MVC AD Azure Refresh Token via ADAL JavaScript Ajax and KnockoutJs


Problem description



There is an inherent design flaw in the type of MVC application I have built and I believe I'm not the first to realize.

I have an MVC 4 Application that utilises AD Azure Authentication that was introduced to the application in the following way

Developing ASP.NET Apps with Azure Active Directory

Once a user is authenticated and Home.cshtml loads, KnockoutJs is used to perform JavaScript AJAX POST and GET requests to read and write data.

So not exactly a Single Page App, but rather, a mix of traditional postbacks for Authentication and Serving Assets and Read/Write operations through AJAX.

During AJAX requests, the authentication token expires and AD is not able to refresh the token through JavaScript.

The following browser error is observed

XMLHttpRequest cannot load https://login.windows.net/xxx. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'xxx' is therefore not allowed access.

I have researched adal.js and the following posts but not sure if adal.js is the solution to my type of application or how best to incorporate it to make it work with my type of application.

My understanding so far:

I am not using AngularJS.

I do not start out authenticating via JavaScript, and my authentication is not JavaScript driven, so I am not able to benefit from adal.js.

Authentication is done server-side and the subsequent OAuth2 refresh token mechanism requires full page postbacks.

I've stumbled on various related posts by Vittorio Bertocci, but none address the particularities of this type of MVC application design.

ADAL, Windows Azure AD and Multi-Resource Refresh Tokens

WAAD doesn't refresh access token from javascript

Combining ADAL.Net and ADAL.js

AngularJS + ADAL.JS set Resource ID (Audience)

Solution

The issue with your setup is that you are using cookies for authenticating AJAX calls. Cookies aren't really well suited for that, and the limits of the approach typically emerge when you need to make calls outside of your domain and/or when the cookie expires. The fact that it is a common approach, largely as an evolutionary step due to the fact that proper SPA support for auth wasn't available for some time, does not make it a good approach. You are free to stick with your current approach, but that will cause some pain.

There is no established mechanism for triggering a session cookie renewal from JS. Although that can be hacked together, we don't have samples for that - mostly because it's a hack :) The basic case seems easy enough, but as soon as you start considering all possible cases (what happens if, while your app session expired, the user signed out of Azure AD and signed in with a different account?).

The most foolproof approach would be to abandon the hybrid approach. If you want to be a JS app, you can eliminate all the server-driven login and still retain the ability of doing server-side flows (via on-behalf-of grants, like https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet). You don't even need to convert to Angular if you don't want to, see https://github.com/AzureADSamples/SinglePageApp-jQuery-DotNet. And if you want to be a postback-based app, you can drop the JS part (though that sounds painful).

TL;DR: securing AJAX calls via cookies is not a clean solution and you are bound to feel some pain. Your choices are between patching the issues with ad hoc hacks, or refactor toward a more canonical approach. Sorry for the bad news :(
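The answer above describes the "ad hoc hack" route without showing it. The following is an added example, not code from the question, the answer, or any Microsoft sample, of what that route looks like on the client once it is made explicit. The browser cannot renew a session cookie from JavaScript, so the only safe thing an AJAX call can do when the cookie has expired is to stop and hand control to a top-level navigation that re-runs the normal postback sign-in. Two assumptions are baked in, neither of which is stated on the page: the server has been changed to answer an AJAX request whose session has expired with HTTP 401 instead of a 302 to login.windows.net (the 302 being followed cross-origin by the XMLHttpRequest is what produces the CORS error quoted in the question), and the sign-in endpoint is a hypothetical /Account/SignIn that accepts a returnUrl parameter. Dependencies (fetch, navigation, current path) are injected so the logic runs outside a browser.

```javascript
// Added example: cookie-authenticated AJAX with explicit session-expiry handling.
// Not from the original question/answer. Assumptions (hypothetical, not on the page):
//  - the server returns 401 (not 302 to login.windows.net) for expired AJAX calls
//    that carry X-Requested-With: XMLHttpRequest;
//  - /Account/SignIn?returnUrl=... runs the server-side Azure AD sign-in.

const SIGN_IN_PATH = '/Account/SignIn';

// Only ever send the user back to a same-origin absolute path. A returnUrl such as
// "https://evil.example" or "//evil.example" would turn the sign-in page into an
// open redirect, so anything else collapses to "/".
function safeReturnUrl(url) {
  if (typeof url !== 'string' || !url.startsWith('/') || url.startsWith('//')) {
    return '/';
  }
  return url;
}

function buildSignInUrl(returnUrl) {
  return SIGN_IN_PATH + '?returnUrl=' + encodeURIComponent(safeReturnUrl(returnUrl));
}

// Decide whether a fetch outcome means "the session cookie is no longer valid".
//  - a thrown error: fetch rejects when a cross-origin redirect is blocked by CORS,
//    which is the XMLHttpRequest failure mode quoted in the question;
//  - status 0 / type "opaqueredirect": what fetch returns for a redirect when
//    redirect: 'manual' is used, i.e. the server still tried to send us to the IdP;
//  - status 401: the server-side change assumed above.
function sessionExpired(result) {
  if (result.error) return true;
  const r = result.response;
  return r.status === 401 || r.status === 0 || r.type === 'opaqueredirect';
}

// authFetch wraps fetch for the Knockout view model's AJAX calls.
// deps = { fetch, navigate (url => window.location.assign(url)),
//          currentPath (() => window.location.pathname + window.location.search) }
// Headers are assumed to be a plain object, not a Headers instance.
async function authFetch(url, options, deps) {
  const opts = Object.assign({ credentials: 'same-origin', redirect: 'manual' }, options);
  opts.headers = Object.assign({ 'X-Requested-With': 'XMLHttpRequest' }, opts.headers);

  let result;
  try {
    result = { response: await deps.fetch(url, opts) };
  } catch (e) {
    result = { error: e };
  }

  if (sessionExpired(result)) {
    const here = deps.currentPath();
    // Do not bounce if the sign-in page itself is what made the call: that would loop.
    if (!here.startsWith(SIGN_IN_PATH)) {
      deps.navigate(buildSignInUrl(here));
    }
    return { ok: false, redirected: true, status: result.response ? result.response.status : 0 };
  }
  return { ok: result.response.ok, redirected: false, status: result.response.status,
           response: result.response };
}

module.exports = { safeReturnUrl, buildSignInUrl, sessionExpired, authFetch, SIGN_IN_PATH };
```

This is exactly the kind of patch the answer warns about: it only covers the expiry case. It does nothing for the scenario the answer raises (the user signed out of Azure AD and back in as someone else while the app session was still valid), and any in-flight Knockout state is lost across the navigation. The canonical alternative the answer points to is to stop sending the cookie at all: acquire a token with adal.js in the browser and send it as a Bearer header to a Web API, with the server using the on-behalf-of grant when it needs to call further downstream.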
