Refresh token not returned for Office365 accounts purchased through GoDaddy

Problem description

We have a feature that syncs calendar entries and contacts between our application and Office365, using the Office365 REST APIs outlined here. We are using Version 1 of the API. For authorization we are performing authorization via Azure AD as outlined here.

In the normal case (when using Office365 accounts purchased directly from Microsoft), our system works as expected: we are able to refresh the user's tokens when they expire and are returned a new access and refresh token in exchange.

In the second case, when testing with Office365 accounts purchased via GoDaddy, we encounter a blocking issue that can be outlined in this series of steps:

1. User is sent from our app -> Office365 Login page.
2. User enters email address.
3. User is redirected to GoDaddy Office365 login page.
4. User completes authorization, and is redirected back to our app with an access code in the response.
5. App exchanges access code for an access_token and refresh_token from Office365.
6. Some time goes by, and access_token expires.
7. App refreshes the user's access_token using the refresh_token.

At this point we are expecting to receive a new access_token as well as a new refresh_token, as we do when using a regular Office365 account.

Only for accounts purchased via GoDaddy, we do not receive a new refresh token in the response after refreshing for the first time.

Obviously when intending to have a long-running sync, this is a breaking case as the user will no longer be able to have their tokens refreshed beyond this point.

Postman traces (can save as .json and import to Postman for debugging): https://gist.github.com/drunkel/7ec66ed33f66d0070148694651699d03 (IDs and secrets have been removed)

  • Is this a known issue?
  • Is there a workaround?

Recommended answer

I am a Software Engineer at GoDaddy and can confirm that this issue has been resolved. The reason for more frequent login requests under Modern Authentication is that, as these are federated users and as you mentioned in your question, the refresh token was not being returned. This was caused by the StsRefreshTokensValidFrom attribute on the AAD user not being updated properly.
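
One way a sync client can handle the refresh step from the question (step 7) when the response carries no new refresh_token, shown as an added example that is not code from the question or the answer. `TokenState`, `apply_refresh_response` and `replay` are hypothetical names and the responses are constructed; the handler does not make a rejected token work, it keeps the stored token intact and flags the account.

```python
import time
from dataclasses import dataclass


@dataclass
class TokenState:  # hypothetical per-user record kept by the sync service
    access_token: str
    refresh_token: str
    expires_at: float
    rotated: bool = True        # False if the last refresh omitted refresh_token
    needs_reauth: bool = False  # True once the token endpoint rejects the grant


def apply_refresh_response(state, status, body, now=None):
    """Fold one token-endpoint response to a refresh request into state."""
    now = time.time() if now is None else now
    if status != 200:
        # RFC 6749 section 5.2: invalid_grant covers an expired or revoked
        # refresh token; only a new interactive sign-in recovers from it.
        if body.get("error") == "invalid_grant":
            state.needs_reauth = True
        return state  # other errors: state untouched so the caller can retry
    if not body.get("access_token"):
        raise ValueError("success response without access_token")
    state.access_token = body["access_token"]
    state.expires_at = now + int(body.get("expires_in", 0))
    new_rt = body.get("refresh_token")
    if new_rt:
        state.refresh_token, state.rotated = new_rt, True
    else:
        # RFC 6749 section 6: issuing a new refresh token is optional. Keep
        # the old one (never store None) and flag the account for monitoring.
        state.rotated = False
    return state


# Constructed responses: normal rotation, the case from the question, rejection.
SAMPLE_RESPONSES = [
    (200, {"access_token": "at-1", "expires_in": 3600, "refresh_token": "rt-1"}),
    (200, {"access_token": "at-2", "expires_in": 3600}),
    (400, {"error": "invalid_grant"}),
]


def replay(responses, now=1000.0):
    """Apply each response in turn and record the resulting state."""
    state = TokenState("at-0", "rt-0", expires_at=now)
    history = []
    for status, body in responses:
        apply_refresh_response(state, status, body, now)
        history.append((state.access_token, state.refresh_token,
                        state.rotated, state.needs_reauth))
    return history
```

Alerting on accounts where `rotated` stays False, or where `needs_reauth` is set shortly after sign-in, makes a tenant-specific pattern like the one in the question visible before the sync silently stops.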
