MVC AD Azure Refresh Token via ADAL JavaScript Ajax and KnockoutJs


Question

There is an inherent design flaw in the type of MVC application I have built, and I believe I'm not the first to realize it.

I have an MVC 4 Application that utilises AD Azure Authentication that was introduced to the application in the following way:

Developing ASP.NET Apps with Azure Active Directory: http://www.asp.net/identity/overview/getting-started/developing-aspnet-apps-with-windows-azure-active-directory

Once a User is Authenticated and Home.cshtml loads, KnockoutJs is used to perform JavaScript AJAX POST and GET requests to read and write data.

So not exactly a Single Page App, but rather a mix of traditional postbacks for Authentication and Serving Assets, and Read/Write operations through AJAX.

During AJAX requests, the authentication token expires and AD is not able to refresh the token through JavaScript.

The following browser error is observed:

XMLHttpRequest cannot load https://login.windows.net/xxx. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'xxx' is therefore not allowed access.

I have researched adal.js and the following posts, but I am not sure whether adal.js is the solution for my type of application, or how best to incorporate it to make it work with my type of application.

My understanding so far:

I am not using AngularJS.

I do not start out authenticating via JavaScript, and my authentication is not JavaScript driven, so I am not able to benefit from adal.js.

Authentication is done server-side and the subsequent OAuth2 refresh token mechanism requires full page postbacks.

I've stumbled on various related posts by Vittorio Bertocci, but none address the particularities of this type of MVC application design.

ADAL, Windows Azure AD and Multi-Resource Refresh Tokens: http://www.cloudidentity.com/blog/2013/10/14/adal-windows-azure-ad-and-multi-resource-refresh-tokens/

WAAD doesn't refresh access token from JavaScript: http://stackoverflow.com/questions/27412651/waad-doesnt-refresh-access-token-from-javascript

Combining ADAL.Net and ADAL.js

AngularJS + ADAL.JS set resource ID (audience): http://stackoverflow.com/questions/31288193/angularjs-adal-js-set-resource-id-audience

Answer

The issue with your setup is that you are using cookies for authenticating AJAX calls. Cookies aren't really well suited for that, and the limits of the approach typically emerge when you need to make calls outside of your domain and/or when the cookie expires. The fact that it is a common approach, largely as an evolutionary step due to the fact that proper SPA support for auth wasn't available for some time, does not make it a good approach.

You are free to stick with your current approach, but that will cause some pain. There is no established mechanism for triggering a session cookie renewal from JS. Although that can be hacked together, we don't have samples for that - mostly because it's a hack :) The basic case seems easy enough, but as soon as you start considering all possible cases (what happens if, while your app session expired, the user signed out of Azure AD and signed in with a different account?).

The most foolproof approach would be to abandon the hybrid approach. If you want to be a JS app, you can eliminate all the server-driven login and still retain the ability of doing server-side flows (via on-behalf-of grants, like https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet). You don't even need to convert to Angular if you don't want to; see https://github.com/AzureADSamples/SinglePageApp-jQuery-DotNet.

And if you want to be a postback-based app, you can drop the JS part (though that sounds painful).

TL;DR: securing AJAX calls via cookies is not a clean solution and you are bound to feel some pain. Your choices are between patching the issues with ad hoc hacks, or refactoring toward a more canonical approach. Sorry for the bad news :(
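As an added illustration (not code from the question, the answer, or the ADAL samples) of the token-based AJAX pattern the answer recommends instead of cookie authentication: the client attaches a bearer token, sends no cookies, renews the token before it expires, and retries once on a 401. The adal.js-shaped `acquireToken(resource, callback)` and the `send` transport are injected and assumed, so the helper runs offline with a constructed, unsigned JWT-shaped token.

```javascript
// Added example: bearer-token AJAX client with injected, adal.js-shaped dependencies.
// Assumed: acquireToken(resource, cb(err, token)) follows the adal.js callback shape;
// tokens are JWTs whose payload carries `exp` (seconds since epoch); send() stands in
// for the XHR/jQuery call and reports (status, body) to its callback.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

// Read `exp` from the payload WITHOUT verifying the signature: the client only uses it to
// decide whether to renew before sending; the API must still validate every token it gets.
function tokenExp(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return 0;
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  return typeof payload.exp === 'number' ? payload.exp : 0;
}

function makeApiClient({ acquireToken, send, resource, now = () => Date.now() / 1000, skew = 60 }) {
  let cached = null;

  // Reuse the cached token while more than `skew` seconds remain; otherwise ask ADAL for a new one.
  function freshToken(cb) {
    if (cached && tokenExp(cached) - skew > now()) return cb(null, cached);
    acquireToken(resource, (err, token) => {
      if (err || !token) return cb(err || new Error('no token acquired'));
      cached = token;
      cb(null, token);
    });
  }

  // Bearer header and no cookies: an expired session then yields a plain 401 that JS can
  // handle, not a 302 to login.windows.net that XHR cannot follow cross-origin.
  function call(url, cb, retried) {
    freshToken((err, token) => {
      if (err) return cb(err);
      const opts = { headers: { Authorization: 'Bearer ' + token }, credentials: 'omit' };
      send(url, opts, (status, body) => {
        if (status === 401 && !retried) { cached = null; return call(url, cb, true); }
        if (status === 401) return cb(new Error('still unauthorized after renewal'));
        cb(null, body);
      });
    });
  }
  return { call };
}

// Constructed, unsigned JWT-shaped token for demonstration only; real tokens come from Azure AD.
function fakeToken(exp) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'none' }) + '.' + enc({ exp }) + '.sig';
}
```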
