How does Authorization Code flow remember the user after local state is cleared?

Given an app using OAuth 2.0 Authorization Code Flow via Microsoft's msal.js, I login by providing my credentials. Then I fully clear my browser's state, cache, local/session storage, and refresh the page so that the single page application doesn't know I'm logged in, but I'm still logged in with the Microsoft backend.

When I initiate another login, it is able to do so silently, without re-asking me for my credentials.

Apparently, via a request to https://login.microsoftonline.com/redacted/oauth2/v2.0/token, the Microsoft backend can authenticate me as the same user even though I cleared the js memory and all cache/session/local storage.

How does this request get a valid code / code_verifier to send to the Authorization Server in order to get an Access Token back for a user without re-entering credentials?


More details:

The following does require me to re-enter my credentials (as I would expect it to):

  • a private/incognito tab
  • closing the browser and reopening it
  • using a different browser on the same computer

The following does not require me to re-enter my credentials and can log on silently:

  • authenticating in a new tab with cleared local state
  • authenticating in a new window of the same browser with cleared local state
  • refreshing the tab and clearing local state

I would expect the 3 "not" scenarios to require credentials, but they do not. How can I be authenticated without the browser keeping any local state?

The Microsoft library was storing a cookie owned by AAD, not my app. (answer on GitHub)
