Alexa Skill with Azure AD B2C Auth expires after an hour
I am currently building an Alexa skill backed by Azure Functions (.NET Core/C#) and Azure AD B2C for authentication.
For the initial setup, I mostly used the instructions found in this article. Since the article was written a couple of years ago, I had to make a few changes. In the end, I landed on the following configuration:
As I mentioned, we are using AAD B2C for authentication. Users of a related application are able to sign up and sign in to a React application. The idea is to provide an alternative interface for said users through Alexa intents + utterances.
I created an application for Alexa in AAD B2C with the following settings:
I generated a single App Key, which I'm using as the Secret in the Account Linking section in the Alexa Developer Console.
Many of the examples online mention setting an explicit expiration date here of 1 or 2 years; however, I am not presented with any options at all (i.e. no expiration option), just the code. Could this be part of the problem?
In the Published scopes section, the scope name is user_impersonation. The description is "Access this app on behalf of the signed-in user". The full scope value is: https://myorgsname.onmicrosoft.com/alexa/user_impersonation. For API Access, I have two API entries here, one of which uses the user_impersonation scope mentioned above.
The user flow that I'm using allows signing up and signing in; it utilizes the following configuration:
Properties
Misc
Token lifetime
Token compatibility settings
Issuer (iss) claim: https://<domain>/<b2c-tenant-guid>
Session behavior
For the authentication layer within the Azure Function, I'm utilizing the method described in the article mentioned above.
On the Alexa side of things, I have a really simple skill setup with the following settings:
My endpoint uses the HTTPS option with the default region set to the fully-qualified HTTPS endpoint of my Azure Function App's handler function.
The certificate is set to "My development endpoint is a sub-domain of a domain that has a wildcard ..."
The account linking settings are as outlined below:
Authorization URI: https://myorg.b2clogin.com/myorg.onmicrosoft.com/oauth2/v2.0/authorize?p=<sign-in-user-flow-policy-name>
Access Token URI: https://myorg.b2clogin.com/myorg.onmicrosoft.com/oauth2/v2.0/token?p=<sign-in-user-flow-policy-name>
Note: The Alexa Redirect URLs at the bottom are what I put in AAD B2C for the Reply URL section.
Now for the most important part, The Problem. Everything seems to work at first... I'm able to go to alexa.amazon.com and utilize Link Account (which redirects me to and from my AAD B2C-driven login screen). Once I link accounts, I'm able to successfully utilize an utterance and receive a reply.
The problem starts when I wait an hour (I believe it's an hour). Attempting to initiate the Intent after an hour yields an error on the Azure Function app side of things when it tries to validate the Auth Token.
Can anyone provide me some guidance as to what I may have set up incorrectly, or at least some things that I should look into? As I mentioned at the start of this question, many of the references that I'm finding online are out-of-date and do not cover all of the settings that I'm expected to utilize. Many of them are still using the microsoftonline.com authority vs. b2clogin.com.
At a glance, I would assume that the problem is that the Alexa skill is failing to refresh its token after it expires after an hour. What do I need to do to ensure that it refreshes correctly?
I think that I have enough information at this point to go ahead and answer my own question. What I found was that the offline_access scope is necessary for Token Refresh to be possible.
Per Microsoft, "The offline_access scope gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the 'Maintain access to data you have given it access to' permission. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire."
You can read more about it here.
To resolve the issue, I ensured that this scope was available in AAD B2C and added it as a referenced scope in the Alexa developer console.
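The mechanism behind this answer, as an added example that is not part of the question, the answers, or any Microsoft or Amazon code: a small Python simulation (Python rather than the question's C#, so it runs stand-alone) of both sides of the exchange. One side plays the B2C token endpoint, which only hands out a refresh_token when offline_access was requested; the other plays the Azure Function's auth layer, which checks signature, issuer, audience and expiry. The signing key, client id, issuer placeholder, token format (HMAC-signed JSON rather than a real B2C JWT), the one-hour access token lifetime and the 14-day refresh token lifetime are all constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values; none of these are real B2C settings.
SIGNING_KEY = b"constructed-demo-signing-key"
ISSUER = "https://<domain>/<b2c-tenant-guid>"   # placeholder, same shape as the question's iss claim
AUDIENCE = "<alexa-app-client-id>"              # placeholder for the Alexa app registration's client id
ACCESS_TOKEN_LIFETIME = 3600                    # one hour, the expiry the question runs into
REFRESH_TOKEN_LIFETIME = 14 * 24 * 3600         # assumption: a 14-day refresh token lifetime

_refresh_store = {}  # refresh_token -> {"sub": ..., "scopes": ..., "exp": ...}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload_b64: str) -> str:
    return _b64url(hmac.new(SIGNING_KEY, payload_b64.encode(), hashlib.sha256).digest())


def mint_access_token(sub: str, scopes: list, now: float) -> str:
    """Short-lived bearer token: signed claims with a one-hour exp."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
              "scp": " ".join(s for s in scopes if s != "offline_access"),
              "iat": int(now), "exp": int(now) + ACCESS_TOKEN_LIFETIME}
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def token_endpoint(sub: str, scopes: list, now: float) -> dict:
    """Simulated /oauth2/v2.0/token response for the authorization-code grant.
    A refresh_token is only returned when the client asked for offline_access."""
    response = {"access_token": mint_access_token(sub, scopes, now),
                "token_type": "Bearer", "expires_in": ACCESS_TOKEN_LIFETIME}
    if "offline_access" in scopes:
        rt = secrets.token_urlsafe(32)
        _refresh_store[rt] = {"sub": sub, "scopes": scopes, "exp": now + REFRESH_TOKEN_LIFETIME}
        response["refresh_token"] = rt
    return response


def refresh_endpoint(refresh_token: str, now: float) -> dict:
    """grant_type=refresh_token: the old refresh token is consumed (rotated)
    and a fresh access token plus a new refresh token are issued."""
    entry = _refresh_store.pop(refresh_token, None)
    if entry is None or entry["exp"] <= now:
        return {"error": "invalid_grant"}
    return token_endpoint(entry["sub"], entry["scopes"], now)


def validate_access_token(token: str, now: float) -> dict:
    """What the Azure Function's auth layer does on every request:
    verify signature, issuer, audience and expiry. Raises ValueError on failure."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if not hmac.compare_digest(sig, _sign(payload)):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def invoke_skill(link: dict, now: float) -> str:
    """Simulates Alexa calling the skill endpoint with the linked account's token,
    falling back to a refresh if (and only if) a refresh_token was stored at link time."""
    try:
        validate_access_token(link["access_token"], now)
        return "ok"
    except ValueError as err:
        if "refresh_token" not in link:
            return f"error: {err}, and no refresh_token to recover with"
        renewed = refresh_endpoint(link["refresh_token"], now)
        if "error" in renewed:
            return f"error: refresh failed ({renewed['error']})"
        link.update(renewed)  # the linked account now holds the rotated tokens
        validate_access_token(link["access_token"], now)
        return "ok (refreshed)"


def simulate(scopes: list) -> list:
    """Link the account at t=0, invoke the skill immediately, then again after 61 minutes."""
    t0 = time.time()
    link = token_endpoint("user-1", scopes, t0)
    return [invoke_skill(link, t0), invoke_skill(link, t0 + 61 * 60)]


if __name__ == "__main__":
    print(simulate(["user_impersonation"]))                    # second call fails: nothing to refresh with
    print(simulate(["user_impersonation", "offline_access"]))  # second call succeeds after a refresh
```

The first simulation reproduces the question's symptom: the linked account holds only an access token, so once it expires the skill's next call fails validation and there is no way to recover short of re-linking. The second shows that requesting offline_access at link time is what makes the refresh grant available; the resource side's validation is identical in both cases, which is why the fix lives in the account-linking scope configuration rather than in the Azure Function.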
Thanks for giving insight on offline_access. It took a few hours to figure out how to implement offline_access. Interestingly, offline_access works only with the Azure AD OAuth 1.0 endpoint and not with 2.0.
While trying with 2.0, account linking kept failing when multiple scopes were mentioned in the Alexa configuration. The scopes I tried were as follows.
Finally I ended up working with the OAuth 1.0 endpoint and using the scope https://samplealexabackendapi/.default, which considers all scopes available to the registered app.