When calling AcquireTokenByRefreshToken on the AuthenticationContext instance with Microsoft.IdentityModel.Clients.ActiveDirectory?


Question

I am developing a multi-tenant application registered on my Azure AD that consumes Office 365 apis, Graph API etc.

I followed this Microsoft sample to build my work which uses ADAL .NET library and OpenIdConnect: Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.19.0.0

In ADAL.NET, we use an AuthenticationContext instance with a custom inherited class for the TokenCache (see the sample code here: https://github.com/OfficeDev/O365-WebApp-MultiTenant/blob/master/O365-WebApp-MultiTenant/O365-WebApp-MultiTenant/Models/ADALTokenCache.cs).

For each request to the authorized resources, depending on the API, we invoke one of these methods (see code below) to get the auth_token that will be put in the request Bearer parameter. Is it the correct way to do it?

We never make use of the method AcquireTokenByRefreshTokenAsync; does it mean that our application never uses the refresh_token? Does it mean that our user will have to relog after one hour? Should we implement a kind of refreshing procedure with AcquireTokenByRefreshTokenAsync in the catch statement? Can it be made without prompting anything to the end-user?

REMARK: I posted a question regarding OpenIdConnect authentication ticket lifetime (http://stackoverflow.com/questions/35016906/microsoft-owin-security-openidconnect-with-azure-active-directory-authentication). To me these two questions are unrelated, but they may be.

string signInUserId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
string userObjectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
string tenantId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;

public async Task<string> AcquireOutlook365TokenAsync()
{
    AuthenticationContext authContext = new AuthenticationContext(string.Format("{0}/{1}", SettingsHelper.AuthorizationUri, tenantId), new ADALTokenCache(signInUserId));
    try
    {
        var result = await authContext.AcquireTokenSilentAsync(@"https://outlook.office365.com/",
            new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey),
            new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
        return result.AccessToken;
    }
    catch (AdalException exception)
    {
        // handle token acquisition failure
        if (exception.ErrorCode == AdalError.FailedToAcquireTokenSilently)
        {
            authContext.TokenCache.Clear();
        }
        throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Unauthorized));
    }
}

public async Task<string> AcquireAzureGraphTokenAsync()
{
    AuthenticationContext authContext = new AuthenticationContext(string.Format("{0}/{1}", SettingsHelper.AuthorizationUri, tenantId), new ADALTokenCache(signInUserId));
    try
    {
        var result = await authContext.AcquireTokenSilentAsync(@"https://graph.windows.net/",
            new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey),
            new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
        return result.AccessToken;
    }
    catch (AdalException exception)
    {
        // Same as other method
        if (exception.ErrorCode == AdalError.FailedToAcquireTokenSilently)
        {
            authContext.TokenCache.Clear();
        }
        throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Unauthorized));
    }
}

Solution

ADAL uses the stored refresh tokens automatically and transparently; you aren't required to perform any explicit action. AcquireTokenByRefreshToken is in the ADAL surface for legacy reasons, and has been removed from version 3.x. More background at http://www.cloudidentity.com/blog/2015/08/13/adal-3-didnt-return-refresh-tokens-for-5-months-and-nobody-noticed/
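As an added illustration of the answer (this is example code, not the question's code nor the Microsoft sample's ADALTokenCache): a per-user TokenCache whose serialized state is persisted across requests, so the refresh token ADAL stores in it is available when AcquireTokenSilentAsync needs to renew the access token. The backing dictionary, the PerUserTokenCache and TokenHelper names, and the Authority/ClientId/AppKey fields are assumptions standing in for the sample's database and SettingsHelper.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Per-user cache: ADAL writes the refresh token into this cache after the first
// sign-in and reads it back on every silent acquisition. Persist it per user
// (here an in-memory dictionary, a constructed stand-in for a database) and
// protect it at rest, since whoever reads it can mint new access tokens.
public class PerUserTokenCache : TokenCache
{
    private static readonly ConcurrentDictionary<string, byte[]> Store =
        new ConcurrentDictionary<string, byte[]>();
    private readonly string _userKey;

    public PerUserTokenCache(string signInUserId)
    {
        _userKey = signInUserId;
        // Load this user's blob before ADAL touches the cache ...
        BeforeAccess = args =>
        {
            byte[] blob;
            if (Store.TryGetValue(_userKey, out blob)) Deserialize(blob);
        };
        // ... and save it back only when ADAL changed something (e.g. a renewed token).
        AfterAccess = args =>
        {
            if (HasStateChanged) { Store[_userKey] = Serialize(); HasStateChanged = false; }
        };
    }
}

public static class TokenHelper
{
    public static string Authority, ClientId, AppKey; // assumed configuration values

    // Returns an access token for 'resource', or null when the user must sign in again.
    // AcquireTokenSilentAsync hands back the cached access token while it is valid and
    // otherwise redeems the cached refresh token itself; no AcquireTokenByRefreshToken call.
    public static async Task<string> GetTokenOrNullAsync(string resource, string signInUserId, string userObjectId)
    {
        var ctx = new AuthenticationContext(Authority, new PerUserTokenCache(signInUserId));
        try
        {
            var result = await ctx.AcquireTokenSilentAsync(resource,
                new ClientCredential(ClientId, AppKey),
                new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
            return result.AccessToken;
        }
        catch (AdalException ex) when (ex.ErrorCode == AdalError.FailedToAcquireTokenSilently)
        {
            // No usable access or refresh token for this user (revoked, expired, never issued).
            // Signal re-authentication instead of clearing the whole cache, which would also
            // drop this user's entries for other resources.
            return null;
        }
    }
}
```

A null return is the cue for the web app to redirect the user through the OpenID Connect sign-in again, after which ADAL stores a fresh token set in the cache and silent renewal resumes.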
