B2B silent authentication


Problem description

Our application is using the ADAL SDK for both Android and iOS platforms. We want to add support for B2B and shared data between tenants. Assume the user from the home tenant was already invited to a different tenant.

I wanted to know what the API is to get a token for the inviting tenant, assuming the user has already signed in to the home tenant. What is the way to silently acquire a token for the inviting tenant?

I tried and managed to get a token using interactive sign-in (by providing the specific inviting tenant id instead of using common), but I am not sure how to perform silent sign-in to the inviting tenant (when the user has a token for the home tenant).

What I managed to do is to silently acquire a token for the home tenant and then use the refresh token I got in order to get a token for the inviting tenant by calling the acquireTokenByRefreshToken function (and using two AuthenticationContext instances, one with the common authority and the second with the specific tenant id), but then I noticed that in the Android SDK acquireTokenByRefreshToken is marked as deprecated, and in the iOS SDK it seems this function is private, so we can't really use it.

So what I wanted to know is: what is the right API to get a token for the inviting tenant using a token of the home tenant and the id of the inviting tenant?

Solution

Guest access in ADAL for Android is supported by versions 1.14.x+ (released Feb, 2018) - a link to the latest releases can be found here. They are available for download on Maven Central.

For guest scenarios, the AuthenticationContext can be reconstructed with an authority URL containing the tenant id -- acquireTokenSilent calls can then be made using the UserInfo.userId acquired from the AuthenticationResult of a previous acquireToken or acquireTokenSilent call.

Please note, as of Oct 2018 (the time of this answer's writing) there are some limitations to be aware of as to how x-tenant refresh tokens are supported:

If you are trying to execute the flow where...

  1. You acquire a token (using UI and asking user to enter credentials) for the home tenant and...
  2. Then you acquire a token silently for the guest tenant

Then this will work only in the case where the device has been joined (registered) to the home tenant. In every other case the following is the supported flow...

  1. You acquire a token (interactively, using UI to enter creds) for the home tenant and...
  2. Then you acquire a token silently for the home tenant
  3. You acquire a token (interactively, using UI to enter creds) for the guest tenant and...
  4. Then you acquire a token silently for the guest tenant
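
The flow described in the answer, sketched for ADAL for Android as an added example (not part of the original answer and not ADAL's own sample code). The class name `GuestTenantTokens` and the `<...>` constants are hypothetical placeholders; it tries the silent call against the guest-tenant authority first and falls back to interactive sign-in only when ADAL reports that a prompt is required.

```java
import android.app.Activity;
import com.microsoft.aad.adal.ADALError;
import com.microsoft.aad.adal.AuthenticationCallback;
import com.microsoft.aad.adal.AuthenticationContext;
import com.microsoft.aad.adal.AuthenticationException;
import com.microsoft.aad.adal.AuthenticationResult;
import com.microsoft.aad.adal.PromptBehavior;

/** Hypothetical helper; name and constants are assumptions for illustration. */
public final class GuestTenantTokens {
    // Placeholders: use the values from your own app registration.
    private static final String CLIENT_ID = "<client-id>";
    private static final String REDIRECT_URI = "<redirect-uri>";
    private static final String RESOURCE = "<resource-uri>";

    /**
     * homeResult comes from an earlier acquireToken/acquireTokenSilent call.
     * Returns the guest-tenant context so the Activity can forward
     * onActivityResult(...) to it if the interactive fallback is used.
     */
    public static AuthenticationContext acquireForGuest(
            final Activity activity, String guestTenantId,
            final AuthenticationResult homeResult,
            final AuthenticationCallback<AuthenticationResult> callback) {
        // Tenant-specific authority instead of /common, with authority validation on.
        final AuthenticationContext guestCtx = new AuthenticationContext(
                activity.getApplicationContext(),
                "https://login.microsoftonline.com/" + guestTenantId, true);
        final String userId = homeResult.getUserInfo().getUserId();

        guestCtx.acquireTokenSilentAsync(RESOURCE, CLIENT_ID, userId,
                new AuthenticationCallback<AuthenticationResult>() {
            @Override public void onSuccess(AuthenticationResult result) {
                callback.onSuccess(result); // served from cache or refresh token
            }
            @Override public void onError(Exception exc) {
                boolean needsPrompt = exc instanceof AuthenticationException
                        && ((AuthenticationException) exc).getCode()
                            == ADALError.AUTH_REFRESH_FAILED_PROMPT_NOT_ALLOWED;
                if (!needsPrompt) { callback.onError(exc); return; }
                // No usable guest-tenant token yet: sign in interactively once.
                guestCtx.acquireToken(activity, RESOURCE, CLIENT_ID, REDIRECT_URI,
                        homeResult.getUserInfo().getDisplayableId(),
                        PromptBehavior.Auto, null, callback);
            }
        });
        return guestCtx;
    }
}
```

Any other error is passed to the caller rather than triggering a prompt, so network or configuration failures do not surface as unexpected credential dialogs.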
