ADFS 3.0 using OAuth and Persistent Refresh Tokens


Problem description

Question 1

We are currently using ADFS and OAuth (Windows Server 2012 R2 with ADFS 3.0). Our test applications (both WPF and mobile apps) can successfully authenticate and get an Access Token and a Refresh Token. After that we can continue to use the Access Token until it expires, and then use the Refresh Token to get a new Access Token. So far so good, but the problem is that when the Refresh Token expires, we need to force the user to enter their credentials again. Our aim is to have the user enter their credentials only once, and then use a short lifetime for the Access Token and a persistent (or really, really long) lifetime for Refresh Tokens.

According to some blog posts, when using a Refresh Token you should get a new Access Token and sometimes also a new Refresh Token, but in our case we never get a new refresh token, so that one eventually expires.

Is it even possible, using ADFS 3.0 and OAuth, to have a persistent Refresh Token? Or to get new refresh tokens from time to time so that the user doesn't have to enter their credentials again? Or is it possible to have a really long lifetime for refresh tokens?

Question 2

There are also a lot of different properties you can set in ADFS that we are not sure of:

  • TokenLifetime - is this the lifetime of the access token? What is the maximum value?
  • SsoTokenLifetime - is this the lifetime of the refresh token? What is the maximum value?
  • PersistentSsoLifetimeMins - what is this?
  • PersistentSsoEnabled - I guess this should be set to true for refresh tokens to work properly
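Before changing any lifetimes it is worth confirming exactly what the ADFS 3.0 token endpoint returns for a refresh_token grant, since the question hinges on whether a new refresh token ever comes back. The following PowerShell is an added example, not code from the question or the answer; the federation server name, client ID and token values are placeholders, and ADFS 2012 R2 clients are public clients, so no client secret is sent.

```powershell
# Added example (not from the original question or answer). Posts a
# refresh_token grant to the ADFS 3.0 OAuth token endpoint and reports whether
# the response contained a new refresh token. Hostname, client_id and token
# values are assumed placeholders; the client_id must match one registered
# with Add-AdfsClient.

function Test-AdfsRefreshTokenGrant {
    param(
        [Parameter(Mandatory)] [string] $FederationServer,   # e.g. fs.contoso.com (assumed)
        [Parameter(Mandatory)] [string] $ClientId,           # assumed client id
        [Parameter(Mandatory)] [string] $RefreshToken        # refresh token saved from the initial sign-in
    )

    $tokenEndpoint = "https://$FederationServer/adfs/oauth2/token"

    # ADFS 3.0 expects the grant as form-encoded POST data.
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        refresh_token = $RefreshToken
    }

    try {
        $resp = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body `
                                  -ContentType 'application/x-www-form-urlencoded'
    }
    catch {
        # An expired or revoked refresh token is answered with an HTTP 400 and an
        # OAuth error body; surface that body instead of a bare exception.
        $stream = $_.Exception.Response.GetResponseStream()
        $reader = New-Object System.IO.StreamReader($stream)
        throw "Token endpoint rejected the refresh token: $($reader.ReadToEnd())"
    }

    [pscustomobject]@{
        AccessTokenExpiresInMin = [int]($resp.expires_in / 60)
        # True only if ADFS rotated the refresh token in this response.
        NewRefreshTokenIssued   = -not [string]::IsNullOrEmpty($resp.refresh_token)
        # Present only when a refresh token was returned.
        RefreshTokenExpiresIn   = $resp.refresh_token_expires_in
    }
}

# Usage (placeholder values):
# Test-AdfsRefreshTokenGrant -FederationServer 'fs.contoso.com' `
#     -ClientId 'my-wpf-client' -RefreshToken $savedRefreshToken
```

Run it once with a freshly obtained refresh token and again after the access token has expired; if NewRefreshTokenIssued stays false, the lifetime of the original refresh token is the only thing keeping the user signed in, which is what the lifetimes in the answer below control.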

Accepted answer

This post describes a semi-official answer. Here's an example of setting the required values:

# Allow refresh tokens to be issued to every client of this RPT (not only workplace-joined devices)
Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -IssueOAuthRefreshTokensTo AllDevices
# Access-token lifetime for this RPT, in minutes
Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -TokenLifetime 10
# Farm-wide SSO lifetime, in minutes (480 = 8 hours); bounds the refresh-token lifetime
Set-AdfsProperties -SSOLifetime 480

For the specified RPT, this would issue access tokens with a lifetime of 10 minutes and refresh tokens to all clients with a lifetime of 8 hours.
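To see how the answer's three commands relate to the four properties asked about in Question 2, the following PowerShell is an added example (not the answer's own script) that reads the current farm and RPT values, applies the answer's settings, enables persistent SSO with a longer lifetime, and verifies the result. It is meant to be run on the ADFS server with administrative rights; "RPT Name" and the 14-day persistent-SSO lifetime are assumed values.

```powershell
# Added example, not from the original answer. Inspects and sets the ADFS 3.0
# properties behind access-token and refresh-token lifetimes. Run as an
# administrator on the ADFS server. "RPT Name" and the 14-day value are
# assumed placeholders; adjust to your environment.

Import-Module ADFS

$rptName = "RPT Name"

# 1. Farm-wide SSO settings. SsoLifetime bounds refresh tokens for ordinary
#    clients; PersistentSsoLifetimeMins applies when persistent SSO is in
#    effect (tied to device registration); KmsiLifetimeMins applies when the
#    user ticks "Keep me signed in".
Get-AdfsProperties |
    Select-Object SsoLifetime, PersistentSsoEnabled, PersistentSsoLifetimeMins,
                  KmsiEnabled, KmsiLifetimeMins |
    Format-List

# 2. Per-RPT settings: TokenLifetime is the access-token lifetime in minutes
#    (0 = service default); IssueOAuthRefreshTokensTo controls which devices
#    receive a refresh token at all.
Get-AdfsRelyingPartyTrust -Name $rptName |
    Select-Object Name, TokenLifetime, IssueOAuthRefreshTokensTo |
    Format-List

# 3. Apply the answer's values: 10-minute access tokens, refresh tokens for
#    every client, 8-hour SSO lifetime.
Set-AdfsRelyingPartyTrust -TargetName $rptName -IssueOAuthRefreshTokensTo AllDevices
Set-AdfsRelyingPartyTrust -TargetName $rptName -TokenLifetime 10
Set-AdfsProperties -SsoLifetime 480

# 4. Persistent SSO: turn it on and lengthen its lifetime (minutes). 14 days is
#    an assumed value; the ADFS 2012 R2 default is 7 days (10080). Persistent
#    SSO is tied to registered (workplace-joined) devices, so this does not by
#    itself extend refresh tokens for clients outside that set.
Set-AdfsProperties -EnablePersistentSso $true -PersistentSsoLifetimeMins (14 * 24 * 60)

# 5. Verify what was applied.
Get-AdfsProperties |
    Select-Object SsoLifetime, PersistentSsoEnabled, PersistentSsoLifetimeMins |
    Format-List
Get-AdfsRelyingPartyTrust -Name $rptName |
    Select-Object TokenLifetime, IssueOAuthRefreshTokensTo |
    Format-List
```

Lengthening refresh-token lifetime widens the window in which a stolen refresh token can be replayed, so pair a long lifetime with a short TokenLifetime (as the answer does) and keep IssueOAuthRefreshTokensTo as narrow as the client population allows.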

