在 AD B2C 中更改用户密码后如何验证用户 ID 令牌
[英]How to validate the user id token after user password changes in AD B2C
问题描述
I am creating a user in AD B2C local account and able to generate the user id token for the created user with https://login.microsoftonline.com/{{My_Domain_Name}}.onmicrosoft.com/oauth2/token/ and I am using this token to Get the User profile https://graph.windows.net/{{My_Domain_Name}}.onmicrosoft.com/users/{{USER_ID}}?api-version=1.6 .
我正在 AD B2C 本地帐户中创建一个用户,并且能够使用https://login.microsoftonline.com/{{My_Domain_Name}}.onmicrosoft.com/oauth2/token/为创建的用户生成用户 ID 令牌,我是使用此令牌获取用户配置文件https://graph.windows.net/{{My_Domain_Name}}.onmicrosoft.com/users/{{USER_ID}}?api-version=1.6 。 Now if I change the user's password and keep the old user id token I am still able to access the user profile , is there a way to restrict the Get User with the old token ?现在,如果我更改用户的密码并保留旧的用户 ID 令牌,我仍然可以访问用户配置文件,是否可以使用旧令牌限制获取用户?
1 个解决方案
解决方案1
0 已采纳 2020-12-01 06:49:32
Move comments to answers for more people's reference.将评论移至答案以供更多人参考。
Firstly, you are using access token to access the user profile.首先,您使用访问令牌来访问用户配置文件。 Access token cannot be revoked.无法撤销访问令牌。 But you could revoke the refresh token, then user will lose access to AAD when the old access token expires.但是您可以撤销刷新令牌,然后当旧访问令牌过期时,用户将失去对 AAD 的访问权限。 The default expiration is 1 hour.默认过期时间为 1 小时。
So you cannot restrict the Get User with the old token immediately, after you took the above steps:因此,在执行上述步骤后,您不能立即使用旧令牌限制 Get User:
For applications using access tokens, the user loses access when the access token expires .
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.