B2C令牌生命周期不起作用,新的访问令牌无法通过APIM。

huangapple go评论89阅读模式
英文:

B2C token lifetime does not work and new access token cannot pass APIM

问题

我有我的ReactJS单页应用程序,我的Web API托管在Azure虚拟机上。我将APIM放在虚拟机前面,APIM根据B2C验证令牌进行授权。

在B2C用户流中,我将令牌的生存期设置为5分钟;

在SPA中,当我第一次登录时,它运行良好,我可以调用Web API而没有问题。但是,稍后我遇到了2个问题:

  1. 即使我将令牌的生存期设置为5分钟,但在5分钟后令牌仍然有效;它直到大约13或14分钟后才变为无效;太奇怪了;

  2. 在令牌刷新后,新的访问令牌无法通过APIM;它返回401错误;我可以验证新的令牌位于会话存储中;刷新过程成功。

以下是我最初用于登录的loginRequest

export const loginRequest = {
  scopes: ['openid', 'profile'],
};

以下是我用于刷新令牌的代码:

export const msalInstance = new PublicClientApplication(msalConfig);

export const GetAzureB2CAccessToken = async () => {
  const activeAccount = msalInstance.getActiveAccount(); // 仅当您在其他地方调用setActiveAccount API时,此值才会返回非空值
  const accounts = msalInstance.getAllAccounts();

  if (!activeAccount && accounts.length === 0) {
    /*
     * 用户未登录。抛出错误或等待用户登录。
     * 请不要在MsalProvider的上下文之外尝试登录用户。
     */
    throw new Error('用户未登录');
  }

  var request = {
    scopes: [
      'openid',
      'profile',
      'https://devjohn1.onmicrosoft.com/123qwe-19eb-fff-qqqq-123qwe123qwe/johnapp_api',
    ],
    account: activeAccount || accounts[0],
  };
  const tokenResponse = await msalInstance.acquireTokenSilent(request);
  return tokenResponse.accessToken;
};

有什么想法吗?

英文:

I have my reactJS SPA and I have my web api hosted in an Azure VM. I put APIM in front of the VM and the APIM validates token against B2C for authorization.
In the B2C User Flow, I have set the token lifetime to 5 minutes;

In the SPA, when I first log in, it works well and I can make calls to the web APIs with no problem. However, later I have 2 problems:

  1. Even though I set the token lifetime to 5 minutes, it is still valid after 5 minutes; It only becomes invalid at around 13 or 14 minutes; So weird;

  2. After the tokens are refreshed, the new access token cannot pass APIM; it returns a 401 error; I can verify that the new tokens are in position in the session storage; the refresh process is successful

Here is the loginRequest I used at first to sign in:

export const loginRequest = {
  scopes: ['openid', 'profile'],
};

Here is the code I use to refresh token:

export const msalInstance = new PublicClientApplication(msalConfig);

export const GetAzureB2CAccessToken = async () => {
  const activeAccount = msalInstance.getActiveAccount(); // This will only return a non-null value if you have logic somewhere else that calls the setActiveAccount API
  const accounts = msalInstance.getAllAccounts();

  if (!activeAccount && accounts.length === 0) {
    /*
     * User is not signed in. Throw error or wait for user to login.
     * Do not attempt to log a user in outside of the context of MsalProvider
     */
    throw new Error('user is not signed in;');
  }

  var request = {
    scopes: [
      'openid',
      'profile',
      'https://devjohn1.onmicrosoft.com/123qwe-19eb-fff-qqqq-123qwe123qwe/johnapp_api',
    ],
    account: activeAccount || accounts[0],
  };
  const tokenResponse = await msalInstance.acquireTokenSilent(request);
  return tokenResponse.accessToken;
};

Any ideas?

答案1

得分: 2

我创建了一个Azure AD B2C用户流,并将令牌生存期设置为5分钟,如下所示:

B2C令牌生命周期不起作用,新的访问令牌无法通过APIM。

现在,当我通过Postman生成令牌时,令牌生存期设置为5分钟,如下所示:

https://rukb2c.b2clogin.com/rukb2c.onmicrosoft.com/B2C_1_testruk/oauth2/v2.0/token

client_id:ClientID
scope:https://rukb2c.onmicrosoft.com/ClientID/test.read offline_access openid
grant_type:authorization_code
code_verifier:S256
code:code

B2C令牌生命周期不起作用,新的访问令牌无法通过APIM。

即使我将令牌生存期设置为5分钟,它仍然在5分钟后有效;它只在大约13或14分钟后失效;太奇怪了

如果令牌未根据令牌生存期策略过期,那么可能是由于时钟偏差,其默认值为5分钟。

根据 @Kid_Learning_C 的评论,如果要使令牌在精确时间过期,请将 ClockSkew 设置为零。

services.AddAuthentication("Bearer").AddJwtBearer("Bearer", options =>
{
    options.Authority = "https://xxxx";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.Zero
    };
});

参考资料:

oauth - 时钟偏差和令牌 - Stack Overflow 由 rajquest

英文:

I created an Azure AD B2C User flow and set the token lifetime to 5 minutes like below:

B2C令牌生命周期不起作用,新的访问令牌无法通过APIM。

Now, when I generated the tokens via Postman and the token lifetime is set for 5 minutes like below:

https://rukb2c.b2clogin.com/rukb2c.onmicrosoft.com/B2C_1_testruk/oauth2/v2.0/token

client_id:ClientID
scope:https://rukb2c.onmicrosoft.com/ClientID/test.read offline_access openid
grant_type:authorization_code
code_verifier:S256
code:code

B2C令牌生命周期不起作用,新的访问令牌无法通过APIM。

> Even though I set the token lifetime to 5 minutes, it is still valid after 5 minutes; It only becomes invalid at around 13 or 14 minutes; So weird

If the token is not expiring based on the token lifetime policy, then it might be due to clock skew and the default value is 5 minutes.

As per the comments by @Kid_Learning_C, Set ClockSkew to zero if you want token to expire at the precise time.

services.AddAuthentication("Bearer").AddJwtBearer("Bearer", options =>
        {
            options.Authority = "https://xxxx";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateAudience = false,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.Zero
            };
        });

Reference:

oauth - Clock skew and tokens - Stack Overflow by rajquest

huangapple
  • 本文由 发表于 2023年7月10日 22:26:10
  • 转载请务必保留本文链接:https://go.coder-hub.com/76654723.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定