What is a refresh token and can we control refreshing the ID and Access token in AADB2C?
My team is working on implementing or rather configuring B2C login for our client's mobile app. We got the configuration setup to a point where the user can login to the app once and the token gets cached in MSAL. And next time onwards, the user is able to directly login without entering his/her credentials. We are following the pattern as described here.
Our code first tries to retrieve the token using AcquireTokenSilent and if the token is not present in the MSAL cache, then we retrieve it using AcquireTokenInteractive.
I was trying to understand how the ID and Access tokens are refreshed and found on MS docs here about tokens which says:
Refresh tokens are used to acquire new ID tokens and access tokens in an OAuth 2.0 flow. They provide your application with long-term access to resources on behalf of users without requiring interaction with those users...
This also mentioned that when we redeem the refresh token to get new ID and Access tokens, we also get a new refresh token that replaces the previous refresh token.
Now I tried logging out and logging back into my mobile app after 1 hour or more and I was still able to login. When I inspected the claims, the ID and Access token expiry was refreshed to the next 1 hour of login.
My question here is:
I am sorry if I missed anything but I am a little confused on how the refresh token works and is there a way to control when to refresh the tokens and when not.
Thanks in advance.
Yes, the refresh token is used to get the new ID token and access token. Even if the ID token and access token have expired, as long as the refresh token has not expired, it could use the refresh token to get a new ID token and access token; meanwhile, a new refresh token will be generated. If you want to configure the token lifetime, you could do that in the portal.
Reference - https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow
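
The behaviour discussed in this thread, as an added example that is not part of the original question or answer: a simplified Python model of a client token cache and a token endpoint, showing when a silent call is served from the cache, when it redeems the refresh token (and receives a new one), and when it falls back to interactive sign-in. The class names and both lifetimes are assumptions made for the illustration; this is not MSAL or Azure AD B2C code.

```python
from dataclasses import dataclass
import secrets

# Assumed lifetimes for this model (constructed values; the real ones are tenant settings).
ACCESS_LIFETIME = 60 * 60            # ID/access token lifetime, in seconds
REFRESH_LIFETIME = 14 * 24 * 3600    # refresh token lifetime, in seconds

class InteractionRequired(Exception):
    """Silent acquisition is impossible; the user has to sign in again."""

@dataclass
class Tokens:
    access_token: str
    access_expires: float
    refresh_token: str
    refresh_expires: float

class TokenEndpoint:
    """Toy stand-in for the token endpoint (hypothetical, not a B2C client)."""
    def issue(self, now):
        return Tokens(secrets.token_hex(8), now + ACCESS_LIFETIME,
                      secrets.token_hex(8), now + REFRESH_LIFETIME)

    def redeem(self, cached, now):
        if now >= cached.refresh_expires:
            raise InteractionRequired("refresh token expired")
        return self.issue(now)  # new ID/access token AND a new refresh token

class Client:
    def __init__(self, endpoint):
        self.endpoint, self.cache, self.log = endpoint, None, []

    def acquire_silent(self, now, force_refresh=False):
        if self.cache is None:
            raise InteractionRequired("no cached tokens")
        if now < self.cache.access_expires and not force_refresh:
            self.log.append("cache-hit")      # access token still valid
        else:
            self.cache = self.endpoint.redeem(self.cache, now)
            self.log.append("refreshed")      # old refresh token is replaced
        return self.cache

    def get_token(self, now):
        try:
            return self.acquire_silent(now)
        except InteractionRequired:
            self.cache = self.endpoint.issue(now)  # models interactive sign-in
            self.log.append("interactive")
            return self.cache
```

In this model a call made after the access token has expired still succeeds without user interaction as long as the cached refresh token is valid, and the new access token's expiry is counted from the moment of that call.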