
How to invalidate JWT token received from Azure AD

I have 2 apps, one Spring Boot and another in Angular. Currently I have integrated my application with Azure AD and hence am authenticating through it. Now the question here is: when the user logs out from the front end app, how to invalidate the JWT token provided by Azure AD, if the token is not expired? Because, if someone is able to get the token even though the user has logged out, he can use that token to retrieve data from the backend. Any idea how to do this?

Your question is one that has got many people looking for a definitive answer. In short: there is no clear-cut answer. Sure, there are some options that kinda work, but none of them are fool-proof.

I think the answer to the SO question Invalidating JSON Web Tokens sums up your options best:

  1. Remove the token from the client
  2. Create a token blacklist
  3. Just keep token expiry times short and rotate them often

I've seen option 3 to be the most successful 'in the field'.

As far as I know, there is no way to invalidate an Id token / access token after it has been issued. You can invalidate refresh tokens though: https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http. Those do not apply to a front-end SPA though.

I wanted to share an Azure AD specific answer to this.

The issue you're raising here is the same across the board for all Azure AD tokens. This includes first party apps by Microsoft (SharePoint, Word, Teams, Outlook). The default token expiry is 60 minutes for access tokens and 90 days for refresh tokens. Then you have other factors like MaxInactiveTime, MaxSessionAge etc. that affect the refresh token's lifetime.

Microsoft toyed with the idea of configurable token lifetimes (see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes ) but it caused issues so they have dropped it in favour of using Conditional Access policies, where the Azure AD tenant owner can specify tenant level sign in frequency. Note however this only applies to refresh tokens.

The access token is hard set to a 60 minute window after which it expires. It is the responsibility of the app developer to ensure the safety of the access token. The best practice is to always have it in memory and never write it to a permanent store or expose it over URLs where it can be logged.
