you're in control of those several APIs and can make them so that they share a single audience, but maybe have their own scopes, you could use a single access token for them all.
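The single-use rule the answer quotes, and the workaround it suggests, as an added example that is not part of the original answer and is not MSAL or Azure AD B2C code: a small Python model of a token endpoint that redeems each authorization code exactly once and, on a second attempt, revokes every token already minted from that code, which is what RFC 6749 section 10.5 says an authorization server SHOULD do. The audience URI, scope names and user are constructed placeholders. `redeem_twice` reproduces the question's pattern (one code, one exchange per scope set); `redeem_once_single_audience` shows the answer's workaround of a single audience with the union of scopes in one exchange. The page does not say whether B2C revokes on reuse; the model follows the RFC text.

```python
"""Model of RFC 6749 section 10.5: authorization codes are single-use.

Constructed example; not MSAL or Azure AD B2C code. The audience, scope
names and user below are placeholders.
"""
import secrets
import time
from dataclasses import dataclass

# Hypothetical single API audience with two scope sets (placeholders).
API_AUDIENCE = "https://contoso.onmicrosoft.com/api"
TASK_SCOPES = frozenset({"tasks.read", "tasks.write"})
USER_SCOPES = frozenset({"users.read"})


@dataclass
class IssuedToken:
    access_token: str
    audience: str
    scopes: frozenset
    code: str            # authorization code the token was minted from
    revoked: bool = False


class AuthorizationServer:
    """Minimal token endpoint: one redemption per code, revoke on reuse."""

    CODE_LIFETIME = 60  # seconds; codes MUST be short-lived (RFC 6749 10.5)

    def __init__(self):
        self._codes = {}        # pending code -> (user, audience, granted scopes, issued_at)
        self._redeemed = set()  # codes that have already been exchanged once
        self._tokens = []       # every access token ever issued

    def issue_code(self, user, audience, granted_scopes):
        """Authorization endpoint: mint a code bound to one audience and scope set."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (user, audience, frozenset(granted_scopes), time.time())
        return code

    def exchange_code(self, code, requested_scopes):
        """Token endpoint. Returns (IssuedToken, None) or (None, oauth_error)."""
        if code in self._redeemed:
            # Second exchange of the same code: treat it as compromised and
            # revoke every token already granted from it (the RFC's SHOULD).
            for token in self._tokens:
                if token.code == code:
                    token.revoked = True
            return None, "invalid_grant"
        entry = self._codes.pop(code, None)
        if entry is None:
            return None, "invalid_grant"   # unknown code
        self._redeemed.add(code)
        _user, audience, granted, issued_at = entry
        if time.time() - issued_at > self.CODE_LIFETIME:
            return None, "invalid_grant"   # expired code
        requested = frozenset(requested_scopes)
        if not requested <= granted:
            return None, "invalid_scope"   # more than the user consented to
        token = IssuedToken(secrets.token_urlsafe(32), audience, requested, code)
        self._tokens.append(token)
        return token, None

    def introspect(self, access_token):
        """What a resource server would learn about a presented token."""
        for token in self._tokens:
            if token.access_token == access_token:
                return {"active": not token.revoked,
                        "aud": token.audience,
                        "scope": " ".join(sorted(token.scopes))}
        return {"active": False}


def redeem_twice(server, code):
    """The question's pattern: one code exchanged once per scope set."""
    first, err1 = server.exchange_code(code, TASK_SCOPES)
    second, err2 = server.exchange_code(code, USER_SCOPES)
    return first, err1, second, err2


def redeem_once_single_audience(server, code):
    """The answer's workaround: one audience, union of scopes, one exchange."""
    return server.exchange_code(code, TASK_SCOPES | USER_SCOPES)


if __name__ == "__main__":
    srv = AuthorizationServer()
    code = srv.issue_code("alice", API_AUDIENCE, TASK_SCOPES | USER_SCOPES)
    first, _, second, err = redeem_twice(srv, code)
    print("second exchange:", second, err)                  # None invalid_grant
    print("first token after reuse:", srv.introspect(first.access_token))
    srv = AuthorizationServer()
    code = srv.issue_code("alice", API_AUDIENCE, TASK_SCOPES | USER_SCOPES)
    token, err = redeem_once_single_audience(srv, code)
    print("single exchange:", srv.introspect(token.access_token))
```

Run as a script to see the two flows side by side: the second redemption of a code is refused and the first token it produced stops introspecting as active, while one exchange for the combined scope set yields a single token that every API sharing the audience can accept.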
