MVC AD Azure Refresh Token via ADAL JavaScript Ajax and KnockoutJs


Question

There is an inherent design flaw in the type of MVC application I have built, and I believe I'm not the first to realize it.

I have an MVC 4 application that utilises Azure AD authentication, which was introduced to the application in the following way:

Developing ASP.NET Apps with Azure Active Directory

Once a user is authenticated and Home.cshtml loads, KnockoutJs is used to perform JavaScript AJAX POST and GET requests to read and write data.

So not exactly a Single Page App, but rather, a mix of traditional postbacks for Authentication and Serving Assets and Read/Write operations through AJAX.

During AJAX requests, the authentication token expires and AD is not able to refresh the token through JavaScript.

The following browser error is observed:

XMLHttpRequest cannot load https://login.windows.net/xxx. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'xxx' is therefore not allowed access.

I have researched adal.js and the following posts but not sure if adal.js is the solution to my type of application or how best to incorporate it to make it work with my type of application.

My understanding so far:

I am not using AngularJS.

I do not start out authenticating via JavaScript, and my authentication is not JavaScript-driven in a way that would let it benefit from adal.js.

Authentication is done server-side and the subsequent OAuth2 refresh token mechanism requires full page postbacks.

I've stumbled on various related posts by Vittorio Bertocci, but none address the particularities of this type of MVC application design:

ADAL, Windows Azure AD and Multi-Resource Refresh Tokens

WAAD doesn't refresh access token from javascript

Combining ADAL.Net and ADAL.js

AngularJS + ADAL.JS set resource ID (Audience)

Accepted answer

The issue with your setup is that you are using cookies for authenticating AJAX calls. Cookies aren't really well suited for that, and the limits of the approach typically emerge when you need to make calls outside of your domain and/or when the cookie expires. The fact that it is a common approach, largely as an evolutionary step due to the fact that proper SPA support for auth wasn't available for some time, does not make it a good approach. You are free to stick with your current approach, but that will cause some pain. There is no established mechanism for triggering a session cookie renewal from JS. Although that can be hacked together, we don't have samples for that - mostly because it's a hack :) The basic case seems easy enough, but as soon as you start considering all possible cases (what happens if, while your app session expired, the user signed out of Azure AD and signed in with a different account?). The most foolproof approach would be to abandon the hybrid approach. If you want to be a JS app, you can eliminate all the server-driven login, and in doing so still retain the ability of doing server-side flows (via on-behalf-of grants, like https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet). You don't even need to convert to Angular if you don't want to, see https://github.com/AzureADSamples/SinglePageApp-jQuery-DotNet. And if you want to be a postback-based app, you can drop the JS part (though that sounds painful).

TL;DR: securing AJAX calls via cookies is not a clean solution and you are bound to feel some pain. Your choices are between patching the issues with ad hoc hacks, or refactor toward a more canonical approach. Sorry for the bad news :(
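The "canonical approach" the answer points to is to stop relying on the session cookie for AJAX and instead send a bearer token that the client itself knows how to renew before it expires. The following is an added illustration of that pattern, not code from the answer, from adal.js, or from the AzureADSamples repositories. It assumes a hypothetical app-supplied `renewToken` function (in a real SPA that would be the library's hidden-iframe or redirect flow) and uses a constructed, unsigned test token so it runs offline; a real Azure AD access token is RS256-signed and the resource server, not the client, validates it.

```javascript
// Added example (not from the answer, adal.js or AzureADSamples): a bearer-token
// client for AJAX calls. The cache reads the JWT `exp` claim, renews ahead of
// expiry through an app-supplied `renewToken` (hypothetical), and every API call
// carries an Authorization header with `credentials: 'omit'`, so a stale cookie
// can never turn an XHR into a redirect to login.windows.net.

const RENEW_SKEW_SECONDS = 300; // renew this long before `exp` (ADAL-style skew)

function base64UrlDecode(input) {
  const b64 = input.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof Buffer !== 'undefined'
    ? Buffer.from(padded, 'base64').toString('utf8')
    : atob(padded); // browser path
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(str);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode a JWT payload WITHOUT verifying the signature. The client only reads
// `exp` to schedule renewal; validating the token is the resource server's job.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when the token lacks `exp`, is already expired, or is inside the skew window.
function isExpiringSoon(token, nowSeconds) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true;
  return exp - RENEW_SKEW_SECONDS <= nowSeconds;
}

// One cached access token for one resource. `renewToken` returns a Promise of a
// fresh token; concurrent callers share a single in-flight renewal.
class TokenCache {
  constructor(renewToken, now = () => Math.floor(Date.now() / 1000)) {
    this.renewToken = renewToken; // hypothetical app-supplied renewal flow
    this.now = now;
    this.token = null;
    this.pending = null;
    this.renewals = 0;
  }

  getToken() {
    if (this.token && !isExpiringSoon(this.token, this.now())) {
      return Promise.resolve(this.token);
    }
    if (!this.pending) {
      this.renewals += 1;
      this.pending = Promise.resolve()
        .then(() => this.renewToken())
        .then(
          (t) => { this.token = t; this.pending = null; return t; },
          (err) => { this.pending = null; throw err; }
        );
    }
    return this.pending;
  }

  invalidate() { this.token = null; }
}

// Call the API with a bearer token. `fetchImpl` is injectable so the logic can
// run without a network; the default is the global fetch.
async function callApi(cache, url, options = {}, fetchImpl = globalThis.fetch) {
  const token = await cache.getToken();
  const headers = Object.assign({}, options.headers, { Authorization: 'Bearer ' + token });
  const response = await fetchImpl(url, Object.assign({}, options, { headers, credentials: 'omit' }));
  if (response.status === 401) {
    // The resource rejected the token: drop it and fail loudly. Never follow a
    // login redirect inside XHR; the caller decides whether to re-enter the
    // interactive sign-in.
    cache.invalidate();
    throw new Error('unauthorized: token rejected by ' + url);
  }
  return response;
}

// Constructed, unsigned test token (alg "none") so the cache logic can be
// exercised offline. Never accept such a token on a server.
function makeTestJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return header + '.' + base64UrlEncode(JSON.stringify(payload)) + '.';
}
```

In a Knockout view model you would route every `$.ajax` / `fetch` through `callApi` and treat its `unauthorized` rejection as the signal to start an interactive sign-in, which is exactly the decision point the cookie-based setup hands to the browser's redirect logic instead.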
