How can I configure the expiration time of an Azure AD access token (using ADAL)?


Question

We use Azure AD to authenticate users into our WPF application, using their Office 365 accounts. This is done using the Active Directory Authentication Library (ADAL).

Currently, they are prompted to log in every time they open the app. We want to change this to allow logging in to the app via a cached token. This works but we want to shorten the expiration time of the token to 24 hours or less, requiring another sign in after that time has passed.

I don't see a way to manipulate the expiration of an Access Token in code. Is this something that needs to be done within Azure AD?

Recommended answer

Summary

You cannot use ADAL to configure the expiration time of tokens. ADAL is an authentication library that helps you interact with the token service, but you can set the token lifetime configuration on your Service Principal, Application, or Tenant.

You'll need to use PowerShell to create a policy describing the behavior you want, and link it to your service principal, tenant, or application. Keep in mind, if you're building a multi-tenant app, the owner of the tenant can overwrite your policy.

tl;dr: Don't rely on the token lifetime in your app as it can change at any time.

You can set these properties using Azure AD PowerShell commands. Then run the following commands to set an access token lifetime:

  1. Sign in to PowerShell.

Connect-AzureAD -Confirm

  2. Create a new policy that sets the access token lifetime to 2 hours. You can change this to anything between 10 minutes and 1 day.

New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

  3. Get the policy's ObjectId.

Get-AzureAdPolicy

  4. Link the new policy to your application. You can get the objectId of your app using the GraphExplorer.

Add-AzureADApplicationPolicy -Id <ObjectId of the Application> -RefObjectId <ObjectId of the Policy>

For more examples and the full documentation, check out Azure AD Configurable Token Lifetime.
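
The steps above as one script, as an added example that is not part of the original answer: it checks the lifetime against the 10 minute to 1 day range the answer gives, reuses a policy with the same display name if one exists, and confirms the link. The application name `Contoso WPF Client` is a hypothetical placeholder, and the script assumes `Connect-AzureAD` has already succeeded with a module that provides the policy cmdlets used above.

```powershell
# Added example, not the answer author's code.
$AppDisplayName = 'Contoso WPF Client'      # hypothetical application name
$PolicyName     = 'WebPolicyScenario'       # display name used in the answer
$Lifetime       = [TimeSpan]::FromHours(2)  # lifetime used in the answer

# The answer gives the allowed range as 10 minutes to 1 day; fail early otherwise.
if ($Lifetime -lt [TimeSpan]::FromMinutes(10) -or $Lifetime -gt [TimeSpan]::FromDays(1)) {
    throw "AccessTokenLifetime $Lifetime is outside the 10 minute to 1 day range."
}

# Build the policy definition instead of hand-editing a JSON string.
$definition = [ordered]@{
    TokenLifetimePolicy = [ordered]@{
        Version                   = 1
        AccessTokenLifetime       = $Lifetime.ToString('c')
        MaxAgeSessionSingleFactor = $Lifetime.ToString('c')
    }
} | ConvertTo-Json -Compress

# Reuse a policy with this name if present (its definition is NOT updated here),
# so re-running the script does not pile up duplicate policies.
$policy = Get-AzureADPolicy |
    Where-Object { $_.DisplayName -eq $PolicyName -and $_.Type -eq 'TokenLifetimePolicy' } |
    Select-Object -First 1
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $PolicyName `
        -IsOrganizationDefault $false -Type 'TokenLifetimePolicy'
}

# Resolve the application's ObjectId; refuse to guess if the name is ambiguous.
$apps = @(Get-AzureADApplication -Filter "DisplayName eq '$AppDisplayName'")
if ($apps.Count -ne 1) {
    throw "Expected exactly one application named '$AppDisplayName', found $($apps.Count)."
}
$app = $apps[0]

# Link the policy only if it is not already linked to the application.
$linked = @(Get-AzureADApplicationPolicy -Id $app.ObjectId) |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $linked) {
    Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id
}

# Show what is now attached to the application so the change can be reviewed.
Get-AzureADApplicationPolicy -Id $app.ObjectId | Format-List
```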
