[英]How does Authorization Code flow remember the user after local state is cleared?
Given an app using Oauth 2.0 Authorization Code Flow via Microsoft's msal.js , I login by providing my credentials.给定一个通过 Microsoft 的msal.js使用 Oauth 2.0授权代码流的应用程序,我通过提供我的凭据登录。 Then I fully clear my browser's state, cache, local/session storage, and refresh the page so that the single page application doesn't know I'm logged in, but I'm still logged in with the Microsoft backend.然后我完全清除浏览器的 state、缓存、本地/会话存储,并刷新页面,使单页应用程序不知道我已登录,但我仍然使用 Microsoft 后端登录。
When I initiate another login, it is able to do so silently, without re-asking me for my credentials.当我启动另一个登录时,它可以静默进行,无需重新询问我的凭据。
Apparently, via a request to https://login.microsoftonline.com/redacted/oauth2/v2.0/token
, the Microsoft backend can authenticate me as the same user even though I cleared the js memory and all cache/session/local storage显然,通过对https://login.microsoftonline.com/redacted/oauth2/v2.0/token
的请求,即使我清除了 js memory 和所有缓存/会话/本地,Microsoft 后端也可以将我认证为同一用户贮存
How does this request get a valid code / code_verifier to send to the Authorization Server in order to get an Access Token back for a user without re-entering credentials?此请求如何获取有效代码/ code_verifier以发送到授权服务器,以便在不重新输入凭据的情况下为用户取回访问令牌?
More details:更多细节:
The following does require me to re-enter my credentials (as I would expect it to):以下确实需要我重新输入我的凭据(正如我所期望的那样):
The following does not require me to re-enter my credentials and can log on silently:以下不需要我重新输入我的凭据,可以静默登录:
I would expect the 3 "not" scenarios to require credentials, but they do not.我希望这 3 个“非”场景需要凭据,但它们不需要。 How can I be authenticated without the browser keeping any local state?如果浏览器不保留任何本地 state,如何进行身份验证?
The Microsoft library was storing a cookie owned by AAD, not my app. Microsoft 库正在存储 AAD 拥有的 cookie,而不是我的应用程序。 answer on github 回答 github
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.