Azure AD B2C刷新令牌已撤销403
[英]Azure AD B2C Refresh Token Revoked 403
问题描述
Good morning everyone, 
大家,早安,
I Have set up an App Service in Azure and added Authentication via Azure AD B2C. 我在Azure中设置了一个App Service,并通过Azure AD B2C添加了身份验证。 So far so good everything works fine. 到目前为止,一切都很好。 After 1 hour though, when the token expires, I try to refresh it but then I get an error back that the refresh token has been revoked. 但是,1小时后,当令牌过期时,我尝试刷新它,但后来我得到一个错误,即刷新令牌已被撤销。 What goes wrong here ? 这里出了什么问题? I have set up the backend like explained in this post : and when logging in I pass the additional parameter like so : 我已经设置了后端,就像在这篇文章中解释的那样:当登录时我传递了附加参数,如下所示:
user = await Manager.CurrentClient.LoginAsync(currentContext,MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,new Dictionary<string, string>() { { "response_type", "code id_token" } });
This is my refresh code : 这是我的刷新代码:
user = await Manager.CurrentClient.RefreshUserAsync();
This is the error I am getting 这是我得到的错误
{Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: Refresh failed with a 403 Forbidden error.
Am I missing something here ? 我在这里错过了什么吗? Thank you 谢谢
EDIT : Here is a Screenshot of the Settings in the Portal 编辑:这是门户中设置的屏幕截图
EDIT 2 : Here is an error form the server logs when trying to refresh the token : 编辑2:这是在尝试刷新令牌时服务器记录的错误形式:
EDIT 3 : And here the Application Log from the webserver for the given request : 编辑3:这里是来自网络服务器的应用程序日志,用于给定的请求:
2017-01-18T15:08:33 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/refresh 2017-01-18T15:08:33 PID[6344] Verbose JWT validation succeeded.
EDIT 4: This is the log of a successfull login : 编辑4:这是成功登录的日志:
2017-01-18T19:10:14 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/aad?response_type=code%20id_token 2017-01-18T19:10:14 PID[6344] Information Redirecting: https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=817be561f67343688001637fa7808690_20170118191514 2017-01-18T19:10:30 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/login/aad/callback 2017-01-18T19:10:30 PID[6344] Verbose JWT validation succeeded.
This is the error log i get when I try to refresh immediatley after logging in : 这是我在登录后尝试刷新immediatley时得到的错误日志:
2017-01-23T10:55:06 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/refresh 2017-01-23T10:55:06 PID[6344] Verbose JWT validation succeeded.
Which is weird, as it can be seen in the above picture the token store is enabled... 这很奇怪,因为在上图中可以看到令牌存储已启用...
2 个解决方案
解决方案1
2 已采纳 2016-12-20 23:23:31
The problem could be that your current App Service Authentication / Authorization setup is not configured to support token refresh. 问题可能是您当前的App Service身份验证/授权设置未配置为支持令牌刷新。 A simple way to confirm this would be to enable Application Logging and look at the warning messages in the application log stream when a refresh operation fails. 确认这一点的一种简单方法是启用应用程序日志记录,并在刷新操作失败时查看应用程序日志流中的警告消息。 More details on application logging can be found here: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log 有关应用程序日志记录的更多详细信息,请访问: https : //docs.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log
See the following blog post (which I wrote) to learn more about how to update your Authentication / Authorization settings to support token refresh: https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/#refresh . 请参阅以下博文(我写的)以了解有关如何更新身份验证/授权设置以支持令牌刷新的更多信息: https : //cgillum.tech/2016/08/10/app-service-auth-and-azure -ad-b2c-part-2 /#refresh 。 The short version is that you need to: 简短版本是您需要:
- create an app key in your B2C app registration and set that as the client secret in your Authentication / Authorization "Advanced" settings for AAD in the portal. 在B2C应用程序注册中创建一个应用程序密钥,并将其设置为门户中AAD的身份验证/授权“高级”设置中的客户端密钥。
- Request the offline_access scope when logging in. This ensures you get a refresh token from AAD B2C when the user logs in. 登录时请求offline_access范围。这可确保您在用户登录时从AAD B2C获取刷新令牌。
Your login code should look like the following: 您的登录代码应如下所示:
user = await Manager.CurrentClient.LoginAsync(
currentContext,
MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
new Dictionary<string, string>() { { "scope", "openid offline_access" } });
解决方案2
0 2016-11-28 11:46:30
To use the refresh user, we have to store the refresh token to the app service token store. 要使用刷新用户,我们必须将刷新令牌存储到应用服务令牌存储中。
You can check whether there are refresh token via using the request below: 您可以使用以下请求检查是否有刷新令牌:
Get:https://{yourMoibleAppName}.azurewebsites.net/.auth/me
X-ZUMO-AUTH: {accessToken}
The access token you can get from user.MobileServiceAuthenticationToken . 您可以从user.MobileServiceAuthenticationToken获取访问令牌。
If there is no refresh token returned, you can check whether following requirements are satisfied: 如果没有返回刷新令牌,您可以检查是否满足以下要求:
the token store is enable
令牌存储已启用 the response_type of request contains code
请求的response_type包含代码 Developers doesn't revoke the access_token, refresh_token, user permission
开发人员不会撤消access_token,refresh_token,用户权限
And all settings well, however the the app still get the 403 error, we should prompt user to login again(refer to Refreshing user logins in App Service Mobile Apps ). 并且所有设置都很好,但是应用程序仍然会收到403错误,我们应该提示用户再次登录(请参阅在App Service Mobile Apps中刷新用户登录 )。
And to avoid misunderstanding, when you specify you were using Azure AD B2C tenant, would you mind sharing the detail steps you protected the mobile service? 为了避免误解,当您指定使用Azure AD B2C租户时,您是否介意共享保护移动服务的详细步骤?
Update( able to reproduce this issuing using the b2c app which register this way ) 更新(能够使用以这种方式注册的b2c应用程序重现此发布)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.