Azure AD B2C custom policy with KMSI, auto sign-in not working after browser close
I have created an Azure AD B2C custom sign-in policy with the KMSI (keep me signed in) option, and I am using it in a Blazor Server application, but automatic sign-in does not work after the browser is closed; I need to click the 'Login' button.
After clicking the login button I do not need to enter credentials again, if the KMSI check box was checked at the time of the previous sign-in.
But I want to be signed in automatically if the KMSI check box was checked at the time of sign-in.
Could you check whether the authorization request the app sends to Azure AD B2C contains the prompt=login query string parameter? If yes, please make sure to remove this parameter.
This is expected; your app cookie is not persisted, so the app has no idea you're still logged in at B2C. Therefore you have to click login in the app and then you get SSO through AAD B2C.
You could maintain a cookie set by the app to automatically send the user via the login endpoint if they had signed in previously with KMSI. You can use a claims resolver to send the KMSI claim into the token so your app can understand that the user logged in with KMSI.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
I tested the KMSI functionality on my side, and I can repro your symptom. My test is based on this demo: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi This is my test process below:
As this cookie exists, B2C will provide me with the resource I requested: the B2C side sends a request to the redirect URL with the id token and code:
Finally, it redirected to the "Claim" page and this app knows who I am:
In a word, there are two kinds of sessions here: a session between the user and B2C and a session between the user and your application. Once you close your browser, by default, you will lose the cookie for that user on your application, so when users access some page of your app that does not require auth after reopening the browser, there will be no cookie, and your application will not know the user. But on the B2C side, this cookie will be persisted there due to KMSI. Only when users request some functionality that needs to be authenticated on your app will users be redirected to the B2C domain, and B2C sending the users' information to your app is what makes KMSI work.
In my opinion, maybe extending the lifetime of your application cookie will be a solution here. At the same time, you also need to extend the session timeout to make sure that your application can recognize that long-lifetime cookie. But as we know, it will be a high consumption of server RAM if it holds lots of sessions.
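The three answers above each describe one piece of the fix: drop prompt=login from the authorization request, persist the app's own cookie only when the user actually chose KMSI (using a KMSI claim the custom policy emits via a claim resolver), and keep a hint cookie so the app can send a returning browser through the login endpoint without a click. The following is an added example that ties them together in an ASP.NET Core / Blazor Server startup; it is not code from the original question, the answers, or the linked Azure sample. It assumes the custom policy's relying party emits an output claim named `kmsi` with the value `true` (populated from the `{Context.KMSI}` claim resolver described in the linked document), the configuration keys `AzureAdB2C:Authority` and `AzureAdB2C:ClientId`, a 30-day KMSI lifetime matching the policy, and the hint cookie name `kmsi_hint`; all of these names are illustrative.

```csharp
// Added example (not from the original post). Requires the
// Microsoft.AspNetCore.Authentication.OpenIdConnect package.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

const string KmsiClaim = "kmsi";            // assumption: output claim name chosen in the policy
const string KmsiHintCookie = "kmsi_hint";  // assumption: app-side marker cookie name
var kmsiLifetime = TimeSpan.FromDays(30);   // assumption: matches the policy's KMSI session lifetime

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    // The ticket lives inside the cookie (Data Protection encrypted), so a long
    // lifetime costs no server RAM. Per-ticket ExpiresUtc below overrides this default.
    options.ExpireTimeSpan = TimeSpan.FromHours(1);
    options.SlidingExpiration = true;
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Lax;
})
.AddOpenIdConnect(options =>
{
    options.Authority = builder.Configuration["AzureAdB2C:Authority"]; // assumed config key
    options.ClientId = builder.Configuration["AzureAdB2C:ClientId"];   // assumed config key
    options.ResponseType = "code";
    options.SaveTokens = true;
    options.Events = new OpenIdConnectEvents
    {
        // Answer 1: prompt=login forces re-authentication and defeats B2C's KMSI cookie.
        OnRedirectToIdentityProvider = ctx =>
        {
            ctx.ProtocolMessage.Prompt = null;
            return Task.CompletedTask;
        },
        // Answers 2 and 3: only a KMSI sign-in gets a persistent, long-lived app cookie.
        OnTokenValidated = ctx =>
        {
            var kmsi = ctx.Principal?.FindFirst(KmsiClaim)?.Value;
            if (string.Equals(kmsi, "true", StringComparison.OrdinalIgnoreCase))
            {
                ctx.Properties.IsPersistent = true;
                ctx.Properties.ExpiresUtc = DateTimeOffset.UtcNow.Add(kmsiLifetime);
                // Non-sensitive marker: "this browser signed in here with KMSI before".
                ctx.HttpContext.Response.Cookies.Append(KmsiHintCookie, "1", new CookieOptions
                {
                    HttpOnly = true, Secure = true, SameSite = SameSiteMode.Lax,
                    Expires = DateTimeOffset.UtcNow.Add(kmsiLifetime)
                });
            }
            return Task.CompletedTask;
        }
    };
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();

// Answer 2: if the browser still carries the hint but the app cookie is gone,
// challenge immediately. B2C's own KMSI cookie completes the round-trip silently.
app.Use(async (ctx, next) =>
{
    var path = ctx.Request.Path;
    var skip = path.StartsWithSegments("/signin-oidc")
            || path.StartsWithSegments("/signout-callback-oidc")
            || path.StartsWithSegments("/_blazor")      // SignalR hub must not be redirected
            || path.StartsWithSegments("/_framework");
    var authenticated = ctx.User.Identity?.IsAuthenticated == true;
    if (!authenticated && !skip && HttpMethods.IsGet(ctx.Request.Method)
        && ctx.Request.Cookies.ContainsKey(KmsiHintCookie))
    {
        // Remove the hint before challenging: if B2C does not SSO (session expired,
        // user signed out there), the next request falls through instead of looping.
        // A successful KMSI sign-in re-creates it in OnTokenValidated.
        ctx.Response.Cookies.Delete(KmsiHintCookie);
        await ctx.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme,
            new AuthenticationProperties { RedirectUri = path + ctx.Request.QueryString });
        return;
    }
    await next();
});

app.UseAuthorization();
app.MapRazorPages(); // in a Blazor Server app also MapBlazorHub() and MapFallbackToPage("/_Host")
app.Run();
```

Two points worth checking when adopting this: the hint cookie carries no identity and must not be trusted for authorization, it only decides whether to attempt a silent challenge; and the app cookie's lifetime should not exceed the KMSI session lifetime configured in the policy, otherwise the app keeps a user signed in after B2C has already forgotten them.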