Azure refresh token expires despite using a confidential client

Views: 94

Question

I'm using a Web App/API Azure application for a web application and used the authorization grant flow with client_id and client_secret to get the access/refresh tokens (using the REST API). Everything worked fine, except that the refresh token expired after 90 days. The expectation is to have a refresh_token that never expires (unless explicitly revoked), as stated in the Azure documentation.

This is what the Microsoft Azure AD documentation says (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#refresh-tokens):

Token lifetimes with confidential client refresh tokens: Confidential clients are applications that can securely store a client password (secret). They can prove that requests are coming from the secured client application and not from a malicious actor. For example, a web app is a confidential client because it can store a client secret on the web server. It is not exposed. Because these flows are more secure, the default lifetime of refresh tokens issued to these flows is until-revoked, cannot be changed by using policy, and will not be revoked on voluntary password resets.

This is the definition of confidential clients based on RFC 6749 (https://tools.ietf.org/html/rfc6749#section-2.1):

Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.

The error I'm getting now on the refresh token request: AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2018-10-19T17:26:59.8511467Z and was inactive for 90.00:00:00.

Answer

You are not replacing the old refresh token with a fresh one, which is also provided whenever you make a call to get a new access token using a refresh token.

The "Refreshing the access tokens" page explains this as follows.

Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. Your application needs to expect and handle errors returned by the token issuance endpoint correctly.

When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code.
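As an added example (not code from the question or the answer above), here is a Python refresh helper that does what the answer describes: it overwrites the stored refresh token with the one returned on every refresh, and discards it and signals re-authorization on invalid_grant or interaction_required. The token endpoint URL is an assumption, and FakeTokenEndpoint is a constructed stand-in for Azure AD so the example runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/token"  # assumption: v1 endpoint, "common" tenant


def refresh_tokens(store, client_id, client_secret, post=None):
    """Exchange store['refresh_token'] for new tokens and rotate the stored refresh token.
    Returns the new access token, or None when the token was rejected and the caller
    must re-run the authorization-code flow. post(body) -> (status, dict)."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": store["refresh_token"],
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    status, payload = (post or _https_post)(body)
    if status == 200:
        store["access_token"] = payload["access_token"]
        # The response carries a fresh refresh token. Keeping the old one is the bug in
        # the question: it eventually dies of inactivity, so overwrite it every time.
        if payload.get("refresh_token"):
            store["refresh_token"] = payload["refresh_token"]
        return store["access_token"]
    if payload.get("error") in ("invalid_grant", "interaction_required"):
        store.pop("refresh_token", None)  # discard it, as the quoted docs instruct
        return None
    raise RuntimeError(f"token endpoint returned HTTP {status}: {payload}")


def _https_post(body):
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


class FakeTokenEndpoint:
    """Constructed stand-in for Azure AD: only the most recently issued refresh token works."""
    def __init__(self, first_refresh_token):
        self.valid, self.n = first_refresh_token, 0
    def __call__(self, body):
        sent = urllib.parse.parse_qs(body.decode()).get("refresh_token", [None])[0]
        if sent != self.valid:
            return 400, {"error": "invalid_grant", "error_description":
                         "AADSTS700082: The refresh token has expired due to inactivity."}
        self.n += 1
        self.valid = f"rt{self.n}"
        return 200, {"access_token": f"at{self.n}", "refresh_token": self.valid}
```

Against the real endpoint, pass no `post` argument; the stale-token case in the fake mirrors the AADSTS700082 error from the question, where a client that never rotated its token is forced back through the authorization-code flow.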

